Problem with selection in protocol HTTP2

systemlogic · December 31, 2018, 7:36am

My domain is: gcdo.in

I ran this command: curl -v https://gcdo.in

It produced this output: ALPN, server accepted to use http/1.1
required ALPN, server accepted to use h2

My web server is (include version): k8s ingress

The operating system my web server runs on is (include version): Don’t know

My hosting provider, if applicable, is: IBM blue cloud

I can login to a root shell on my machine (yes or no, or I don’t know): No shell on k8s

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

My stringint requirement is to use HTTP2 for gRPC.

I want my ingress server to choose ALPN, server accepted to use h2

Is there something I have to do differently in order to create the let’s encypt certificate ?

_az · December 31, 2018, 7:43am

Presumably you just need to adjust your listen line in nginx to support h2:

listen 443 ssl http2;

That will enable clients to negotiate h2 ALPN.

You’re also not sending a full certificate chain, you need to send the intermediate as well.

systemlogic · December 31, 2018, 7:48am

my ingress is as follows

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.bluemix.net/redirect-to-https: “True”
namespace: default
spec:
rules:

host: gcdo.in
http:
paths:
- backend:
  serviceName: helloworld
  servicePort: 443
  tls:
hosts:
- gcdo.in
  secretName: gcdo

where do I have to specify settings for h2? How to send intermediate certificate as well ?

I am a normal user don’t have admin access.

_az · December 31, 2018, 8:00am

Ah. You might have better luck asking in the k8s Slack channel or Stack Overflow, I’m not sure if there are many Kubernetes experts here.

How to send the intermediate will depend how the cluster is setup - are you using cert-manager or some other way to setup the Let’s Encrypt certificate, etc.

systemlogic · December 31, 2018, 8:03am

I have received three files while creating certificate. I have used private key and certificate and created a secret in k8s. I have using that secret name in ingress under secretName to velidate the certificate.

_az · December 31, 2018, 8:05am

If you are manually managing the secret, then you need to concatenate the intermediate (https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) to the end of the certificate file.

However, this won’t solve your HTTP/2 problem, I have no idea how nginx-ingress works.

system · January 30, 2019, 8:20am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.