
I have a certificate, signed by Active Domain Certificate Services. The certificate itself looks fine; I successfully converted it from DER to PEM. However, it says

X509v3 CRL Distribution Points:

    Full Name:
      URI:ldap:///****

Authority Information Access:
    CA Issuers - URI:ldap:****

And the nginx (nginx-ingress in Kubernetes) server says

unexpected error generating SSL certificate with full intermediate chain CA certs: Get ldap:///****: unsupported protocol scheme "ldap"

(the **** are long, company-specific paths)

I have the CA certificate alone in valid DER and PEM formats, and a chain in .p7b format that openssl pkcs7 does not seem to understand (there should not be any intermediates, but I am not completely sure).

The Kubernetes TLS secret storage does not have a separate field for CA certificate, so I need to bundle the whole chain somehow. How do I do that?

Jan Hudec
  • What version of the nginx-ingress controller do you use? There was a problem with certificate chain completion: https://github.com/kubernetes/ingress-nginx/issues/1977. Can you try to use an older or newer version of the nginx-ingress controller to check the correctness of the certificate for Kubernetes? Also, you can try to use the fork quay.io/aledbf/nginx-ingress-controller for that. – Artem Golenyaev Oct 04 '18 at 10:19
  • @ArtemGolenyaev, I have been using 0.13.0. I have tried to update to the newest, 0.19.0. That still logs that error, but it serves the certificate nevertheless (while the 0.13.0 didn't). – Jan Hudec Oct 04 '18 at 19:23
  • Have you tried to use quay.io/aledbf/nginx-ingress-controller? – Artem Golenyaev Oct 05 '18 at 09:12
  • @ArtemGolenyaev, no, but it is already merged in 0.19.0. Yes, 0.19.0 uses the certificate even if it can't complete it. Nevertheless, the question is how do I build the complete certificate manually, not how to make the nginx-ingress work! – Jan Hudec Oct 05 '18 at 10:04
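Added example, not from the question, the answer or the ingress-nginx project: a POSIX shell script that does by hand what the question asks for, assuming only the openssl CLI. It unpacks the .p7b (Windows tooling exports PKCS#7 as DER, and `openssl pkcs7` expects PEM unless told otherwise, which is the usual reason it "does not understand" the file), orders the certificates so the server certificate comes first and each one is followed by its issuer, verifies the leaf against the bundle's own root, and writes the whole ordered chain into the tls.crt of a kubernetes.io/tls Secret, so the controller has no intermediates left to fetch from the ldap:// AIA URL. The root, intermediate and leaf it builds in `make_demo_chain` are constructed throwaway certificates; the function names and the "Demo ..." subjects are the example's own.

```sh
#!/bin/sh
# Added example, not code from the question, the answer or ingress-nginx.
# Assumes only the openssl CLI and POSIX tools; every file name and subject
# name below is constructed for the demo.
set -e

# Unpack a .p7b into PEM. Windows exports PKCS#7 as DER, while `openssl pkcs7`
# reads PEM unless told otherwise, so try DER first and fall back to PEM.
p7b_to_pem() {  # $1 = chain.p7b, $2 = output PEM holding every certificate in it
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null \
        || openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$2"
}

# Write each PEM certificate block of $1 into $2/c01.pem, c02.pem, ... in file order
# (the subject=/issuer= text lines that -print_certs adds are dropped on the way).
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%02d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Reorder a bundle: server certificate first, then each certificate's issuer in
# turn. nginx, and Go's tls.X509KeyPair behind ingress-nginx, treat the first
# certificate in tls.crt as the one to serve.
order_chain() {  # $1 = PEM certificates in any order, $2 = output bundle, leaf first
    work=$(mktemp -d)
    split_pem "$1" "$work"
    # one line per certificate: <subject hash> <issuer hash> <file>
    for c in "$work"/c*.pem; do
        printf '%s %s %s\n' "$(openssl x509 -noout -subject_hash -in "$c")" \
            "$(openssl x509 -noout -issuer_hash -in "$c")" "$c"
    done > "$work/index"
    # the leaf is the certificate that issued none of the others
    cur=$(awk 'NR == FNR { if ($1 != $2) issuer[$2] = 1; next }
               !($1 in issuer) { print $3; exit }' "$work/index" "$work/index")
    total=$(wc -l < "$work/index" | tr -d ' ')
    n=0
    : > "$2"
    while [ -n "$cur" ] && [ "$n" -lt "$total" ]; do
        cat "$cur" >> "$2"
        n=$((n + 1))
        # next = the certificate whose subject is this one's issuer; stop at a self-signed root
        cur=$(awk -v c="$cur" 'NR == FNR { if ($3 == c) { want = $2; self = ($1 == $2) } next }
                               !self && $1 == want && $3 != c { print $3; exit }' \
              "$work/index" "$work/index")
    done
    rm -r "$work"
}

# Check that the first certificate verifies up to the last one, with the bundle
# itself supplying the untrusted intermediates. Fails if the root is missing.
verify_chain() {  # $1 = leaf-first bundle
    work=$(mktemp -d)
    split_pem "$1" "$work"
    root=$(ls "$work"/c*.pem | tail -n 1)
    openssl verify -CAfile "$root" -untrusted "$1" "$work/c01.pem" > /dev/null && ok=1 || ok=0
    rm -r "$work"
    [ "$ok" -eq 1 ]
}

# Print the CN of each certificate in file order, to eyeball the result.
chain_subjects() {  # $1 = bundle
    work=$(mktemp -d)
    split_pem "$1" "$work"
    for c in "$work"/c*.pem; do
        openssl x509 -noout -subject -in "$c" | sed 's/.*CN *= *//'
    done
    rm -r "$work"
}

# Emit a kubernetes.io/tls Secret. tls.crt carries the whole ordered bundle,
# which is where the CA chain goes since the secret has no separate CA field.
# Equivalent to: kubectl create secret tls "$1" --cert="$2" --key="$3"
make_tls_secret() {  # $1 = secret name, $2 = leaf-first bundle, $3 = leaf private key
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\n' "$1"
    printf 'data:\n  tls.crt: %s\n  tls.key: %s\n' \
        "$(base64 < "$2" | tr -d '\n')" "$(base64 < "$3" | tr -d '\n')"
}

# Constructed demo input: a throwaway root -> intermediate -> leaf, packed into a
# DER .p7b with the root first so that order_chain has something to fix.
make_demo_chain() {  # $1 = scratch directory
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$1/leaf.ext"
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
            -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -extfile "$1/ca.ext" \
        -days 1 -out "$1/root.crt" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
        -extfile "$1/ca.ext" -days 1 -out "$1/int.crt" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" -CAcreateserial \
        -extfile "$1/leaf.ext" -days 1 -out "$1/leaf.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$1/root.crt" -certfile "$1/int.crt" \
        -certfile "$1/leaf.crt" -outform DER -out "$1/chain.p7b"
}
```

For a real export, skip `make_demo_chain`: run `p7b_to_pem` on the .p7b, `order_chain` on the result, `verify_chain` on the bundle, and only then `make_tls_secret` (or the equivalent `kubectl create secret tls`). If the .p7b holds only the CA certificates, concatenate the server certificate's PEM with the unpacked file before ordering; `order_chain` needs the leaf in its input. `verify_chain` is the check the controller was trying to do for you: it fails whenever the bundle stops short of a self-signed root, which is exactly the case where nginx-ingress goes looking for the AIA URL.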

1 Answer


cfssl claims it can do it. It created something, though the nginx-ingress controller still prints the warning.

Jan Hudec