Possible solution for "cannot validate certificate because it doesn't contain any IP SANs"

I know that the Kubernetes Ingress Controller reaches the pods directly via their IPs, because this is required for sticky sessions or weight-based routing, but it also causes a "cannot validate certificate because it doesn't contain any IP SANs" error when routing to https endpoints. As a workaround, in case sticky sessions are not needed, is there anything wrong with routing traffic through an ExternalName service pointing to the ClusterIP service hostname and issuing the certificate for the https endpoint with a SAN equal to the ClusterIP hostname? Example:

# apiVersion fields added so the manifests apply as written.
apiVersion: v1
kind: Service
metadata:
  name: example-app-external-service
spec:
  type: ExternalName
  # ExternalName expects a DNS name; the FQDN form
  # example-app-internal-service.<namespace>.svc.cluster.local resolves reliably.
  # Traefik v2.5+ only routes to ExternalName services when the provider is
  # started with --providers.kubernetescrd.allowExternalNameServices=true.
  externalName: example-app-internal-service
---
apiVersion: v1
kind: Service
metadata:
  name: example-app-internal-service
spec:
  type: ClusterIP
  selector:
    app: example-app
  ports:
    - port: 80
---
apiVersion: traefik.containo.us/v1alpha1   # Traefik v2 CRD API group (assumed)
kind: IngressRoute
metadata:
  name: example-app                        # name added; not in the original post
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`example-app.example.com`)   # placeholder host
      kind: Rule
      services:
        - kind: Service
          name: example-app-external-service
          port: 80
          scheme: https

Hello @rkoplinger,

If you are not able to issue certificates with IP SANs, you have 2 options:

  • Disable backend certificate validation using the insecureSkipVerify on a serversTransport object: (Kubernetes IngressRoute - Traefik)
  • Add a serverName to a serversTransport to specify the host name to use when contacting the backend service (Kubernetes IngressRoute - Traefik). This may allow your certificates to be properly requested and served.
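The two options side by side, as an added example that is not from the thread or from the Traefik project itself. It assumes Traefik v2 CRDs under the traefik.containo.us/v1alpha1 API group, the default namespace, a backend listening on 443, and a Secret named internal-ca holding the CA that signed the backend certificate; the serverName value must match a DNS SAN in that certificate.

```yaml
# Added example (not from the thread or Traefik's own docs); assumes Traefik v2
# CRDs under the traefik.containo.us/v1alpha1 API group and the "default" namespace.
# Weak setting: skip backend certificate validation entirely.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: backend-insecure
  namespace: default
spec:
  insecureSkipVerify: true   # no hostname or chain check; a spoofed backend inside the cluster goes unnoticed
---
# Corrected setting: keep validation, but tell Traefik which name to verify against.
# The backend certificate carries this DNS SAN; Traefik still dials the pod IP.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: backend-verified
  namespace: default
spec:
  serverName: example-app-internal-service.default.svc.cluster.local
  rootCAsSecrets:
    - internal-ca            # Secret holding the CA that signed the backend certificate
---
apiVersion: v1
kind: Secret
metadata:
  name: internal-ca
  namespace: default
data:
  ca.crt: <BASE64_PEM_OF_INTERNAL_CA>   # placeholder, replace with the real CA bundle
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: example-app
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`example-app.example.com`)   # placeholder host
      kind: Rule
      services:
        - name: example-app-internal-service   # plain ClusterIP service; no ExternalName hop needed
          port: 443
          scheme: https
          serversTransport: backend-verified
```

With serverName set, the ExternalName indirection from the question is unnecessary: Traefik keeps talking to pod IPs (so sticky sessions and weights still work) and validates the certificate against the configured hostname.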

Thank you. The second option is exactly what I was looking for.
