What Could Cause Access Exceptions After Configuring an HTTPS Certificate for a LoadBalancer Ingress?
If you configure an HTTPS certificate for a LoadBalancer ingress, access may become abnormal if any of the following issues arise. To fix the problem, refer to the causes listed in the table.
| Cause | Symptom | Solution |
|---|---|---|
| The certificate has expired. | An error similar to the following is displayed when the curl command is executed: | Replace the certificate in a timely manner. |
| The certificate chain that the client uses for verification does not match the HTTPS certificate configured for the LoadBalancer ingress. | An error similar to the following is displayed when the curl command is executed: | Ensure that the HTTPS certificate chain on the client matches the certificate configured for the LoadBalancer ingress. |
| No domain name is specified when a certificate is created. | An error similar to the following is displayed when the curl command is executed: | Specify a domain name when creating a certificate. |
| The domain name to be accessed is different from the domain name of the HTTPS certificate. | An error similar to the following is displayed when the curl command is executed: | Configure a certificate that matches the domain name for the ingress. |
You can run the following command to check certificate information such as the expiration time and domain name. In the command, ca.crt is the path of the certificate file.
openssl x509 -in ca.crt -subject -noout -text
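
The following script is an added example, not part of the original documentation: it checks a certificate file against the four causes in the table using standard openssl subcommands. The function name check_cert, its argument order and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Usage:
#   check_cert CERT_FILE HOSTNAME CA_FILE [MIN_SECONDS_LEFT]
# Return codes are this example's own convention:
#   0 ok, 1 expired/expiring, 2 no domain name, 3 domain mismatch,
#   4 chain does not verify, 5 file is not a readable certificate.
check_cert() {
    cert=$1 host=$2 ca=$3 margin=${4:-0}

    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL parse: $cert is not a readable X.509 certificate"
        return 5
    fi
    # Cause 1: expired, or fewer than MIN_SECONDS_LEFT seconds remain.
    if ! openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null; then
        echo "FAIL expiry: $(openssl x509 -in "$cert" -noout -enddate)"
        return 1
    fi
    # Cause 2: no domain name at all (no subject CN, no DNS subjectAltName).
    if ! openssl x509 -in "$cert" -noout -subject -text |
            grep -Eq '^subject.*[=/ ]CN ?=|DNS:'; then
        echo "FAIL names: certificate carries no domain name"
        return 2
    fi
    # Cause 3: the requested domain name is not one the certificate covers.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q 'does match'; then
        echo "FAIL hostname: certificate does not cover $host"
        return 3
    fi
    # Cause 4: the client's CA file does not verify the certificate.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL chain: $cert does not verify against $ca"
        return 4
    fi
    echo "OK: $cert is valid for $host and verifies against $ca"
}

# Run the check when the script is called with arguments.
if [ "$#" -ge 3 ]; then
    check_cert "$@"
fi
```

Passing a MIN_SECONDS_LEFT value such as 2592000 (30 days) turns the expiry check into an early warning, so the certificate can be replaced before clients start failing.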
Updating a Certificate
- To update a TLS certificate, modify the secret on CCE that the certificate was imported to. The TLS certificate is imported to a secret first. CCE then automatically handles the certificate configuration on the ELB console and names the certificate (the name starts with k8s_plb_default). This CCE-generated certificate cannot be modified or deleted from the ELB console.
- To update a certificate created on the ELB console, modify the certificate on the ELB console. There is no need to manually set up the cluster secret.