{ "id": "kubernetes/ingress-ssl-certificate-mismatch", "signature": "Error: tls: first record does not look like a TLS handshake", "signature_zh": "错误:tls:第一个记录看起来不像 TLS 握手", "regex": "tls: first record does not look like a TLS handshake", "domain": "kubernetes", "category": "network_error", "subcategory": null, "root_cause": "Ingress TLS configuration points to a secret that contains non-TLS data (e.g., plain text or wrong format) or the certificate is invalid.", "root_cause_type": "generic", "root_cause_zh": "Ingress TLS 配置指向包含非 TLS 数据(例如纯文本或错误格式)的 secret,或证书无效。", "versions": [ { "version": "nginx-ingress-controller v1.10", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx-ingress-controller v1.11", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Kubernetes v1.28", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "Restart nginx-ingress-controller pod", "why_fails": "Restarting does not fix incorrect secret data; the same invalid cert will be loaded again.", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "Change TLS port from 443 to 8443 in Ingress spec", "why_fails": "Port change does not fix the underlying certificate format issue.", "fail_rate": 0.95, "condition": "", "sources": [] }, { "action": "Delete and recreate the Ingress resource", "why_fails": "Recreating Ingress uses same secret reference; problem persists.", "fail_rate": 0.85, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Verify secret content: `kubectl get secret -o jsonpath='{.data.tls\\.crt}' | base64 -d | openssl x509 -text -noout`. Ensure it contains a valid PEM certificate.", "success_rate": 0.85, "how": "Verify secret content: `kubectl get secret -o jsonpath='{.data.tls\\.crt}' | base64 -d | openssl x509 -text -noout`. Ensure it contains a valid PEM certificate.", "condition": "", "sources": [] }, { "action": "Recreate secret with correct certificate and key: `kubectl create secret tls --cert=path/to/cert.pem --key=path/to/key.pem` then update Ingress to reference it.", "success_rate": 0.9, "how": "Recreate secret with correct certificate and key: `kubectl create secret tls --cert=path/to/cert.pem --key=path/to/key.pem` then update Ingress to reference it.", "condition": "", "sources": [] }, { "action": "Check Ingress controller logs: `kubectl logs -n ingress-nginx | grep 'tls'` to see detailed error, then fix cert chain or secret name.", "success_rate": 0.8, "how": "Check Ingress controller logs: `kubectl logs -n ingress-nginx | grep 'tls'` to see detailed error, then fix cert chain or secret name.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Verify secret content: `kubectl get secret -o jsonpath='{.data.tls\\.crt}' | base64 -d | openssl x509 -text -noout`. Ensure it contains a valid PEM certificate.", "Recreate secret with correct certificate and key: `kubectl create secret tls --cert=path/to/cert.pem --key=path/to/key.pem` then update Ingress to reference it.", "Check Ingress controller logs: `kubectl logs -n ingress-nginx | grep 'tls'` to see detailed error, then fix cert chain or secret name." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://kubernetes.io/docs/concepts/services-networking/ingress/#tls", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.83, "fix_success_rate": 0.78, "resolvable": "true", "first_seen": "2024-02-14", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }