Updated on 2024-11-13 GMT+08:00

What Could Cause Access Exceptions After Configuring an HTTPS Certificate for a LoadBalancer Ingress?

If you configure an HTTPS certificate for a LoadBalancer ingress, access may become abnormal if any of the following issues arise. To fix the problem, refer to the causes listed in the table.

| Cause | Symptom | Solution |
| --- | --- | --- |
| The certificate has expired. | An error similar to the following is displayed when the curl command is executed: `SSL certificate problem: certificate has expired` | Replace the certificate in a timely manner. |
| The certificate chain that the client uses for verification does not match the HTTPS certificate configured for the LoadBalancer ingress. | An error similar to the following is displayed when the curl command is executed: `SSL certificate problem: unable to get local issuer certificate` | Ensure that the HTTPS certificate chain on the client matches the certificate configured for the LoadBalancer ingress. |
| No domain name is specified when a certificate is created. | An error similar to the following is displayed when the curl command is executed: `SSL: unable to obtain common name from peer certificate` | Specify a domain name when creating a certificate. |
| The domain name to be accessed is different from the domain name of the HTTPS certificate. | An error similar to the following is displayed when the curl command is executed: `SSL: certificate subject name 'example.com' does not match target host name 'test.com'` | Configure a certificate that matches the domain name for the ingress. |

You can run the following command to check the certificate information, such as expiration time and domain name. ca.crt specifies the certificate path.

openssl x509 -in ca.crt -subject -noout -text
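
The checks behind the table can also be scripted so that each cause is tested before a certificate is attached to the ingress. The following is an added example, not part of the original page or of CCE: the function names are hypothetical, and the two self-signed certificates (for example.com and test.com, valid for one day) are constructed sample input.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; certificates are constructed.

# Returns 0 if the certificate expires within $2 seconds or has already expired.
# A missing or unreadable file is also reported as expiring (fail closed).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Returns 0 if host name $2 matches the certificate's SAN/CN entries.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Returns 0 if certificate $2 verifies against the CA bundle $1,
# which is the check that fails with "unable to get local issuer certificate".
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed certificate, valid 1 day.
make_demo_cert() {   # $1 = output prefix, $2 = domain name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_cert "$DEMO_DIR/ingress" example.com
make_demo_cert "$DEMO_DIR/other" test.com

# Print yes/no for each check, mirroring the rows of the table.
report() { if "$@"; then echo "yes  $*"; else echo "no   $*"; fi; }
report cert_expires_within "$DEMO_DIR/ingress.crt" 3600
report cert_expires_within "$DEMO_DIR/ingress.crt" 172800
report cert_matches_host "$DEMO_DIR/ingress.crt" example.com
report cert_matches_host "$DEMO_DIR/ingress.crt" test.com
report cert_chains_to "$DEMO_DIR/ingress.crt" "$DEMO_DIR/ingress.crt"
report cert_chains_to "$DEMO_DIR/other.crt" "$DEMO_DIR/ingress.crt"
```

Running `cert_expires_within` with a window of several weeks from a scheduled job gives advance notice before the expiry error in the table reaches clients.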

Updating a Certificate

  • To update a TLS certificate, modify the secret into which the certificate was imported on CCE. The TLS certificate is first imported to a secret. CCE then automatically handles the certificate configuration on the ELB console and names the certificate (the name starts with k8s_plb_default). This CCE-generated certificate cannot be modified or deleted from the ELB console.
  • To update a certificate created on the ELB console, modify the certificate on the ELB console. There is no need to manually set up the cluster secret.