Need help with migration from RKE2 Ingress controller to F5 NGINX ingress controller SSL Pass through

Please use this template for troubleshooting questions.

My issue:

After migrating from the rke2 ingress controller to the F5 NGINX ingress controller, I am getting a DEPTH_ZERO_SELF_SIGNED_CERT error. We used to use SSL passthrough in the old Ingress, but since it's no longer supported in the NGINX ingress controller we are using TLS passthrough. It works fine if I switch back to the old Ingress.

apiVersion: k8s.nginx.org/v1
kind: TransportServer
metadata:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: app-manager-env-test-0
  namespace: test-localstack-env
status:
  reason: AddedOrUpdated
  state: Valid
spec:
  action:
    pass: test-manager-env-bcdr
  host: app.<redacted>
  ingressClassName: f5-nginx
  listener:
    name: tls-passthrough
    protocol: TLS_PASSTHROUGH
  upstreams:
    - name: <redacted>
      port: 3000
      service: <redacted>

I thought tls_passthrough works the same as ssl_passthrough, but it looks like it's not working the same way. I have provided a sample tls_passthrough config above.

How I encountered the problem:

One application is throwing this error and the other one is throwing the second error.

node:internal/modules/run_main:104
triggerUncaughtException(
^

Error: self-signed certificate; if the root CA is installed locally, try running Node.js with --use-system-ca
at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)
at TLSSocket.emit (node:events:507:28)
at TLSSocket._finishInit (node:_tls_wrap:1078:8)
at ssl.onhandshakedone (node:_tls_wrap:864:12) {
code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}

Node.js v23.11.1

**Error 2:**
Caused by: java.lang.RuntimeException: Unable to retrieve OpenId Connect Provider metadata from: https://keycloak./realms//.well-known/openid-configuration

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'oidcProvider' defined in class path resource [nifi-web-security-context.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider]: Constructor threw exception; nested exception is java.lang.RuntimeException: Unable to retrieve OpenId Connect Provider metadata from: https://keycloak./realms//.well-known/openid-configuration

Solutions I’ve tried:

I tried to sign the NGINX certificate with the same CA that these apps are using.

Version of NIC and/or NGINX:

nginx-ingress:5.4.1-alpine

Deployment environment:

TEST

Hi @karthikm, thanks for posting this topic.
Did the old setup terminate TLS at the ingress? Also, does the client trust the cert on the new cluster?

@karthikm tls-passthrough is an opt-in behaviour; make sure you've enabled the flag enableTlsPassthrough, see NGINX Ingress Controller Helm chart parameters | NGINX Documentation

Can you please paste the describe output of your TransportServer and NIC deployment?

Hi Sean, thank you for your reply. In the old setup TLS terminates at the pod itself. Ingress used to just pass the traffic to the backend, and all our Ingress URLs were http with a 443 backend. The certificates used for the ingress controller and all application pods are signed by a trusted CA using a cfssl server deployed in the same cluster. We mounted those certs to all pods, including ingress, in the /etc/ssl/certs folder.

I am getting cert errors with the certificates for keycloak modules when the app is trying to establish a connection to keycloak using openid.

/opt/ui/node_modules/openid-client/lib/helpers/request.js:140
  throw new RPError(`outgoing request timed out after ${opts.timeout}ms`);
        ^

RPError: outgoing request timed out after 3500ms
at /opt/ui/node_modules/openid-client/lib/helpers/request.js:140:13
at async Issuer.discover (/opt/ui/node_modules/openid-client/lib/issuer.js:144:22)
at async file:///opt/ui/server.js:60:16

Node.js v23.11.1

Another app error:

	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
	at org.eclipse.jetty.server.Server.start(Server.java:418)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
	at org.eclipse.jetty.server.Server.doStart(Server.java:382)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:952)
	at org.apache.nifi.NiFi.<init>(NiFi.java:158)
	at org.apache.nifi.NiFi.<init>(NiFi.java:72)
	at org.apache.nifi.NiFi.main(NiFi.java:301)
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider]: Constructor threw exception; nested exception is java.lang.RuntimeException: Unable to retrieve OpenId Connect Provider metadata from: https://keycloak.<redacted>/realms/admin/.well-known/openid-configuration
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:154)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:122)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:271)
	... 51 common frames omitted
Caused by: java.lang.RuntimeException: Unable to retrieve OpenId Connect Provider metadata from: https://keycloak.<redacted>/realms/admin/.well-known/openid-configuration
	at org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.<init>(StandardOidcIdentityProvider.java:140)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

qq

    extraArgs:
      ingress-class: f5-nginx
      watch-ingress-without-class: "false"
      enable-ssl-passthrough: "true"
    ingressClassResource:
      name: f5-nginx
      enabled: true
      default: false

This doesn't belong to f5 NIC; can you please double check?

Unfortunately I can't help much with just the keycloak connection issues. Are these logs from NIC pods? Maybe you could give us the nginx configuration with redacted values.

Also, the service is ClusterIP; is it fronted by some load balancer?

Hi @ve.patel

I will check the config. We don't use load balancers; all connections come from within our network or through VPN.