Tags: kubernetes, network_error, ai_generated: true

Error: tls: first record does not look like a TLS handshake

ID: kubernetes/ingress-ssl-certificate-mismatch

Fix rate: 78%
Confidence: 83%
Evidence: 1
First seen: 2024-02-14

Version Compatibility

Version                          Status   Introduced   Deprecated   Notes
nginx-ingress-controller v1.10   active
nginx-ingress-controller v1.11   active
Kubernetes v1.28                 active

Root Cause

The Ingress TLS configuration points to a Secret whose data is not TLS material (e.g., plain text or a wrongly formatted certificate), or the certificate itself is invalid.

Official Documentation

https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Workarounds

  1. (85% success) Verify the secret content: `kubectl get secret <tls-secret> -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout`. Ensure it contains a valid PEM certificate.
  2. (90% success) Recreate the secret with the correct certificate and key: `kubectl create secret tls <secret-name> --cert=path/to/cert.pem --key=path/to/key.pem`, then update the Ingress to reference it.
  3. (80% success) Check the Ingress controller logs: `kubectl logs -n ingress-nginx <controller-pod> | grep 'tls'` to see the detailed error, then fix the certificate chain or the secret name.
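A structural pre-check for the first workaround, added here as an illustration (not part of this record or of any Kubernetes tooling): it parses the JSON that `kubectl get secret <tls-secret> -o json` prints and reports a Secret whose type is wrong or whose `tls.crt`/`tls.key` hold non-PEM data, the condition named under Root Cause. The Secret documents and PEM bodies are constructed samples; validating the certificate itself still needs the `openssl x509` step.

```python
import base64
import json
import re

def make_secret_json(secret_type: str, crt: bytes, key: bytes) -> str:
    """Build the JSON that `kubectl get secret <name> -o json` would print (constructed sample)."""
    return json.dumps({
        "apiVersion": "v1", "kind": "Secret", "type": secret_type,
        "metadata": {"name": "example-tls", "namespace": "default"},
        "data": {"tls.crt": base64.b64encode(crt).decode(),
                 "tls.key": base64.b64encode(key).decode()},
    })

# Constructed PEM bodies: the base64 payload is a placeholder, only the PEM framing is checked here.
GOOD_CRT = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
GOOD_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
# The broken case from Root Cause: plain text stored where the certificate should be.
BAD_SECRET = make_secret_json("Opaque", b"this is not a certificate\n", GOOD_KEY)
GOOD_SECRET = make_secret_json("kubernetes.io/tls", GOOD_CRT, GOOD_KEY)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

def pem_block_types(blob: bytes) -> list[str]:
    """Labels of the PEM blocks in blob, e.g. ['CERTIFICATE']; [] for non-PEM data."""
    return PEM_BLOCK.findall(blob.decode("ascii", errors="replace"))

def check_tls_secret(secret_json: str) -> list[str]:
    """Structural checks on a Secret; an empty list means it looks like a usable TLS secret."""
    secret = json.loads(secret_json)
    findings = []
    if secret.get("type") != "kubernetes.io/tls":
        findings.append(f"type is {secret.get('type')!r}, expected 'kubernetes.io/tls'")
    data = secret.get("data", {})
    for key, expected in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
        if key not in data:
            findings.append(f"missing data key {key}")
            continue
        try:
            raw = base64.b64decode(data[key], validate=True)
        except ValueError:
            findings.append(f"{key} is not valid base64")
            continue
        types = pem_block_types(raw)
        if not types:
            findings.append(f"{key} holds no PEM block (non-TLS data)")
        elif not any(expected in t for t in types):
            findings.append(f"{key} holds {types}, expected a {expected} block")
    return findings

if __name__ == "__main__":
    for name, doc in (("BAD_SECRET", BAD_SECRET), ("GOOD_SECRET", GOOD_SECRET)):
        print(name, check_tls_secret(doc) or "OK")
```

Run it against a live cluster by piping `kubectl get secret <tls-secret> -o json` into `check_tls_secret`; a non-empty result explains why the controller cannot serve TLS from that Secret before touching the Ingress.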

Dead Ends

Common approaches that don't work:

  1. Restart the nginx-ingress-controller pod (90% fail)

    Restarting does not fix incorrect secret data; the same invalid certificate will be loaded again.

  2. Change the TLS port from 443 to 8443 in the Ingress spec (95% fail)

    A port change does not fix the underlying certificate format issue.

  3. Delete and recreate the Ingress resource (85% fail)

    The recreated Ingress uses the same secret reference, so the problem persists.