crixx opened a new issue, #12463:
URL: https://github.com/apache/apisix/issues/12463

   ### Description
   
   Hi there
   
   I'm working on kubernetes and I'm new to apisix. I want to secure my deployed application with https. Since I'm using Kubernetes, I'd like to make use of the CRD provided by the ingress-controller instead of using the Admin API.
   
   As it seems to me, the ingress-controller does not pick up my ApisixTls CRD and thus is not adding the certificate / ssl secrets to the gateway.
   
   The error message in the gateway log is the following:
   
   `2025/07/26 09:12:01 [error] 53#53: *40954959 [lua] init.lua:206: ssl_client_hello_phase(): failed to match any SSL certificate by SNI: app.domain.com, context: ssl_client_hello_by_lua*, client: 10.42.0.1, server: 0.0.0.0:9443`
   
   What I did so far:
   
   I installed apisix and apisix-ingress-controller via the k3s helmchart mechanism:
   
   ```
   apiVersion: helm.cattle.io/v1
   kind: HelmChart
   metadata:
     name: apisix
     namespace: kube-system
   spec:
     chart: apisix
     repo: https://charts.apiseven.com
     targetNamespace: apisix
     createNamespace: true
     valuesContent: |-
       service:
         type: LoadBalancer
   
       apisix:
         ssl:
           enabled: true
   
       ingress-controller:
         enabled: true
         apisix:
           adminService:
             namespace: apisix
         gatewayProxy:
           createDefault: true
   ```
   
   I installed cert-manager via the `apply -f` method from their website.
   I created a cluster issuer.
   I created a certificate using Let's Encrypt.
   The secret is created and populated with:
   
   ```
   type: kubernetes.io/tls
   data:
     tls.crt: <base64>
     tls.key: <base64>
   ```
   
   Then I created a httpbin deployment:
   
   ```
   kubectl run httpbin --image kennethreitz/httpbin --namespace apisix
   kubectl expose pod httpbin -n apisix --port 80
   ```
   
   Finally I created an ApisixRoute and an ApisixTls definition:
   
   ```
   apiVersion: apisix.apache.org/v2
   kind: ApisixTls
   metadata:
     name: httpbin
     namespace: apisix
   spec:
     hosts:
     - app.domain.com
     secret:
       name: app-domain-cert
       namespace: default
   ---
   apiVersion: apisix.apache.org/v2
   kind: ApisixRoute
   metadata:
     name: httpbin
     namespace: apisix
   spec:
     http:
     - name: httpbin
       match:
         paths:
         - /*
         hosts:
         - app.domain.com
       backends:
       - serviceName: httpbin
         servicePort: 80
   ```
   
   All resources seem to be fine, nevertheless I see the above error message in the log of the apisix-gateway. When changing the ApisixTls resource, I don't see any new messages in the ingress-controller logs.
   
   Any ideas?
   
   Thanks in advance!
   Cris
   
   ### Environment
   
   - APISIX version (run `apisix version`): APISIX/3.13.0, ingress-controller 2.0.0
   - Operating system (run `uname -a`): kubernetes on K3S
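
An added triage helper, not part of the issue and not APISIX code: it parses the gateway error quoted above and checks each rejected SNI against the `hosts` declared in ApisixTls objects, so a name that is declared but still rejected can be told apart from one that no manifest lists. The function names, the sample log lines other than the one from the issue, and the one-label wildcard rule are assumptions.

```python
import re
from collections import Counter

# Field layout taken from the error line quoted in the issue.
SNI_MISS = re.compile(
    r"failed to match any SSL certificate by SNI: (?P<sni>[^,\s]+),"
    r".*?client: (?P<client>[^,\s]+), server: (?P<server>\S+)"
)

# First entry is the line from the issue; the rest are constructed sample data.
SAMPLE_LOG = [
    "2025/07/26 09:12:01 [error] 53#53: *40954959 [lua] init.lua:206: ssl_client_hello_phase(): failed to match any SSL certificate by SNI: app.domain.com, context: ssl_client_hello_by_lua*, client: 10.42.0.1, server: 0.0.0.0:9443",
    "2025/07/26 09:12:07 [error] 53#53: *40954971 [lua] init.lua:206: ssl_client_hello_phase(): failed to match any SSL certificate by SNI: app.domain.com, context: ssl_client_hello_by_lua*, client: 10.42.0.1, server: 0.0.0.0:9443",
    "2025/07/26 09:13:40 [error] 53#53: *40955102 [lua] init.lua:206: ssl_client_hello_phase(): failed to match any SSL certificate by SNI: api.example.org, context: ssl_client_hello_by_lua*, client: 10.42.0.1, server: 0.0.0.0:9443",
    "2025/07/26 09:14:02 [error] 53#53: *40955230 [lua] init.lua:206: ssl_client_hello_phase(): failed to match any SSL certificate by SNI: a.b.example.org, context: ssl_client_hello_by_lua*, client: 10.42.0.1, server: 0.0.0.0:9443",
    "2025/07/26 09:14:05 [info] 53#53: *40955231 client closed connection",
]

def parse_sni_misses(log_lines):
    """Return (sni, client, server) for every SNI-miss line; other lines are skipped."""
    misses = []
    for line in log_lines:
        m = SNI_MISS.search(line)
        if m:
            misses.append((m["sni"].lower(), m["client"], m["server"]))
    return misses

def host_covers(pattern, sni):
    """Exact match, or '*.example.org' covering one extra leftmost label.
    The one-label rule follows certificate convention and is an assumption,
    not a statement about the gateway's own router."""
    pattern, sni = pattern.lower(), sni.lower()
    if pattern.startswith("*."):
        head, _, tail = sni.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == sni

def triage(log_lines, declared_hosts):
    """Count rejected SNIs, split by whether any declared host covers them."""
    counts = Counter(sni for sni, _, _ in parse_sni_misses(log_lines))
    covered, uncovered = {}, {}
    for sni, n in counts.items():
        bucket = covered if any(host_covers(h, sni) for h in declared_hosts) else uncovered
        bucket[sni] = n
    return covered, uncovered

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ["app.domain.com", "*.example.org"]))
```

A name in the first dictionary is listed in a manifest yet still rejected by the gateway, which points at the certificate never reaching the gateway rather than at the `hosts` list; a name in the second is not declared anywhere.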
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
