I want to deploy to Kubernetes with HTTP/2 enabled, in a Kubernetes cluster with a Namecheap certificate, but I always get this error:
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
My configs are:
- application.properties:
  server.port=8443
  server.http2.enabled=true
  server.ssl.enabled=true
  server.ssl.key-store=classpath:keystore/cert.p12
  server.ssl.key-store-type=PKCS12
  server.ssl.key-store-password=password
- Dockerfile:
  FROM openjdk:11.0.8-slim
  VOLUME /tmp
  ARG DEPENDENCY=target/dependency
  # exploded Spring Boot jar layout: libs, manifest, then application classes
  COPY ${DEPENDENCY}/BOOT-INF/lib /app/lib
  COPY ${DEPENDENCY}/META-INF /app/META-INF
  COPY ${DEPENDENCY}/BOOT-INF/classes /app
  ENTRYPOINT ["java","-cp","app:app/lib/*","com.package.app"]
- ingress:
  apiVersion: networking.k8s.io/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    name: example
    namespace: http2
  spec:
    rules:
    - host: domain.com
      http:
        paths:
        - backend:
            serviceName: service-http2   # note: the Service manifest below is named back-http2, not service-http2
            servicePort: 8443
          path: /
    tls:
    - hosts:
      - domain.com
      secretName: secret-tls
- cert: I have two files:
  - exemple.cert
  - exemple.ca-bundle
I used this command to convert my cert to .p12:
  openssl pkcs12 -export -in cert.crt -inkey key.key -out cert.p12
  # note: without -certfile exemple.ca-bundle the PKCS12 holds only the leaf certificate and key,
  # so the server will not present the intermediate chain to clients
- my.yaml file:
  apiVersion: v1
  kind: Service
  metadata:
    name: back-http2
    namespace: http2
    labels:
      app: back-http2
  spec:
    type: ClusterIP
    ports:
    - name: http
      protocol: TCP
      port: 8080
    - name: https
      protocol: TCP
      port: 8443
    selector:
      app: back-http2
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: back-http2-deployment
    namespace: http2
    labels:
      app: back-http2
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: back-http2
    template:
      metadata:
        labels:
          app: back-http2
      spec:
        containers:
        - name: back-dev
          image: docker/registry:back-http2
          imagePullPolicy: Always
          ports:
          - name: http
            protocol: TCP
            containerPort: 8080
          - name: https
            protocol: TCP
            containerPort: 8443
        imagePullSecrets:
        - name: secret
- versions:
  Spring Boot: 2.4.2
  Kubernetes: 1.20.2
  nginx ingress controller deployed with Helm: ingress-nginx-4.0.3
Any help would be greatly appreciated! Thank you!
CodePudding user response:
You need to configure TLS passthrough in the nginx ingress definition:
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
Make sure that the ingress itself is started with support for this flag, e.g.:
  args:
  - --enable-ssl-passthrough
The reason behind this is that HTTP2 requires TLS by default.
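Putting the two pieces of the answer together, as an added example that is not part of the original question or answer: the questioner's Ingress rewritten for TLS passthrough, followed by the Helm values that add the controller flag. Host and namespace come from the question. Assumptions are the Service name back-http2 (the question's Ingress points at service-http2 while its Service manifest is named back-http2; this example uses the latter), the networking.k8s.io/v1 Ingress API, and the ingress-nginx chart's controller.extraArgs values key.

```yaml
# Added example, not the original poster's or the answerer's manifest.
# Ingress for TLS passthrough: nginx forwards the raw TLS stream to the
# backend on 8443, so the Spring Boot app terminates TLS with its own
# PKCS12 keystore and negotiates h2 via ALPN itself.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  namespace: http2
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # force-ssl-redirect is dropped: with passthrough nginx never sees the
    # plaintext for this host, so it cannot redirect or inspect anything.
    # The Ingress tls: section and secret-tls are likewise unused for this
    # host, because the certificate presented is the one in the backend's
    # keystore, not the Kubernetes Secret.
spec:
  rules:
  - host: domain.com            # passthrough routes by SNI only; paths are ignored
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: back-http2      # assumed: the Service name from the question's manifest
            port:
              number: 8443        # the TLS port, never the plaintext 8080
---
# values.yaml for the ingress-nginx Helm chart (4.0.3 in the question), applied with
#   helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx -f values.yaml
# controller.extraArgs renders each key as a --flag on the controller command line;
# an empty value emits the bare flag. Without --enable-ssl-passthrough the
# annotation above is silently ignored and nginx keeps terminating TLS, which is
# exactly what produces "not an SSL/TLS record" on the backend.
controller:
  extraArgs:
    enable-ssl-passthrough: ""
```

To confirm the change took effect, run `openssl s_client -connect domain.com:443 -servername domain.com -alpn h2 </dev/null` from outside the cluster: the `subject=` line should show the Namecheap certificate from cert.p12 rather than the one in secret-tls, and `ALPN protocol: h2` confirms the backend negotiated HTTP/2. Two caveats a practitioner should weigh before choosing passthrough: the controller can only route by SNI, so any path-based routing, nginx-side redirects, rate limits or request inspection for that host stop working; and because the application now terminates TLS, the keystore and its password (currently baked into application.properties inside the image) become part of the trust boundary and are better supplied from a Kubernetes Secret than from the container filesystem.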