
TLS cert verification failing when ca.crt only contains root cert and tls.crt contains intermediate and leaf cert #831

Closed
jpiper opened this issue Aug 2, 2021 · 5 comments


jpiper commented Aug 2, 2021

Description of the problem

When my ingress references a TLS secret that has a tls.key, tls.crt and ca.crt, with the ca.crt containing the root cert and the tls.crt containing the intermediate and leaf cert, the ingress controller says

```
syncing a non ca/crt secret httpbin/httpbin-test-rw-tls
using default certificate due to an error reading secret 'httpbin-test-rw-tls' on ingress 'httpbin/httpbin-test-rw': secret 'httpbin/httpbin-test-rw-tls' have neither ca.crt nor tls.crt/tls.key pair
```

When I delete the ca.crt from the TLS secret and then edit the ingress to force a reconciliation, it all loads fine.

Expected behavior

I expect the certs to load.

Environment information

HAProxy Ingress version: v0.12.6

Command-line options:

```yaml
- --default-backend-service=$(POD_NAMESPACE)/ingress-default-backend
- --configmap=$(POD_NAMESPACE)/haproxy-ingress
- --sort-backends
- --reload-strategy=reusesocket
```

Global options:

```yaml
http-port: "10199"
https-port: "10200"
ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ssl-options: force-tlsv12
syslog-endpoint: localhost:514
timeout-client: 60s
timeout-http-request: 60s
```

Ingress objects:

jpiper changed the title from "TLS certs not loading when tls.crt, tlr.key and ca.crt all present" to "TLS certs not loading when tls.crt, tls.key and ca.crt all present" on Aug 2, 2021

jpiper commented Aug 2, 2021

ah, so I noticed you never print the actual error here: https://github.com/jcmoraisjr/haproxy-ingress/blob/master/pkg/common/ingress/controller/backend_ssl.go#L45

I changed this to `glog.V(3).Infof("syncing a non ca/crt secret %v (reason: %v)", key, err)`, then compiled/deployed and saw that the issue is now:

```
I0802 23:52:18.689318       7 backend_ssl.go:45] syncing a non ca/crt secret httpbin/httpbin-test-rw-tls (reason: unexpected error creating pem file: failed to verify certificate chain: 
	x509: certificate signed by unknown authority
)
```

Is haproxy not liking only having the root in the ca.crt?


jpiper commented Aug 3, 2021

I suspect the issue is around

https://github.com/jcmoraisjr/haproxy-ingress/blob/master/pkg/common/net/ssl/ssl.go#L97

where the cert validation is happening: it looks like pem.Decode is being called once, so only a single cert is being extracted.


jpiper commented Aug 3, 2021

Changing https://github.com/jcmoraisjr/haproxy-ingress/blob/master/pkg/common/net/ssl/ssl.go#L138-L143

to

```go
	if len(ca) > 0 {
		// ca.crt holds the trust anchor(s): root only in the reported setup
		bundle := x509.NewCertPool()
		bundle.AppendCertsFromPEM(ca)

		// every block of tls.crt is offered as a possible intermediate, so a
		// leaf + intermediate tls.crt can chain up to a root-only ca.crt
		intBundle := x509.NewCertPool()
		intBundle.AppendCertsFromPEM(cert)

		opts := x509.VerifyOptions{
			Roots:         bundle,
			Intermediates: intBundle,
		}
```

fixed it for me

jcmoraisjr (Owner) commented

Hi, does it work if you concatenate crt (first) + ints + root (last) into the same pem file?
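To make the two code paths above concrete, here is an added Go example, written for this page and not code from haproxy-ingress or from either participant. It builds a constructed root -> intermediate -> leaf chain in memory, lays it out both as the reporter's tls.crt (leaf + intermediate) / ca.crt (root only) pair and as the single crt-first, root-last bundle the maintainer asks about, and then runs the first-block-only verification of the original ssl.go path next to the Intermediates-pool form of the fix. The names issue, pemEncode, Fixture, buildFixture, verifyLeaf and isUnknownAuthority, and the CommonNames used, are assumptions made here; the certificates are generated on the fly and are not real key material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// issue creates a P-256 certificate for cn signed by parent, or self-signed when parent is nil.
// It panics on failure: it only ever builds the constructed fixture below, never real key material.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // Verify checks ServerAuth by default
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// pemEncode concatenates certificates into one PEM file in the order given.
func pemEncode(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// Fixture holds the three PEM layouts the thread discusses (constructed, not real data).
type Fixture struct {
	TLSCrt []byte // leaf then intermediate: the reporter's tls.crt
	CACrt  []byte // root only: the reporter's ca.crt
	Bundle []byte // leaf + intermediate + root in one file: the layout the maintainer asked about
}

// buildFixture issues root -> intermediate -> leaf and lays the PEM out the three ways above.
func buildFixture() Fixture {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue("httpbin.example.test", false, inter, interKey)
	return Fixture{TLSCrt: pemEncode(leaf, inter), CACrt: pemEncode(root), Bundle: pemEncode(leaf, inter, root)}
}

// verifyLeaf decodes the first block of tlsCrt as the leaf and verifies it with caCrt as the roots.
// withIntermediates=false is the pre-fix path (every block after the first is ignored); true is the
// fixed path, where those trailing blocks feed VerifyOptions.Intermediates.
func verifyLeaf(tlsCrt, caCrt []byte, withIntermediates bool) error {
	block, rest := pem.Decode(tlsCrt)
	if block == nil {
		return errors.New("tls.crt contains no PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caCrt)
	opts := x509.VerifyOptions{Roots: roots}
	if withIntermediates {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AppendCertsFromPEM(rest) // returns false when rest is empty, which is fine
	}
	_, err = leaf.Verify(opts)
	return err
}

// isUnknownAuthority reports whether err is Go's "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}
```

With the leaf + intermediate tls.crt and a root-only ca.crt, the pre-fix path returns x509.UnknownAuthorityError, which is exactly the message the reporter surfaced once the error was logged: the leaf's issuer is the intermediate, and nothing in Roots matches it. Feeding the trailing blocks into Intermediates verifies both that layout and the single crt-first, root-last bundle. Note that both paths still take only the first block as the leaf, so the leaf has to come first in the file, which matches the order the maintainer describes.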

jpiper changed the title from "TLS certs not loading when tls.crt, tls.key and ca.crt all present" to "TLS cert verification failing when ca.crt only contains root cert and tls.crt contains intermediate and leaf cert" on Aug 9, 2021

jcmoraisjr added this to the v0.13 milestone on Sep 5, 2021

jcmoraisjr (Owner) commented

Fixed in v0.13.2. Closing.
