Issue while adding SSL to Azure Kubernetes Service

Sandip Roy 1 Reputation point
2020-10-16T11:15:21.457+00:00

I have written a microservice that posts data to CRM.
Containerized the microservice in AKS. Now I generated a certificate using openssl and am trying to add the certificate to my microservice DNS URL.

Finally getting this error on executing the below command:

curl -v -k --resolve aiacrminterface-aks.southeastasia.cloudapp.azure.com:443:20.195.39.104 https://aiacrminterface-aks.southeastasia.cloudapp.azure.com.

For SSL I followed https://learn.microsoft.com/en-us/azure/aks/ingress-own-tls.

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host aiacrminterface-aks.southeastasia.cloudapp.azure.com left intact


3 answers

  1. prmanhas-MSFT 17,891 Reputation points Microsoft Employee
    2020-10-16T11:25:55.007+00:00

    @SR-7782 Can you please use service type ClusterIP? Take a look at this useful article: services-kubernetes.

    If you use Ingress you have to know that Ingress isn't a type of Service, but rather an object that acts as a reverse proxy and single entry point to your cluster that routes the request to different services. The most basic Ingress is the NGINX Ingress Controller, where NGINX takes on the role of reverse proxy, while also functioning as SSL. On the below drawing you can see the workflow between specific components of the environment objects.

    Ingress is exposed to the outside of the cluster via ClusterIP and Kubernetes proxy, NodePort, or LoadBalancer, and routes incoming traffic according to the configured rules.

    Example of service definition:

    apiVersion: v1
    kind: Service
    metadata:
      name: app-svc
      labels:
        app: app1
    spec:
      type: ClusterIP
      ports:
      - port: 80
      selector:
        app: app1
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: app2-svc
      labels:
        app: app2
    spec:
      type: ClusterIP
      ports:
      - port: 80
      selector:
        app: app2
    

    Hope it helps!!!

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics


  2. Kasun Rajapakse 351 Reputation points
    2020-10-16T19:04:53.053+00:00

    Hi,

    As I checked the YAML, I need to know a few details:

    1. What is the ingress controller using (Nginx or any other)?
    2. Are you using ingress resources to route traffic to the ingress controller?
    3. Is there a custom SSL certificate, or are you using Let's Encrypt?

    With the YAML you provided, I understand that you expose the application from a LoadBalancer and expect it to work as SSL. If so, it won't work. To work with SSL you have to use a Layer 7 load balancer such as the Nginx Ingress controller. This will terminate SSL at Layer 7. With an ingress controller, you have to use the resource called ingress, and from there you can specify the SSL cert and domain names.

    Please refer to the following docs:

    Use Ingress with TLS in AKS

    Please 'Accept as answer' if it helped

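The ingress resource both answers describe, as an added example (not from the question or either answer): TLS terminates at the NGINX ingress controller, which serves the certificate from a Kubernetes TLS Secret and routes plain HTTP to the ClusterIP Services from the first answer. It assumes the Services `app-svc` and `app2-svc` exist, that the NGINX ingress controller is installed with IngressClass `nginx`, and that the openssl certificate and key were loaded into a Secret named `aks-ingress-tls` (an assumed name) with `kubectl create secret tls aks-ingress-tls --cert=<cert.crt> --key=<key.key>`.

```yaml
# Added example; not the original poster's or the Azure docs' own manifest.
# Assumes: Services app-svc/app2-svc (from the first answer), IngressClass "nginx",
# and a TLS Secret "aks-ingress-tls" holding tls.crt and tls.key (assumed name).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
spec:
  ingressClassName: nginx
  tls:
  # The certificate's CN/SAN must match this host; curl -k hides a mismatch,
  # but any client that verifies the chain will reject it.
  - hosts:
    - aiacrminterface-aks.southeastasia.cloudapp.azure.com
    secretName: aks-ingress-tls
  rules:
  - host: aiacrminterface-aks.southeastasia.cloudapp.azure.com
    http:
      paths:
      # Requests to / go to app-svc; the ingress controller speaks plain HTTP
      # to the pods, so the Service port stays 80 and needs no certificate.
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-svc
            port:
              number: 80
      # A second path routed to app2-svc on the same TLS host.
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-svc
            port:
              number: 80
```

The `503 Service Temporarily Unavailable` page signed `nginx` in the question is the ingress controller answering for itself, typically because the backend Service it was routing to had no ready endpoints; `kubectl get endpoints app-svc` shows whether the selector actually matches running pods.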

  3. Sandip Roy 1 Reputation point
    2020-10-22T02:28:16.883+00:00

    @Kasun Rajapakse
    Now I am facing the below issue:
    Added crmaiainterface-aks.southeastasia.cloudapp.azure.com:443:20.195.98.50 to DNS cache
    * Rebuilt URL to: https://crmaiainterface-aks.southeastasia.cloudapp.azure.com/
    * Hostname crmaiainterface-aks.southeastasia.cloudapp.azure.com was found in DNS cache
    * Trying 20.195.98.50...
    * TCP_NODELAY set
    * Connected to crmaiainterface-aks.southeastasia.cloudapp.azure.com (20.195.98.50) port 443 (#0)
    * schannel: SSL/TLS connection with crmaiainterface-aks.southeastasia.cloudapp.azure.com port 443 (step 1/3)
    * schannel: disabled server certificate revocation checks
    * schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
    * schannel: sending initial handshake data: sending 208 bytes...
    * schannel: sent initial handshake data: sent 208 bytes
    * schannel: SSL/TLS connection with crmaiainterface-aks.southeastasia.cloudapp.azure.com port 443 (step 2/3)
    * schannel: failed to receive handshake, need more data
    * schannel: SSL/TLS connection with crmaiainterface-aks.southeastasia.cloudapp.azure.com port 443 (step 2/3)
    * schannel: encrypted data got 1342
    * schannel: encrypted data buffer: offset 1342 length 4096
    * schannel: sending next handshake data: sending 93 bytes...
    * schannel: SSL/TLS connection with crmaiainterface-aks.southeastasia.cloudapp.azure.com port 443 (step 2/3)
    * schannel: encrypted data got 51
    * schannel: encrypted data buffer: offset 51 length 4096
    * schannel: SSL/TLS handshake complete
    * schannel: SSL/TLS connection with crmaiainterface-aks.southeastasia.cloudapp.azure.com port 443 (step 3/3)
    * schannel: stored credential handle in session cache

    > GET / HTTP/1.1
    > Host: crmaiainterface-aks.southeastasia.cloudapp.azure.com
    > User-Agent: curl/7.55.1
    > Accept: */*
    >
    * schannel: client wants to read 102400 bytes
    * schannel: encdata_buffer resized 103424
    * schannel: encrypted data buffer: offset 0 length 103424
    * schannel: encrypted data got 199
    * schannel: encrypted data buffer: offset 199 length 103424
    * schannel: decrypted data length: 170
    * schannel: decrypted data added: 170
    * schannel: decrypted data cached: offset 170 length 102400
    * schannel: encrypted data buffer: offset 0 length 103424
    * schannel: decrypted data buffer: offset 170 length 102400
    * schannel: schannel_recv cleanup
    * schannel: decrypted data returned 170
    * schannel: decrypted data buffer: offset 0 length 102400
    < HTTP/1.1 404 Not Found
    < Date: Thu, 22 Oct 2020 01:02:30 GMT
    < Content-Length: 0
    < Connection: keep-alive
    < Strict-Transport-Security: max-age=15724800; includeSubDomains
    <
    * Connection #0 to host crmaiainterface-aks.southeastasia.cloudapp.azure.com left intact