custom certificate isn't working

[taraszka]

I followed the example with my own TLS certificate and got the following errors:

no certificate matching TLS ClientHello

The cert works as the same PEM used with a standalone Caddy (not an ingress), which works fine. I bet it comes from the Go library, as I couldn't find this error message in an ingress source code.

My values.yaml:

replicaCount: 1
ingressController:
  config:
    email: "hello@example.com"
    onDemandTLS: true
    onDemandAsk: 'http://answer-caddy-service.answer-caddy.svc:8080/ask'
loadBalancer:
  enabled: true
  annotations:
    "io.cilium/lb-ipam-ips": "10.10.10.1"
    "lbipam.cilium.io/sharing-key": "10101011"
    "lbipam.cilium.io/sharing-cross-namespace": '*'

The ingress service yaml that did not work:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example.com
  namespace: example
spec:
  ingressClassName: caddy
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: traefik
            port:
              number: 80
  tls:
    - secretName: mycerts
      hosts:
      - example.com

The secret mycerts exists in the example namespace and was created in the following way:

kubectl create secret tls mycerts --key ./tls.key --cert ./tls.crt

[taraszka]

Ah, okay. It comes from certmagic/handshake.go, part of debug log (params):

{"level":"debug","ts":1735399322.6772225,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"31.0.26.31","remote_port":"2841","server_name":"example.com","remote":"31.0.26.31:2841","identifier":"example.com","cipher_suites":[4867,4866,4865,52393,52392,52394,49200,49196,49192,49188,49172,49162,159,107,57,65413,196,136,129,157,61,53,192,132,49199,49195,49191,49187,49171,49161,158,103,51,190,69,156,60,47,186,65,49169,49159,5,4,49170,49160,22,10,255],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}