Problem with selection in protocol HTTP2


#1

My domain is: gcdo.in

I ran this command: curl -v https://gcdo.in

It produced this output: ALPN, server accepted to use http/1.1
required ALPN, server accepted to use h2

My web server is (include version): k8s ingress

The operating system my web server runs on is (include version): Don’t know

My hosting provider, if applicable, is: IBM blue cloud

I can login to a root shell on my machine (yes or no, or I don’t know): No shell on k8s

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

My stringent requirement is to use HTTP2 for gRPC.

I want my ingress server to choose ALPN, server accepted to use h2

Is there something I have to do differently in order to create the Let’s Encrypt certificate?


#2

Presumably you just need to adjust your listen line in nginx to support h2:

listen 443 ssl http2;

That will enable clients to negotiate h2 ALPN.

You’re also not sending a full certificate chain, you need to send the intermediate as well.


#3

My ingress is as follows:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.bluemix.net/redirect-to-https: "True"
  namespace: default
spec:
  rules:
  - host: gcdo.in
    http:
      paths:
      - backend:
          serviceName: helloworld
          servicePort: 443
  tls:
  - hosts:
    - gcdo.in
    secretName: gcdo
```

Where do I have to specify settings for h2? How do I send the intermediate certificate as well?

I am a normal user and don’t have admin access.


#4

Ah. You might have better luck asking in the k8s Slack channel or Stack Overflow, I’m not sure if there are many Kubernetes experts here.

How to send the intermediate will depend on how the cluster is set up - are you using cert-manager or some other way to set up the Let’s Encrypt certificate, etc.


#5

I have received three files while creating the certificate. I have used the private key and certificate and created a secret in k8s. I am using that secret name in the ingress under secretName to validate the certificate.


#6

If you are manually managing the secret, then you need to concatenate the intermediate (https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) to the end of the certificate file.

However, this won’t solve your HTTP/2 problem, I have no idea how nginx-ingress works.
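
The concatenation described in post #6, as an added example that is not part of the original thread: it writes the leaf first and the intermediate after it, guards against the case where a missing final newline makes plain `cat` fuse the END and BEGIN lines, and checks the order by comparing names. The file names `cert.pem`, `intermediate.pem`, `fullchain.pem` and `privkey.pem` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). File names are assumptions.

# Print a PEM file without CRs and with a guaranteed final newline, so the
# next file's BEGIN line cannot fuse onto this file's END line.
normalize_pem() {
    tr -d '\r' < "$1" | awk '{ print }'
}

# Number of certificates in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_fullchain LEAF INTERMEDIATE OUT: leaf first, intermediate after it.
build_fullchain() {
    [ "$(count_certs "$1")" -eq 1 ] || { echo "leaf: expected exactly 1 certificate" >&2; return 1; }
    [ "$(count_certs "$2")" -eq 1 ] || { echo "intermediate: expected exactly 1 certificate" >&2; return 1; }
    { normalize_pem "$1"; normalize_pem "$2"; } > "$3"
    # Every delimiter line must stand alone; a fused END/BEGIN line is rejected.
    if grep -- '-----' "$3" | grep -qvE '^-----(BEGIN|END) CERTIFICATE-----$'; then
        echo "malformed PEM delimiter in $3" >&2; return 1
    fi
}

# chain_order_ok BUNDLE: cert 1's issuer must equal cert 2's subject.
# Needs openssl. This is a name comparison, not a signature check.
chain_order_ok() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    iss=$(openssl x509 -in "$tmp/1.pem" -noout -issuer  | sed 's/^issuer= *//')
    sub=$(openssl x509 -in "$tmp/2.pem" -noout -subject | sed 's/^subject= *//')
    rm -rf "$tmp"
    [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# Typical use (secret name "gcdo" is the one from the Ingress in post #3):
#   build_fullchain cert.pem intermediate.pem fullchain.pem &&
#   chain_order_ok fullchain.pem &&
#   kubectl create secret tls gcdo --cert=fullchain.pem --key=privkey.pem
```

Passing a file that already holds two certificates as the leaf is rejected, which catches the case where the issued file is already a full chain.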