NGINX migration, backend SSL verification breaking

hholierhoek · January 23, 2026, 5:27pm

We’ve just embarked on our ingress migration from NGINX. Traefik was chosen due to the level of support for the NGINX annotations.

I’m having trouble getting my ingress to work, and wondering if anyone has some tips for me.

I understand that the way it works, it’ll connect directly to the backend pod IP so SAN validation is against the pod IP. I’ve tried adding the NGINX annotation proxy-ssl-server-name to mitigate it, but curl still fails with HTTP code 500. The Traefik logs show:

500 Internal Server Error error="tls: failed to verify certificate: x509: certificate is valid for 100.127.212.75, not 10.233.83.231"

The cert shows:

    X509v3 Subject Alternative Name: 
        DNS:rmgr.psa-restricted.svc.cluster.local, DNS:nspos-prometheus-endpoint, IP Address:100.127.212.75

Backend pod IP is: 10.233.83.231

Annotation is: nginx.ingress.kubernetes.io/proxy-ssl-server-name: rmgr.psa-restricted.svc.cluster.local

Setting “ssl-verify: off”’ doesn’t get past this either.

Is there something else I’m missing? Any pointers would be very much appreciated.

hholierhoek · January 26, 2026, 2:29pm

After reading the code a bit I suppose I should mention that proxy-ssl-name is also set to the same value as proxy-ssl-server-name. It seems ssl-server-name is irrelevant if ssl-server is specified.

hholierhoek · January 26, 2026, 3:25pm

Reading more about the ssl-server-name annotation - as opposed to just the google AI hallucination - it’s supposed to be a boolean (enables TLS SNI) which seems contrary to how it’s used in the Traefik code and a yaml file - see 07-ingress-with-proxy-ssl.yml where it’s set to the same as ssl-name - ‘whoami.localhost’.

That said, I don’t need SNI and so that annotation can’t help me anyway.

For my case I guess it’s back to ssl-name, and the question of why that isn’t forwarded in the code for use in the TLS validation. But perhaps that should be the topic of an official issue on github?

hholierhoek · January 26, 2026, 7:13pm

Never mind. Looks like due to chart misconfiguration the ingresses were being picked up by the Traefik provider, not their nginx provider.

Topic		Replies	Views
Rancher k3s build-in traefik ingress not connecting to https backend service Traefik v2 rancher , kubernetes-ingress	2	1639	July 29, 2023
Forwarding to https backend fails with ingress Traefik v1 kubernetes-ingress , letsencrypt-acme	2	6098	October 22, 2022
Proxy.go:100 > 500 Internal Server Error error="tls: failed to verify certificate: x509: certificate is valid for 0.0.0.0, not 172.28.0.10" Traefik v3 (latest) docker	7	1338	May 22, 2024
Pilot using HTTPS Traefik v2 kubernetes-ingress	3	713	November 19, 2025
Possible solution for "cannot validate certificate because it doesn't contain any IP SANs" Traefik v2 kubernetes-crd , kubernetes-ingress	3	9595	June 14, 2021

NGINX migration, backend SSL verification breaking

Related topics