Troubleshooting Contour TLS Ingress

If you are unable to access your application over HTTPS there may be a configuration error in your Ingress or Secret. In that case the contour/envoy pods will not be listening on port 8443. You can publish the Envoy admin interface on port 9001 to check:

pod=$(kubectl -n heptio-contour get pods --no-headers | head -1 | awk '{ print $1 }')
kubectl -n heptio-contour port-forward $pod 9001

Then from another terminal you can run curl http://127.0.0.1:9001/listeners. You should see output like ["0.0.0.0:8002","0.0.0.0:8080","0.0.0.0:8443"] if you have configured TLS correctly for Contour. If 8443 is present, skip ahead to application debugging.

If Envoy is not listening on port 8443, check your Secret and Ingress configuration.

Secret Configuration

  1. Is your secret type kubernetes.io/tls ?
  2. Does your secret contain a field tls.crt?
  3. Does your secret contain a field tls.key?
  4. Is tls.crt a valid certificate?
  5. Is tls.key a valid private key?

You can use this script to automate these 5 checks:

#!/bin/bash
# Fail on any error, including a failure inside a pipeline (e.g. a bad base64 decode).
set -eo pipefail

secret=$1

# Replicated installs each app into its own namespace, replicated-<APP ID>.
appid=$(replicatedctl app inspect --template="{{ .ID }}" | sed 's/\r//')
ns=replicated-$appid

if [ -z "$secret" ]; then
        echo "Please pass in your TLS secret name in namespace $ns"
        exit 1
fi

# Check 1: the secret exists and has type kubernetes.io/tls
secretType=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.type}')

echo "OK: Secret exists"
if [ "$secretType" != "kubernetes.io/tls" ]; then
        echo "Wrong secret type: $secretType"
        exit 1
fi
echo "OK: Secret type is kubernetes.io/tls"

# Checks 2 and 4: tls.crt is present and parses as an X.509 certificate
crt=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}')
if [ -z "$crt" ]; then
        echo "Secret has no tls.crt field"
        exit 1
fi
echo "$crt" | base64 --decode | openssl x509 -noout -text

echo "OK: Certificate is valid"

# Checks 3 and 5: tls.key is present and is a valid RSA private key
# (openssl rsa only understands RSA keys; for an EC key use 'openssl ec -check' instead)
key=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.key}')
if [ -z "$key" ]; then
        echo "Secret has no tls.key field"
        exit 1
fi
echo "$key" | base64 --decode | openssl rsa -check -noout

echo "OK: Private key is valid"
echo "Secret is configured correctly"

Ingress Configuration

  1. Does your ingress have rules or a default backend with a valid host DNS name?
  2. Does your ingress.spec.tls correctly reference your secret by name?
  3. Does your ingress.spec.tls use the same host DNS used in your rules or backend?

Service Configuration

  1. (Upstream TLS only) Does your service have the correct contour.heptio.com/upstream-protocol.tls: "<PORT>" annotation?
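The Ingress and Service checks above can be automated against the JSON that kubectl returns. This is an added example, not part of the original guide or of Contour; it assumes you feed it `kubectl get ingress <name> -o json` on stdin and pass the expected secret name as the first argument, and the embedded sample Ingress is constructed (it deliberately fails check 3).

```python
import json
import sys

ANNOTATION = "contour.heptio.com/upstream-protocol.tls"

def rule_hosts(ingress):
    """Hosts named in spec.rules (an Ingress may instead use a default backend)."""
    return {r.get("host") for r in ingress.get("spec", {}).get("rules", []) if r.get("host")}

def check_ingress(ingress, expected_secret=None):
    """Return a list of problems; an empty list means the three Ingress checks pass."""
    problems = []
    spec = ingress.get("spec", {})
    hosts = rule_hosts(ingress)
    has_default = "defaultBackend" in spec or "backend" in spec  # networking/v1 vs. older API
    if not hosts and not has_default:
        problems.append("no rules with a host and no default backend")
    tls = spec.get("tls", [])
    if not tls:
        problems.append("spec.tls is missing")
    for i, entry in enumerate(tls):
        name = entry.get("secretName")
        if not name:
            problems.append(f"spec.tls[{i}] has no secretName")
        elif expected_secret and name != expected_secret:
            problems.append(f"spec.tls[{i}] references {name!r}, expected {expected_secret!r}")
        for host in entry.get("hosts", []):
            if hosts and host not in hosts:
                problems.append(f"TLS host {host!r} is not used by any rule")
    return problems

def check_service(service):
    """Upstream TLS only: the annotation must name a port the Service actually exposes."""
    value = service.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    if value is None:
        return [f"service has no {ANNOTATION} annotation"]
    ports = service.get("spec", {}).get("ports", [])
    known = {str(p.get("port")) for p in ports} | {p["name"] for p in ports if p.get("name")}
    return [f"annotation names port {v!r}, but service ports are {sorted(known)}"
            for v in (x.strip() for x in value.split(",")) if v not in known]

# Constructed sample: the TLS host does not match the rule host, so check 3 fails.
SAMPLE_INGRESS = {"spec": {
    "rules": [{"host": "somebigbank.internal", "http": {"paths": []}}],
    "tls": [{"hosts": ["www.somebigbank.internal"], "secretName": "bank-tls"}]}}

if __name__ == "__main__":
    obj = SAMPLE_INGRESS if sys.stdin.isatty() else json.load(sys.stdin)
    for p in check_ingress(obj, sys.argv[1] if len(sys.argv) > 1 else None):
        print("PROBLEM:", p)
```

Run it with `kubectl -n $ns get ingress myapp -o json | python3 check_ingress.py my-tls-secret`; for the Service check, load `kubectl get service <name> -o json` and call check_service on it.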

Application Debugging

  1. Use curl to access your upstream server by Pod IP and Pod port from the host where Replicated is running. (Find the ip with kubectl get pods -o wide).
  2. Use curl to access your upstream server by Service cluster IP and port from the host where Replicated is running.
  3. Use curl to access your upstream server via Envoy. Look up the Contour/Envoy pod IP in the heptio-contour namespace, then add an entry to your /etc/hosts file pointing your valid DNS hostname to that pod IP. The port will be ':8443'.
  4. Use curl to access your upstream server by NodePort. Change the entry in /etc/hosts to the private IP of your host. Then access your service on host port 443 with: curl -k https://somebigbank.internal.

If all of the above is working, then there is a firewall or network problem between your browser and the host.