I ran this command:
I’m using the certificate generated above for both Server & Client validation. Just to give a scenario, I have applied the same generated cert at the “Kubernetes Ingress” level & at the Pod (Nginx process running) level.
It produced this output:
Since the generated cert's "Extended Key Usage" field specifies both Server & Client validation, I was expecting that the above workflow from Kubernetes Ingress to Pod should work seamlessly.
The operating system my web server runs on is (include version):
Using Kubernetes to run the Nginx web server, to which the request should come from the Kubernetes Ingress controller.
Error:
I’m getting an SSL error while accessing the Kubernetes ingress controller.
400 The SSL certificate error
400 Bad Request
The SSL certificate error
nginx/1.15.7
Please suggest what is wrong in my approach. Can’t I use the same LE certificate for both server & client validation? If not, then what is the purpose of the Extended Key Usage field, which specifies both Client & Server cert?
@JuergenAuer Thanks, there was some other issue. It's working now.
But I just want to confirm: is this assumption correct, that LE-issued certificates can be used for Server as well as Client authentication, since the "Extended Key Usage" field specifies both Server and Client validation?
Yes, they can be used for client authentication. However, its practical use isn't that big IMHO. A private CA for client authentication has more potential.
If LE is used, you might want to consider some sort of user-subdomain with a per-user sub-subdomain or something like that. It's not very wise to use just a single certificate for all users, because that would require sharing the private key and makes revoking the certificate a living hell.
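To see the Extended Key Usage point from the answer above in practice, here is an added example (not code from the thread) that uses Go's `crypto/x509` as the verifier: a leaf carrying both serverAuth and clientAuth is accepted for either purpose, while a serverAuth-only leaf is rejected as a client certificate. The test root, the name `app.example.test` and the helpers `issue` and `acceptedFor` are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue signs a certificate for name with the given EKUs; a nil ca yields a self-signed test root.
func issue(name string, ca *x509.Certificate, caKey ed25519.PrivateKey, ekus ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
	}
	if ca == nil { // no issuer given: make this certificate its own (constructed) root
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// acceptedFor reports whether leaf chains to root and its EKU permits the requested purpose.
func acceptedFor(leaf, root *x509.Certificate, purpose x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}

func main() {
	root, rootKey := issue("constructed-test-root", nil, nil)
	both, _ := issue("app.example.test", root, rootKey, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	serverOnly, _ := issue("app.example.test", root, rootKey, x509.ExtKeyUsageServerAuth)
	fmt.Println(acceptedFor(both, root, x509.ExtKeyUsageClientAuth), acceptedFor(serverOnly, root, x509.ExtKeyUsageClientAuth))
}
```

The EKU check only decides whether a certificate may be used for a purpose; the verifying side must still trust the issuing CA and decide which subjects it authorizes.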