Help Center/ Cloud Container Engine/ FAQs/ Networking/ Network Fault/ What Could Cause Access Exceptions After Configuring an HTTPS Certificate for a LoadBalancer Ingress?

Updated on 2024-09-30 GMT+08:00

View PDF

What Could Cause Access Exceptions After Configuring an HTTPS Certificate for a LoadBalancer Ingress?

If you configure an HTTPS certificate for a LoadBalancer ingress, access may become abnormal if any of the following issues arise. To fix the problem, refer to the causes listed in the table.

Cause	Symptom	Solution
The certificate has expired.	The error similar to the following is displayed when the curl command is executed: SSL certificate problem: certificate has expired	Replace the certificate in a timely manner.
An unmatched HTTPS certificate chain is used by a client to verify the HTTPS certificate configured for the LoadBalancer ingress.	The error similar to the following is displayed when the curl command is executed: SSL certificate problem: unable to get local issuer certificate	Ensure that the HTTPS certificate chain on the client matches the certificate configured for the LoadBalancer ingress.
No domain name is specified when a certificate is created.	The error similar to the following is displayed when the curl command is executed: SSL: unable to obtain common name from peer certificate	Specify a domain name when creating a certificate.
The domain name to be accessed is different from the domain name of the HTTPS certificate.	The error similar to the following is displayed when the curl command is executed: SSL: certificate subject name 'example.com' does not match target host name 'test.com'	Configure a certificate that matches the domain name for the ingress.

You can run the following command to check the certificate information, such as expiration time and domain name. ca.crt specifies the certificate path.

openssl x509 -in ca.crt -subject -noout -text

Updating a Certificate

To update a TLS certificate, modify the secret where the certificate is imported to on CCE. The TLS certificate is imported to a secret first. CCE then automatically handles the certificate configurations on the ELB console and gives a name to the certificate (started with k8s_plb_default). This certificate, which is generated by CCE, cannot be modified or deleted from the ELB console.
To update a certificate created on the ELB console, modify the certificate on the ELB console. There is no need to manually set up the cluster secret.

Parent Topic: Network Fault

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot