Letsencrypt Openssl verification failed kubectl

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.mevofit.com

I ran this command: certbot certonly --manual -d *.mevofit.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

I have generated the SSL certificate with this command and uploaded it to the nginx ingress controller with the following command:

# kubectl create secret tls mevofit-wildcard-ssl-certs --namespace mevofit --key privkey.pem --cert cert.pem

I used privkey.pem and cert.pem to generate the Kubernetes secret.

I am getting openssl verification failed in the backend application.

Hi @karamjitsingh, and welcome to the LE community forum 🙂

I know little about kubernetes...
But I would try using the fullchain.pem file instead of the cert.pem file.
If that fails, check if the cert type is as expected [RSA vs ECDSA].
If that fails... we should wait for more experienced helpers.

4 Likes

I also don't know anything about kubernetes (and I want to keep it that way), but your site mevofit.com is serving an Amazon certificate chained up to the "Starfield Technologies, Inc." root certificate.

5 Likes

@rg305 I am able to fix the issue by using fullchain.pem instead of cert.pem.

Thanks

4 Likes
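
Added example, not part of the thread: a pre-flight check to run before `kubectl create secret tls`, which flags the leaf-only `cert.pem` that caused the verification failure above and accepts `fullchain.pem`. It only counts PEM blocks and does not validate signatures; the function names and the placeholder sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for the files given to
#   kubectl create secret tls NAME --cert CERT --key KEY

# Print how many lines of file $2 match extended regex $1 (0 when none).
count_blocks() { grep -Ec -e "$1" "$2" || true; }

# Returns 0 when CERT holds the leaf plus at least one intermediate,
# 1 when it holds only the leaf (certbot's cert.pem), 2 on unusable input.
check_tls_secret_files() {
    cert_file=$1; key_file=$2
    key_re='^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'
    if [ ! -r "$cert_file" ] || [ ! -r "$key_file" ]; then
        echo "error: cannot read $cert_file or $key_file" >&2; return 2
    fi
    if [ "$(count_blocks "$key_re" "$cert_file")" -gt 0 ]; then
        echo "error: $cert_file contains a private key, keep it out of --cert" >&2
        return 2
    fi
    if [ "$(count_blocks "$key_re" "$key_file")" -ne 1 ]; then
        echo "error: $key_file must hold exactly one private key" >&2; return 2
    fi
    certs=$(count_blocks '^-----BEGIN CERTIFICATE-----' "$cert_file")
    case $certs in
        0) echo "error: no certificate in $cert_file" >&2; return 2 ;;
        1) echo "warning: $cert_file is leaf-only; clients without the" \
                "intermediate cannot build the chain (use fullchain.pem)" >&2
           return 1 ;;
    esac
    echo "ok: $cert_file holds $certs certificates (leaf + chain)"
}

# Write one PEM-style block of type $1 with a placeholder body.
pem_block() { printf '%s\n' "-----BEGIN $1-----" "PLACEHOLDER" "-----END $1-----"; }

# Constructed sample files named after certbot's outputs. The bodies are
# placeholders, not real certificates or keys.
make_samples() {
    pem_block CERTIFICATE > "$1/cert.pem"
    { pem_block CERTIFICATE; pem_block CERTIFICATE; } > "$1/fullchain.pem"
    pem_block 'PRIVATE KEY' > "$1/privkey.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_tls_secret_files "$demo_dir/cert.pem" "$demo_dir/privkey.pem" || echo "exit code $?"
check_tls_secret_files "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem"
rm -rf "$demo_dir"
```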

Interesting. Didn't know that Amazon had a cross-sign (or two) from GoDaddy. 🤔

3 Likes

No, we set this up for testing purposes. We are shifting the application to Kubernetes; the current live mevofit.com is still pointing to the AWS LB.

That comment was about Amazon's "root" certificate, not your certificate. 🙂

4 Likes