
So I need to change an expired SSL certificate. Unfortunately, the one responsible for this task has passed away suddenly. I have no experience with Google Cloud, Kubernetes or Ingress.

If I go to the Google Cloud console, to load balancers, and click on the only one shown, it shows the certificate named "k8s-ssl-xyz", which is the expired one I need to change. I tried editing this load balancer under frontend settings and creating a new certificate. That worked, but after a few minutes it reverts back to the old certificate.

Under Kubernetes Engine, Services & Ingress, there is a service called "basic-ingress4". Its YAML file contains a line stating:

ingress.kubernetes.io/ssl-cert: k8s-ssl-xyz

I tried changing "k8s-ssl-xyz" to the name of the certificate I created earlier, but it also gets reverted to the old one after a while.

gcloud beta compute ssl-certificates list

Returns:

NAME         TYPE     CREATION_TIMESTAMP  EXPIRE_TIME  MANAGED_STATUS
k8s-ssl-xyz           2019-10-01          2019-08-15
newcert      MANAGED  2019-09-30          2019-12-29   ACTIVE
    x.yz.de: ACTIVE

I also tried

gcloud compute target-https-proxies update k8s-tps-xyz --ssl-certificates newcert

And it returned "Updated [...]", but it didn't work either.

Basically, I am lost here. How can I change this certificate without it resetting itself?

Dawg
  • Check that the DNS servers point to the correct IP address and that the domain name matches the certificate. Google offers managed (free) certificates so that you don't have to manage this yourself. – John Hanley Oct 02 '19 at 00:23
  • The DNS servers point to the correct IP address; I also checked the domain name, which is also correct. I tried creating a managed certificate and it's the same: it changes for a few minutes and then it changes back to the old certificate. I also updated the annotation 'ingress.kubernetes.io/ssl-cert' in the basic-ingress4 YAML, but the same is happening here; it changes back to the old entry. It's like there is another config which gets loaded after some time. – Dawg Oct 02 '19 at 13:49
  • Are there any log entries in Stackdriver? Since you were able to create a managed certificate, this confirms that your DNS settings are correct. What does `curl -i -k https://example.com` display? Here I am trying to verify that the endpoint works even with an expired certificate. – John Hanley Oct 02 '19 at 14:09
  • Thanks so much for your help. I figured it out. The culprit was a kubernetes secret which stored the old certificate. It was applied in the yaml file of the ingress service under 'secretName'. Changing this changed the certificate for good. I added a new answer explaining the steps I took. – Dawg Oct 02 '19 at 14:15

1 Answer


I worked it out. The basic-ingress4 service had an entry in its YAML called 'spec->tls->secretName'. Running the command kubectl get secrets returned a secret with this name. kubectl describe secret/secretname returned that it was indeed a TLS secret for the host I wanted to change the secret for.

So by doing

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=foo.bar.com"

followed by

kubectl create secret tls foo-secret --key /tmp/tls.key --cert /tmp/tls.crt

I created a new secret containing a new certificate. Changing the secretName key in the YAML file to the name of the new secret, foo-secret, finally changed the certificate for good.

Edit: If one wants to use a Google-managed certificate, removing the 'secretName' entry and changing the load balancer to a Google-managed certificate works.

Dawg
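The behaviour described in the question (a certificate changed in the load balancer UI, or via `gcloud compute target-https-proxies update`, that reverts a few minutes later) is the GKE ingress controller reconciling the load balancer from the Ingress object and the Secret it references; the Secret, not the proxy, is the source of truth. The diagnostic step the thread was missing is therefore to read the certificate out of the Secret itself and check its expiry, and the rotation step is to replace the Secret's contents. The following is an added example, not code from the original post: it audits every `spec.tls[].secretName` on an Ingress manifest against the matching `kubernetes.io/tls` Secrets (the dicts `kubectl get ... -o json` returns) and shows an in-place rotation that keeps the Secret name, so the Ingress needs no edit. The Ingress name `basic-ingress4` and host `x.yz.de` come from the post; the Secret name `xyz-tls`, the namespace and the dates are assumptions, and the certificates are constructed minimal DER structures with no real key or signature, standing in for the PEM a CA would issue. The parser reads `tbsCertificate.validity.notAfter` and handles both UTCTime and GeneralizedTime, so it also works on real certificates.

```python
"""Audit and rotate the certificate stored in a kubernetes.io/tls Secret (added example)."""
import base64
import datetime as dt


# --- minimal DER helpers (enough for Certificate -> tbsCertificate -> validity) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Return (tag, body, position after this element) for the TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def cert_not_after(cert_pem):
    """Parse tbsCertificate.validity.notAfter from a PEM certificate (tz-aware UTC)."""
    b64 = "".join(l for l in cert_pem.strip().splitlines() if not l.startswith("-----"))
    _, cert, _ = _read_tlv(base64.b64decode(b64), 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                     # tbsCertificate
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)               # Validity ::= SEQUENCE { notBefore, notAfter }
    _, _, p = _read_tlv(validity, 0)
    tag, t, _ = _read_tlv(validity, p)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(t.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def _utctime(t):
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())


def fake_cert_pem(not_before, not_after):
    """CONSTRUCTED stand-in for a CA-issued certificate: valid DER layout, no real key or signature."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))          # version v3
                     + _tlv(0x02, b"\x01")                     # serialNumber
                     + alg + _tlv(0x30, b"")                   # signature, issuer (empty Name)
                     + _tlv(0x30, _utctime(not_before) + _utctime(not_after))
                     + _tlv(0x30, b"")                         # subject (empty Name)
                     + _tlv(0x30, alg + _tlv(0x03, b"\x00")))  # subjectPublicKeyInfo placeholder
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# --- Kubernetes side: the manifests kubectl produces and consumes ---
def tls_secret(name, namespace, key_pem, cert_pem):
    """Same shape as the output of `kubectl create secret tls NAME --key ... --cert ... -o json`."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": base64.b64encode(cert_pem.encode()).decode(),
                     "tls.key": base64.b64encode(key_pem.encode()).decode()}}


def secret_not_after(secret):
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls Secret")
    return cert_not_after(base64.b64decode(secret["data"]["tls.crt"]).decode())


def audit_ingress_tls(ingress, secrets, now):
    """Map each spec.tls[].secretName to ('missing'|'expired'|'ok', notAfter or None)."""
    report = {}
    for entry in ingress.get("spec", {}).get("tls", []):
        name = entry.get("secretName")
        if name not in secrets:
            report[name] = ("missing", None)
            continue
        exp = secret_not_after(secrets[name])
        report[name] = ("expired" if exp <= now else "ok", exp)
    return report


def demo():
    """Constructed scenario mirroring the post, audited before and after an in-place rotation."""
    utc = dt.timezone.utc
    now = dt.datetime(2019, 10, 2, tzinfo=utc)
    ingress = {"kind": "Ingress", "metadata": {"name": "basic-ingress4"},
               "spec": {"tls": [{"hosts": ["x.yz.de"], "secretName": "xyz-tls"}]}}
    key_pem = "-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n"
    old = tls_secret("xyz-tls", "default", key_pem,
                     fake_cert_pem(dt.datetime(2018, 8, 15, tzinfo=utc), dt.datetime(2019, 8, 15, tzinfo=utc)))
    before = audit_ingress_tls(ingress, {"xyz-tls": old}, now)
    # Rotate in place: same Secret name, new key and cert; the Ingress is untouched and the
    # ingress controller pushes the new certificate to the load balancer by itself.
    new = tls_secret("xyz-tls", "default", key_pem, fake_cert_pem(now, dt.datetime(2020, 10, 1, tzinfo=utc)))
    after = audit_ingress_tls(ingress, {"xyz-tls": new}, now)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        print(label, report)
```

Against a live cluster the same two checks are `kubectl get secret xyz-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -enddate` for the expiry, and `kubectl create secret tls xyz-tls --cert=tls.crt --key=tls.key --dry-run=client -o yaml | kubectl apply -f -` for the in-place rotation with the CA-issued files (the post's `openssl req -x509` command produces a self-signed certificate, which browsers will not trust; it only proves the plumbing works). Rotating in place rather than creating `foo-secret` and editing `secretName` keeps the Ingress manifest stable and leaves no stale Secret holding an old private key behind.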