400 Bad Request The plain HTTP request was sent to HTTPS port

Installing the passbolt Helm chart in a Kubernetes cluster with ingress enabled throws “The plain HTTP request was sent to HTTPS port” when trying to access the passbolt URL.

This issue is due to NGINX trying to reach the backend passbolt service over HTTP instead of HTTPS, which passbolt doesn’t like.

Adding nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" to the passbolt ingress annotations resolved the issue.


Hello, can you send some snippet? It hasn’t worked for me… This is my extra-values.yaml

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - host: passbolt.my.custom.domain   
      paths:
        - path: /
          pathType: ImplementationSpecific   
  tls:
    - secretName: passbolt-tls
      hosts:
        - passbolt.my.custom.domain

passboltEnv:
  plain:
    APP_FULL_BASE_URL: https://passbolt.my.custom.domain

Thanks in advance

Hello, I had the same issue.
It happens because the backend is using HTTPS and the client sends traffic via HTTP. Here you can find a deeper explanation about this topic: ssl - How NGINX Ingress controller back-end protocol annotation works in path based routing? - Stack Overflow

If the annotation suggested by @said678 doesn’t solve it, check the TLS secret created during the installation. Your nginx-ingress-controller expects an SSL certificate, but the original request is probably plain HTTP.

In the TLS secret you should see the cert-manager annotations, for example:

cert-manager.io/certificate-name
cert-manager.io/issuer-name

If not, you can try these configurations:

ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    external-dns.alpha.kubernetes.io/hostname: passbolt.my.custom.domain 
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - host: passbolt.my.custom.domain 
      paths:
        - path: /
          pathType: Prefix
          backend: 
            service:
              name: my-release-passbolt
              port: 
                number: 443
  tls:
    - secretName: my-release-passbolt-sec-tls
      hosts:
        - passbolt.my.custom.domain

Finally, be sure to inherit this value from the chart:

tls:
  autogenerate: true

I am still having this issue.

I am using Rancher on k3s, with the nginx controller installed plus cert-manager.
Below is my YAML for the ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    field.cattle.io/publicEndpoints: >-
      [{"addresses":["172.10.100.11"],"port":443,"protocol":"HTTPS","serviceName":"default:my-release-passbolt","ingressName":"default:main-ing","hostname":"passbolt.ridhoswasta.com","path":"/","allNodes":false}]
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  creationTimestamp: '2024-03-20T15:48:20Z'
  generation: 2
  managedFields:
    - apiVersion: networking.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
      manager: nginx-ingress
      operation: Update
      subresource: status
      time: '2024-03-20T15:48:21Z'
    - apiVersion: networking.k8s.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:field.cattle.io/publicEndpoints: {}
            f:kubernetes.io/ingress.class: {}
            f:nginx.ingress.kubernetes.io/backend-protocol: {}
        f:spec:
          f:rules: {}
          f:tls: {}
      manager: agent
      operation: Update
      time: '2024-03-20T15:53:00Z'
  name: main-ing
  namespace: default
  resourceVersion: '43437392'
  uid: 7d6f120e-b7f2-4850-97a6-386ec8f41bd6
spec:
  rules:
    - host: passbolt.ridhoswasta.com
      http:
        paths:
          - backend:
              service:
                name: my-release-passbolt
                port:
                  number: 443
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - passbolt.ridhoswasta.com
      secretName: tls-secret
status:
  loadBalancer:
    ingress:
      - ip: 172.10.100.11

I have tried every suggestion online, but nothing fixes this now.

Below are the nginx logs:

125.165.104.162 - - [20/Mar/2024:15:53:07 +0000] "GET /auth/is-authenticated.json HTTP/1.1" 400 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "-"
125.165.104.162 - - [20/Mar/2024:15:54:07 +0000] "GET /users/me.json?api-version=v2 HTTP/1.1" 400 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "-"
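
The checks discussed in this thread (backend-protocol annotation versus backend port, and hosts covered by the TLS block) can be run against an Ingress exported with `kubectl get ingress NAME -o json`. This is an added example, not code from any post above or from the passbolt chart; `lint_ingress`, `sample`, the `https_port=443` default and the `passbolt.example.test` host are assumptions made for illustration.

```python
import json

BACKEND_PROTO = "nginx.ingress.kubernetes.io/backend-protocol"

def lint_ingress(ing, https_port=443):
    """Lint an Ingress dict (e.g. parsed `kubectl get ingress NAME -o json`).
    https_port is an assumption: the Service port on which the backend speaks TLS."""
    findings = []
    spec = ing.get("spec", {})
    annotations = ing.get("metadata", {}).get("annotations") or {}
    # ingress-nginx talks plain HTTP to the backend unless told otherwise
    proto = annotations.get(BACKEND_PROTO, "HTTP").upper()
    tls_hosts = set()
    for entry in spec.get("tls") or []:
        if not entry.get("secretName"):
            findings.append("spec.tls entry has no secretName")
        tls_hosts.update(entry.get("hosts") or [])
    for rule in spec.get("rules") or []:
        host = rule.get("host", "")
        if host not in tls_hosts:
            findings.append(f"{host}: not listed under spec.tls[].hosts")
        for path in (rule.get("http") or {}).get("paths") or []:
            svc = path.get("backend", {}).get("service", {})
            name, port = svc.get("name"), svc.get("port", {}).get("number")
            if port is None:  # named port: cannot be judged from the Ingress alone
                continue
            if port == https_port and proto != "HTTPS":
                findings.append(f"{name}:{port}: TLS port, but backend-protocol is {proto}")
            elif proto == "HTTPS" and port != https_port:
                findings.append(f"{name}:{port}: backend-protocol is HTTPS, port is not {https_port}")
    return findings

def sample(annotations, port, tls_hosts):
    """Constructed Ingress for the demo; host and secret name are placeholders."""
    backend = {"service": {"name": "my-release-passbolt", "port": {"number": port}}}
    return {
        "metadata": {"annotations": annotations},
        "spec": {
            "rules": [{"host": "passbolt.example.test",
                       "http": {"paths": [{"path": "/", "backend": backend}]}}],
            "tls": [{"secretName": "passbolt-tls", "hosts": tls_hosts}],
        },
    }

if __name__ == "__main__":
    host = ["passbolt.example.test"]
    for ing in (sample({}, 443, host), sample({BACKEND_PROTO: "HTTPS"}, 443, host),
                sample({BACKEND_PROTO: "HTTPS"}, 433, [])):
        print(json.dumps(lint_ingress(ing)))
```

An empty result only means the Ingress object is self-consistent; the Service and the controller configuration still have to match it.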