Kubernetes: SSL connection failed while accessing external API

Mhatre, Aalap 11 Reputation points
2020-12-05T16:27:59.08+00:00

I have a Kubernetes cluster version 1.16.13 running within Azure. .NET Core services are running within this cluster. I need to access an external service which requires installation of a certificate in my certificate store.

In order to do so, the certificate ".crt" file is copied using the Dockerfile into the "usr/local/shared/ca-certificates" folder and then update-ca-certificates is executed. It's then installed within the container's certificate store "/etc/ssl/certs".
I see a ".pem" file created in this root CA store. However, when the service tries to access the external API an error is encountered stating "SSL connection could not be established".

The .pem file initially consists of 3 different certificates, one being the root. When the .pem file is converted into a .crt file using openssl, only one certificate can be seen encrypted in the generated .crt file.

I also tried mounting the certificate using ConfigMaps + volumeMounts but it still did not work. Another option tried was to install it in the "private" store "/etc/ssl/private" rather than the root CA store.

Can someone help on this? Is the certificate also required to be installed on the cluster nodes?

Update:
When installing a ".p12" certificate file on a Windows system, I found 3 certificates are installed within the "Personal" store of a user, viz. 2 intermediate certificates and 1 client/server certificate. This client/server certificate is also found installed in the "Other People" store.

Now I want to understand how to map these certificates to a container of the AKS cluster.

Version details of POD:
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"

Version details of VMSS under AKS cluster:
SKU: aks-ubuntu-1604-2020-q3
Version: 2020.09.03

Do I only install these certificates under the certificate store "/etc/ssl/certs" of PODs, or do I also have to install these on the cluster nodes?

According to me, installing these only on PODs does not serve the purpose.

I tried installing the ".crt" intermediate certificates under "/usr/share/ca-certificates" and the client/server certificate under "/etc/local/share/ca-certificates" and then ran "update-ca-certificates", but it still fails.


2 answers

  1. Michaël Leneveut 6 Reputation points
    2020-12-05T21:23:16.367+00:00

    Did you try to add the root certificate in the .crt?

    You could need to concatenate the root certificate then your certificate in the same .crt file.

    Try to do a:
    curl -vvv https://xxx

    to see if you could provide more details.

    Regards.


  2. Mhatre, Aalap 11 Reputation points
    2020-12-22T13:15:24.427+00:00

    We have 2 '.pem' certificate files: one is the root certificate while the other is client certificate including the intermediate certificates as well. Besides this the encrypted private key '.key' file is also considered.
    All these three files are mounted under '/etc/ssl/certs' folder using configmaps & volumemounts.

    Pushing certificates from within the Dockerfile using 'update-ca-certificates' does not work on the client certificate, as in the conversion process to a '.crt' file we end up losing the contents of the intermediate certificates.

    With this approach things worked as expected.
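The answer above reports that the conversion to `.crt` loses the intermediate certificates, and the first answer suggests checking the chain with curl. The script below is an added example, not code from either poster: it builds a throwaway root, intermediate and leaf with openssl, reproduces the lossy `openssl x509` conversion, and verifies the leaf against the root the way a container's trust store would. Every file name and subject is constructed for the demo.

```bash
#!/bin/sh
# Added example (not code from the question or the answers). Builds a throwaway
# root -> intermediate -> leaf chain with openssl, shows that converting a PEM
# bundle with `openssl x509` keeps only its first certificate, and checks a
# chain against a trust anchor the way a container's trust store would.
# All file names and subjects are constructed for the demo.
set -eu

# Minimal req config so the example does not depend on a system openssl.cnf.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# make_chain DIR: root.pem (self-signed CA), inter.pem (CA signed by root),
# leaf.pem (end-entity signed by inter) and bundle.pem (leaf, inter, root),
# which is the order most vendors ship a chain in.
make_chain() {
    d=$1; mkdir -p "$d"; cfg=$d/req.cnf; write_req_config "$cfg"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
    for name in root inter leaf; do
        openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
            -subj "/CN=Demo $name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"
}

# Number of PEM CERTIFICATE blocks in a file (0 if none).
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# convert_first_only BUNDLE OUT: the lossy step from the question. openssl x509
# parses a single certificate, so every block after the first is dropped.
convert_first_only() { openssl x509 -in "$1" -out "$2" 2>/dev/null; }

# verify_leaf ANCHOR UNTRUSTED LEAF: succeeds only if LEAF chains up to ANCHOR,
# using UNTRUSTED (the intermediate) to build the chain, as a TLS client does.
verify_leaf() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }
```

Run `make_chain /tmp/demo` and then `verify_leaf /tmp/demo/root.pem /tmp/demo/inter.pem /tmp/demo/leaf.pem` to see a passing check; the same check with the intermediate left out fails, which is the symptom the answer describes. A separate point for the mounting approach in the answer: the client certificate and its private key are not trust anchors, so they are presented by the application rather than installed under `/etc/ssl/certs`, and a private key should be mounted from a Kubernetes Secret, since a ConfigMap is not intended for confidential data.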

