OK, so I have a simple deployment in AWS EKS that uses an ALB, and I'm having issues with TLS. My setup is as follows:
- I have a CNAME entry in Cloudflare pointing to the ALB.
- Cloudflare TLS settings are "Full (strict)".
- I created a certificate (stuff.stf and *.stuff.stf) in Cloudflare, and imported it into Amazon (steps below).
If the CNAME is not proxied (in Cloudflare), I get an "ERR_CERT_AUTHORITY_INVALID" error, but if it's proxied, it works fine.
How could I fix this, or what am I missing?
These are the YAMLs I used:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-stuff
  namespace: api
  labels:
    app: stuff
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stuff
  template:
    metadata:
      labels:
        app: stuff
    spec:
      containers:
        - name: stuff
          image: stuff.azurecr.io/stuff-master:12
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: stuff
  namespace: api
  labels:
    app: stuff
spec:
  type: NodePort
  selector:
    app: stuff
  ports:
    - name: http
      port: 8080
      targetPort: 8080
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: stuff
  namespace: api
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTP": 8080}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:xxxxxxxxxxxxxxxxxxxx"
spec:
  ingressClassName: alb
  rules:
    - host: stuff.domain.stf
      http:
        paths:
          - path: /stuff
            pathType: Prefix
            backend:
              service:
                name: stuff
                port:
                  number: 8080
```
These are the certificate import steps:
- First I created the certificate in Cloudflare for my domain.
- Then I downloaded the root certificate from Cloudflare.
- I went to the AWS console to import the certificate:
  - I set the created certificate & private key from step 1.
  - I set the chain certificate from Cloudflare.
- Once created, that is the ARN I'm using for the ALB annotation.
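As an added example (not part of the question above, and not code from the asker's setup), the following shell script reproduces the ERR_CERT_AUTHORITY_INVALID symptom offline so the failure mode can be seen in isolation. A Cloudflare Origin CA certificate chains to a root that Cloudflare's edge trusts but browsers do not, so a cert issued from it is accepted through the proxy and rejected when the client talks to the ALB directly. The script stands up a private CA in that role (the CA name, temp paths and helper names are assumptions), issues a leaf for the post's placeholder host stuff.domain.stf, and runs `openssl verify` twice: against the system trust store, which is what a browser does when the CNAME is not proxied, and against the private CA, which is what an edge that trusts that CA does.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces a browser's
# ERR_CERT_AUTHORITY_INVALID offline: a private CA (assumed name) plays the
# role of an origin CA that is absent from the system trust store.
set -e

WORK=$(mktemp -d)
HOST=stuff.domain.stf   # placeholder host from the question's Ingress rule

# 1. Private CA root. Stands in for the Cloudflare Origin CA root that the
#    asker uploaded as the "chain certificate" in ACM.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Assumed Origin CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. Leaf certificate for the ALB hostname, signed by that private CA.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=$HOST" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# issuer_of <cert>: prints the issuer DN, the first thing to look at when a
# client rejects a chain.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# verify_chain <cert> [<trusted-ca.pem>]: prints "trusted" or "untrusted".
# With no CA argument openssl uses the system trust store, as a browser would;
# with one, it trusts only that CA, as Cloudflare's edge does for its Origin CA.
verify_chain() {
  cert=$1
  ca=$2
  if [ -n "$ca" ]; then
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) || true
  else
    out=$(openssl verify "$cert" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo trusted ;;
    *)        echo untrusted ;;
  esac
}

# Stand-alone run: shows the issuer and both verification outcomes.
issuer_of "$WORK/leaf.pem"
echo "system trust store (browser, unproxied CNAME): $(verify_chain "$WORK/leaf.pem")"
echo "private CA only (edge that trusts the origin CA): $(verify_chain "$WORK/leaf.pem" "$WORK/ca.pem")"

# Against the real ALB the equivalent check is (not run here, needs network):
#   openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null \
#     | openssl x509 -noout -issuer
# If the issuer is a Cloudflare Origin CA, only Cloudflare's proxy will accept it.
```

The same check is worth running against the ALB's own DNS name as well as the CNAME, since with the proxy off those are the same chain. Separately, the listen-ports annotation in the question also exposes plain HTTP on 80 and 8080; once the certificate is one browsers trust, the AWS Load Balancer Controller's `alb.ingress.kubernetes.io/ssl-redirect: '443'` annotation turns those listeners into redirects to HTTPS.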