jaadds opened a new issue, #2717: URL: https://github.com/apache/apisix-ingress-controller/issues/2717
## Overview

I'm seeking help to understand why ApisixTls resources are not enabling HTTPS. The SSL handshake fails with "failed to match any SSL certificate by SNI" error.

## Environment

- **APISIX Ingress Controller Version:** 2.0.1
- **APISIX Version:** 3.14.1
- **Kubernetes:** 1.34
- **Helm Chart:** apisix/apisix from https://apache.github.io/apisix-helm-chart

## Setup Steps

### 1. Add Helm repos

```bash
helm repo add apisix https://apache.github.io/apisix-helm-chart
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
```

### 2. Install APISIX with Ingress Controller

Save this as `helm-values.yaml`:

```yaml
apisix:
  enabled: true
  # Enable SSL/TLS on APISIX
  ssl:
    enabled: true
    containerPort: 9443
    sslProtocols: "TLSv1.2 TLSv1.3"
  admin:
    enabled: true
    type: ClusterIP
    credentials:
      admin: edd1c9f034335f136f87ad84b625c8f1
    allow:
      ipList:
        - 0.0.0.0/0

# Service configuration
service:
  type: NodePort  # NodePort required for externalTrafficPolicy compatibility
  http:
    servicePort: 80
  tls:
    servicePort: 443  # External HTTPS port

etcd:
  enabled: true
  replicaCount: 1
  persistence:
    enabled: false

ingress-controller:
  enabled: true
  gatewayProxy:
    createDefault: true
  apisix:
    adminService:
      namespace: ingress-apisix
```

Install:

```bash
helm install apisix apisix/apisix --namespace ingress-apisix --create-namespace -f helm-values.yaml
```

### 3. Deploy sample backend

```bash
kubectl apply -f https://raw.githubusercontent.com/apache/apisix-ingress-controller/refs/heads/v2.0.0/examples/httpbin/deployment.yaml
```

### 4. Create ApisixRoute

```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  namespace: default
  name: getting-started-ip
spec:
  ingressClassName: apisix
  http:
    - name: getting-started-ip
      match:
        hosts:
          - test.local
        paths:
          - /ip
      backends:
        - serviceName: httpbin
          servicePort: 80
```

### 5. Port-forward

```bash
kubectl port-forward svc/apisix-gateway -n ingress-apisix 9080:80 8443:443 &
```

### 6. Test HTTP - Works ✅

```bash
curl -v --resolve test.local:9080:127.0.0.1 http://test.local:9080/ip
```

Response:

```
* Connected to test.local (127.0.0.1) port 9080
> GET /ip HTTP/1.1
> Host: test.local:9080
< HTTP/1.1 200 OK
< Content-Type: application/json
< Server: APISIX/3.14.1
{
  "origin": "127.0.0.1"
}
```

**HTTP routing works correctly.**

### 7. Create TLS Secret and ApisixTls

Apply the TLS Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-tls
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: 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
  tls.key: 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VJoS0xSVWJkTFROQkFvR0JBTW1EWHMyajJqdVdVQnM4SXphWgoveWNYalQvM2g1TjFKNmRrTGpEK1lZUXd2b1lRZWM4UXRWc2FicExwYU9tSW9HazkzWm1Xai9HdmJtaHdhUGgxCnE5R0t0L2dtbDhoVWlyaXViSW5GTCtEbGtLM3VSbStDN2VxNU1hWUNHS3Y4VWtQL2tCZHhSL0daRVlWQ1BIVXUKWjhhYnk0UmxOVHZyckVHdTVHRXBmN3ZqCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
```

Apply the ApisixTls:

```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: test-tls
  namespace: default
spec:
  hosts:
    - test.local
    - '*.test.local'
  secret:
    name: test-tls
    namespace: default
```

### 8. Test HTTPS - Fails ❌

```bash
curl -v --resolve test.local:8443:127.0.0.1 https://test.local:8443/ip
```

Error:

```
* Added test.local:8443:127.0.0.1 to DNS cache
* Hostname test.local was found in DNS cache
*   Trying 127.0.0.1:8443...
Handling connection for 8443
* Connected to test.local (127.0.0.1) port 8443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
```

### APISIX Logs

```
2026/02/06 09:46:46 [error] 49#49: *27685 [lua] init.lua:217: ssl_client_hello_phase(): failed to match any SSL certificate by SNI: test.local, context: ssl_client_hello_by_lua*, client: 127.0.0.1, server: 0.0.0.0:9443
```

## Questions

1. Is there additional configuration required to make ApisixTls sync SSL certificates to APISIX?
2. Should the ApisixTls and the ApisixRoute be in the same namespace?
3. Are there any known issues with ApisixTls in version 2.0.1?
4. Is there a recommended workaround (e.g., using standard Kubernetes Ingress with TLS section instead)?

Any guidance would be greatly appreciated. Thank you!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
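Before reading controller logs for a "failed to match any SSL certificate by SNI" error, it helps to rule out the object-level causes: a referenced Secret that is not of type `kubernetes.io/tls`, a `tls.crt`/`tls.key` value that is missing or not a decodable PEM, a secret reference that resolves to the wrong namespace, or a `spec.hosts` list that simply does not cover the SNI the client sends. The script below is an added example written for this page (it is not code from the issue or from the apisix-ingress-controller project) and runs those checks offline over dict-shaped copies of the Secret and ApisixTls from the report. The sample objects, the placeholder PEM bodies, and the `run_sample` helper are constructed for the example; the wildcard rule in `sni_matches` is a conservative single-label interpretation and does not reproduce APISIX's own SNI matcher.

```python
"""Offline sanity check for an ApisixTls object and the Secret it references.

Added example, not code from the issue or the apisix-ingress-controller
project. Objects are plain dicts shaped like the Kubernetes resources; the
PEM bodies are constructed placeholders, not real key material.
"""
import base64
import binascii

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
KEY_HEADERS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)


def decode_pem(b64_value, expected_headers):
    """Decode one Secret data value; return (pem_text, error_or_None)."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError):
        return None, "value is not valid base64"
    text = raw.decode("ascii", errors="replace")
    lines = text.splitlines()
    first = lines[0].strip() if lines else ""
    if first not in expected_headers:
        return None, f"unexpected PEM header {first!r}"
    return text, None


def check_secret(secret):
    """Problems that would stop a controller from turning this Secret into an
    SSL object: wrong type, missing data keys, undecodable PEM."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(
            f"secret type is {secret.get('type')!r}, expected 'kubernetes.io/tls'")
    data = secret.get("data") or {}
    for key, headers in (("tls.crt", (CERT_HEADER,)), ("tls.key", KEY_HEADERS)):
        if key not in data:
            problems.append(f"missing data key {key!r}")
            continue
        _, err = decode_pem(data[key], headers)
        if err:
            problems.append(f"{key}: {err}")
    return problems


def sni_matches(pattern, sni):
    """Does a configured host cover an incoming SNI? Assumption: a leading
    '*.' matches exactly one label (RFC 6125 style). APISIX's radixtree
    matcher is not reproduced here, so treat False as 'check further'."""
    pattern = pattern.lower().rstrip(".")
    sni = sni.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # "*.test.local" -> ".test.local"
        if not sni.endswith(suffix) or len(sni) <= len(suffix):
            return False
        return "." not in sni[: -len(suffix)]   # exactly one extra label
    return pattern == sni


def check_apisixtls(tls, secrets, snis):
    """Resolve the secret reference, validate the Secret, and report which of
    `snis` the spec.hosts list covers. `secrets` maps (namespace, name) -> dict."""
    spec = tls.get("spec") or {}
    ref = spec.get("secret") or {}
    key = (ref.get("namespace"), ref.get("name"))
    problems = []
    secret = secrets.get(key)
    if secret is None:
        problems.append(f"referenced secret {key[0]}/{key[1]} not found")
    else:
        problems.extend(check_secret(secret))
    hosts = spec.get("hosts") or []
    if not hosts:
        problems.append("spec.hosts is empty")
    coverage = {sni: any(sni_matches(h, sni) for h in hosts) for sni in snis}
    return {"problems": problems, "coverage": coverage}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample objects mirroring the report (placeholder PEM bodies).
SAMPLE_SECRET = {
    "metadata": {"name": "test-tls", "namespace": "default"},
    "type": "kubernetes.io/tls",
    "data": {
        "tls.crt": _b64(f"{CERT_HEADER}\nMIIBplaceholder\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"),
    },
}
SAMPLE_TLS = {
    "metadata": {"name": "test-tls", "namespace": "default"},
    "spec": {"hosts": ["test.local", "*.test.local"],
             "secret": {"name": "test-tls", "namespace": "default"}},
}


def run_sample():
    secrets = {("default", "test-tls"): SAMPLE_SECRET}
    return check_apisixtls(SAMPLE_TLS, secrets,
                           ["test.local", "api.test.local", "a.b.test.local"])


if __name__ == "__main__":
    print(run_sample())
```

On real clusters, feed `check_apisixtls` the output of `kubectl get secret -o json` and `kubectl get apisixtls -o json` instead of the constructed dicts; an empty `problems` list with the SNI reported as covered means the objects are well-formed and the remaining suspects are on the controller side (sync, ingress class, or admin API reachability).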
