Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com> Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com> Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
<a name="cce_faq_00455"></a><a name="cce_faq_00455"></a>
<h1 class="topictitle1">What Could Cause Access Exceptions After Configuring an HTTPS Certificate for a LoadBalancer Ingress?</h1>
<div id="body0000002011455085"><p id="cce_faq_00455__p184469445314">After you configure an HTTPS certificate for a LoadBalancer ingress, access may become abnormal for any of the causes listed in the following table. Match the symptom you see to its cause, then apply the corresponding solution.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_faq_00455__table230510269532" frame="border" border="1" rules="all"><thead align="left"><tr id="cce_faq_00455__row7305112615310"><th align="left" class="cellrowborder" valign="top" width="30.283028302830285%" id="mcps1.3.2.1.4.1.1"><p id="cce_faq_00455__p43051526105316">Cause</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="36.38363836383638%" id="mcps1.3.2.1.4.1.2"><p id="cce_faq_00455__p499232073913">Symptom</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.2.1.4.1.3"><p id="cce_faq_00455__p9982123317515">Solution</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_faq_00455__row23051626145317"><td class="cellrowborder" valign="top" width="30.283028302830285%" headers="mcps1.3.2.1.4.1.1 "><p id="cce_faq_00455__p14241106185816">The certificate has expired.</p>
</td>
<td class="cellrowborder" valign="top" width="36.38363836383638%" headers="mcps1.3.2.1.4.1.2 "><p id="cce_faq_00455__p172577178214">An error similar to the following is displayed when the <strong id="cce_faq_00455__b474810486147">curl</strong> command is executed:</p>
<pre class="screen" id="cce_faq_00455__screen4887032112418">SSL certificate problem: certificate has expired</pre>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.1.3 "><p id="cce_faq_00455__p1998315542410">Replace the certificate in a timely manner.</p>
</td>
</tr>
<tr id="cce_faq_00455__row195105371615"><td class="cellrowborder" valign="top" width="30.283028302830285%" headers="mcps1.3.2.1.4.1.1 "><p id="cce_faq_00455__p8492133583112">The HTTPS certificate chain that the client uses for verification does not match the HTTPS certificate configured for the LoadBalancer ingress.</p>
</td>
<td class="cellrowborder" valign="top" width="36.38363836383638%" headers="mcps1.3.2.1.4.1.2 "><p id="cce_faq_00455__p25368271135">An error similar to the following is displayed when the <strong id="cce_faq_00455__b13669835111511">curl</strong> command is executed:</p>
<pre class="screen" id="cce_faq_00455__screen1183319331235">SSL certificate problem: unable to get local issuer certificate</pre>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.1.3 "><p id="cce_faq_00455__p147612222030">Ensure that the HTTPS certificate chain on the client matches the certificate configured for the LoadBalancer ingress.</p>
</td>
</tr>
<tr id="cce_faq_00455__row20790173614316"><td class="cellrowborder" valign="top" width="30.283028302830285%" headers="mcps1.3.2.1.4.1.1 "><p id="cce_faq_00455__p7390171825810">No domain name was specified when the certificate was created.</p>
</td>
<td class="cellrowborder" valign="top" width="36.38363836383638%" headers="mcps1.3.2.1.4.1.2 "><p id="cce_faq_00455__p1778516388315">An error similar to the following is displayed when the <strong id="cce_faq_00455__b10670938131518">curl</strong> command is executed:</p>
<pre class="screen" id="cce_faq_00455__screen101672431339">SSL: unable to obtain common name from peer certificate</pre>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.1.3 "><p id="cce_faq_00455__p1747352210314">Specify a domain name when creating a certificate.</p>
</td>
</tr>
<tr id="cce_faq_00455__row1159117429313"><td class="cellrowborder" valign="top" width="30.283028302830285%" headers="mcps1.3.2.1.4.1.1 "><p id="cce_faq_00455__p738551815583">The domain name to be accessed is different from the domain name of the HTTPS certificate.</p>
</td>
<td class="cellrowborder" valign="top" width="36.38363836383638%" headers="mcps1.3.2.1.4.1.2 "><p id="cce_faq_00455__p171310451433">An error similar to the following is displayed when the <strong id="cce_faq_00455__b7305124111511">curl</strong> command is executed:</p>
<pre class="screen" id="cce_faq_00455__screen4186155118310">SSL: certificate subject name 'example.com' does not match target host name 'test.com'</pre>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.1.4.1.3 "><p id="cce_faq_00455__p1047222215318">Configure a certificate that matches the domain name for the ingress.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="cce_faq_00455__note1236313541364"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_faq_00455__p1034220212212">You can run the following command to check certificate information, such as the expiration time and domain name. <strong id="cce_faq_00455__b19585154021711">ca.crt</strong> specifies the certificate path.</p>
<pre class="screen" id="cce_faq_00455__screen82252227418">openssl x509 -in <i><span class="varname" id="cce_faq_00455__varname5688183913718">ca.crt</span></i> -subject -noout -text</pre>
</div></div>
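<p>The causes in the table can be checked before a certificate is deployed, instead of waiting for <strong>curl</strong> to fail. The following script is an added example, not part of the original CCE documentation; the function names, file names and demo certificates are assumptions constructed for illustration, and it expects OpenSSL 1.1.1 or later.</p>

```shell
#!/bin/sh
# Added example: one check per cause in the table. Function names, file names
# and the demo certificates are assumptions constructed for this illustration.

# Cause 1 (expired): succeed only if CERT is still valid DAYS days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Cause 2 (unmatched chain): succeed only if CERT verifies against CA_BUNDLE,
# the bundle the client would pass to curl with --cacert.
cert_chains_to() {  # usage: cert_chains_to CERT CA_BUNDLE
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Causes 3 and 4 (missing or different domain name): succeed only if CERT
# is valid for HOST according to OpenSSL's host name matching.
cert_matches_host() {  # usage: cert_matches_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Build constructed sample data in DIR: a demo CA, a 7-day server certificate
# for example.com signed by it, and an unrelated CA that did not sign it.
make_demo_certs() {  # usage: make_demo_certs DIR
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
          -days 365 -subj "/CN=Demo CA" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key \
          -out other.crt -days 365 -subj "/CN=Other CA" &&
      openssl req -newkey rsa:2048 -nodes -keyout tls.key -out tls.csr \
          -subj "/CN=example.com" &&
      openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out tls.crt -days 7 ) >/dev/null 2>&1
}

# Print one PASS/FAIL line per check for a certificate about to be deployed.
preflight() {  # usage: preflight CERT CA_BUNDLE HOST MIN_DAYS
    cert_valid_for_days "$1" "$4" && echo "PASS expiry" || echo "FAIL expiry"
    cert_chains_to "$1" "$2" && echo "PASS chain" || echo "FAIL chain"
    cert_matches_host "$1" "$3" && echo "PASS host" || echo "FAIL host"
}
```

<p>For example, after <code>make_demo_certs .</code>, running <code>preflight tls.crt ca.crt example.com 30</code> reports a failed expiry check because the demo certificate is valid for only 7 days, while the chain and host checks pass.</p>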
<div class="section" id="cce_faq_00455__section1833503715469"><h4 class="sectiontitle">Updating a Certificate</h4><ul id="cce_faq_00455__ul317314383477"><li id="cce_faq_00455__li11173638194714">To update a TLS certificate, modify the secret on CCE into which the certificate was imported. The TLS certificate is imported to a secret first. CCE then automatically handles the certificate configurations on the ELB console and gives the certificate a name starting with <strong id="cce_faq_00455__b21152062184">k8s_plb_default</strong>. This certificate, which is generated by CCE, <strong id="cce_faq_00455__b2011596181816">cannot be modified or deleted from the ELB console</strong>.</li><li id="cce_faq_00455__li6173123814710">To update a certificate created on the ELB console, modify the certificate on the ELB console. There is no need to manually set up the cluster secret.</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_faq_00205.html">Network Exception Troubleshooting</a></div>
</div>
</div>