cert-managerknativeknative-serving

Knative & cert-manager - SSL_ERROR_SYSCALL


kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T21:16:14Z", GoVersion:"go1.16.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-12T14:12:29Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}

Running on Ubuntu 20.04

Installed: https://knative.dev/docs/install/install-serving-with-yaml/

Tried all network layers - this one is running with kourier and cert-manager

I installed "networking-ns-cert" and using DNS01 - basically following: https://knative.dev/docs/install/install-serving-with-yaml/

I do get my certificates created and I can curl -H "app..mydomain.dev" http(not https)

get kcert --all-namespaces                                                                                                                     
NAMESPACE         NAME                        READY   REASON
cert-manager      cert-manager.mydomain.dev      True    
default           default.mydomain.dev           True    
knative-serving   knative-serving.mydomin.dev   True    
kourier-system    kourier-system.mydomain.dev    True    
kube-node-lease   kube-node-lease.mydomain.dev   True    
kube-public       kube-public.mydomain.dev       True    
kube-system       kube-system.mydomain.dev       True    
test              test.mydomain.dev              True    
kubectl get svc -n kourier-system
NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
kourier            NodePort    10.96.38.63      <none>        80:30789/TCP,443:30670/TCP   31h
kourier-internal   ClusterIP   10.101.145.191   <none>        80/TCP                       31h
openssl s_client -connect mydomain.dev:443
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1621705659
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
curl -H "Host: helloworld-go.default.mydomain.dev" http://mydomain.dev
Hello Hello Knative Serving is up and running with Kourier!!!

curl -iv -H "Host: helloworld-go.default.mydomain.dev" https://mydomain.dev                                                                      
*   Trying <ip address>...
* TCP_NODELAY set
* Connected to mydomain.dev (<ip address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mydomain.dev:443 
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mydomain.dev:443 ```

Solution

  • I notice that you're connecting to https://mydomain.dev, but passing a host header for a different domain. My guess would be that curl is sending an SNI request for a mydomain.dev cert; since networking-ns-cert will acquire wildcard certs for *.<namespace>.my domain.dev, it's possible that the server doesn't have a cert matching the SNI request, and closes the TCP connection.

    Try using the -kvv options to curl (instead of -v) to print more verbose debugging information and bypass some SSL errors. Since you have DNS and certs set up, I'd try:

    curl -kvv https://helloworld-go.default.mydomain.dev