Passbolt SSL alert number 42 Helm Kubernetes K3s

Checklist
[ +] I have read intro post: About the Installation Issues category
[ +] I have read the tutorials, help and searched for similar issues
[ +] I provide relevant information about my server (component names and versions, etc.)
[ +] I provide a copy of my logs and healthcheck
[ +] I describe the steps I have taken to troubleshoot the problem
[ +] I describe the steps on how to reproduce the issue

Hi, everyone!
I’m trying to deploy passbolt on my cluster. Unfortunately, I’ve hit an unsolvable error.

I’m using K3s with cert-manager.

Here are my configuration files (I masked my domain with domain).
My values.yaml:

redisDependencyEnabled: false

redis:
  auth:
    password: my_redis_password

mariadb:
  auth:
    password: my_mariadb_password
  primary:
    persistence:
      storageClass: openebs-hostpath
  secondary:
    persistence:
      storageClass: openebs-hostpath

passboltEnv:
  plain:
    APP_FULL_BASE_URL: https://passbolt.domain.net
    PASSBOLT_SSL_FORCE: true
  secret:
    CACHE_CAKE_DEFAULT_PASSWORD: my_redis_password
    DATASOURCES_DEFAULT_PASSWORD: my_mariadb_password

app:
  # -- Configure passbolt deployment init container that waits for database
  databaseInitContainer:
    # -- Toggle passbolt deployment init container that waits for database
    enabled: false
  # Allowed options: mariadb, mysql or postgresql
  database:
    kind: mariadb
  cache:
    # Use CACHE_CAKE_DEFAULT_* variables to configure the connection to redis instance
    # on the passboltEnv configuration section
    redis:
      # -- By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php
      # That instructs passbolt to store sessions on redis and to use it as a general cache.
      enabled: false
      sentinelProxy:
        # -- Inject a haproxy sidecar container configured as a proxy to redis sentinel
        # Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy
        enabled: false

cronJobEmail:
  enabled: false
  schedule: "* * * * *"
  extraPodLabels: {}

# -- Configure passbolt container livenessProbe
livenessProbe:
  httpGet:
    port: https
    scheme: HTTPS
    path: /healthcheck/status.json
    httpHeaders:
      - name: Host
        value: my-passbolt.passbolt.svc.cluster.local
  initialDelaySeconds: 20
  periodSeconds: 10
# -- Configure passbolt container readinessProbe
readinessProbe:
  httpGet:
    port: https
    scheme: HTTPS
    httpHeaders:
      - name: Host
        value: my-passbolt.passbolt.svc.cluster.local
    path: /healthcheck/status.json
  initialDelaySeconds: 5
  periodSeconds: 10

tls:
  # -- Generates a secret with a self-signed certificate that is injected on ingress and passbolt container
  autogenerate: false
  # -- Name of an existing kubernetes secret that contains a SSL certificate to inject on ingress and passbolt container
  existingSecret: passbolt-cert-secret

ingress:
  # -- Enable passbolt ingress
  enabled: true
  # -- Configure passbolt ingress annotations
  annotations: {}
  # -- Configure passbolt ingress hosts
  hosts:
    - host: passbolt.domain.net
      paths:
        - path: /
          pathType: ImplementationSpecific
  # -- Configure passbolt ingress tls
  tls:
    # If secretname is not empty, the tls entry will use it, otherwise will
    # have a default name based on the release
    - secretName: passbolt-cert-secret
      hosts:
        - passbolt.domain.net

My certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: passbolt-cert-secret
  namespace: passbolt
spec:
  secretName: passbolt-cert-secret

  subject:
    organizations:
      - domain.net

  duration: 2160h # 90d
  renewBefore: 360h # 15d
  usages:
    - digital signature
    - key encipherment
  dnsNames:
    - passbolt.domain.net
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
    group: cert-manager.io

The certificate is ready and a secret is created.

When I go to any browser and make a request to https://passbolt.domain.net, I get an Internal Server Error, and the logs show this error:

2024/04/04 23:00:06 [info] 184#184: *8 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443

Could you please tell me what I did wrong?

Full logs:

2024-04-05 00:07:18,511 INFO reaped unknown pid 2777 (exit status 0)
2024-04-05 00:07:18,511 INFO reaped unknown pid 2778 (exit status 0)
2024-04-05 00:07:18,511 INFO reaped unknown pid 2781 (exit status 0)
2024-04-05 00:07:18,511 INFO reaped unknown pid 2782 (exit status 0)
10.42.0.1 - - [05/Apr/2024:00:07:18 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
10.42.0.1 - - [05/Apr/2024:00:07:28 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
2024-04-05 00:07:28,490 INFO reaped unknown pid 2788 (exit status 0)
2024-04-05 00:07:28,490 INFO reaped unknown pid 2787 (exit status 0)
2024-04-05 00:07:28,491 INFO reaped unknown pid 2791 (exit status 0)
2024-04-05 00:07:28,491 INFO reaped unknown pid 2792 (exit status 0)
10.42.0.1 - - [05/Apr/2024:00:07:28 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
2024-04-05 00:07:38,499 INFO reaped unknown pid 2798 (exit status 0)
2024-04-05 00:07:38,499 INFO reaped unknown pid 2797 (exit status 0)
2024-04-05 00:07:38,499 INFO reaped unknown pid 2801 (exit status 0)
2024-04-05 00:07:38,499 INFO reaped unknown pid 2802 (exit status 0)
10.42.0.1 - - [05/Apr/2024:00:07:38 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
10.42.0.1 - - [05/Apr/2024:00:07:38 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
10.42.0.1 - - [05/Apr/2024:00:07:48 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
2024-04-05 00:07:48,499 INFO reaped unknown pid 2808 (exit status 0)
2024-04-05 00:07:48,499 INFO reaped unknown pid 2807 (exit status 0)
2024-04-05 00:07:48,499 INFO reaped unknown pid 2811 (exit status 0)
2024-04-05 00:07:48,499 INFO reaped unknown pid 2812 (exit status 0)
10.42.0.1 - - [05/Apr/2024:00:07:48 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
10.42.0.1 - - [05/Apr/2024:00:07:58 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
2024-04-05 00:07:58,501 INFO reaped unknown pid 2817 (exit status 0)
2024-04-05 00:07:58,501 INFO reaped unknown pid 2818 (exit status 0)
2024-04-05 00:07:58,501 INFO reaped unknown pid 2821 (exit status 0)
2024-04-05 00:07:58,501 INFO reaped unknown pid 2822 (exit status 0)
10.42.0.1 - - [05/Apr/2024:00:07:58 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
10.42.0.1 - - [05/Apr/2024:00:08:08 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
2024-04-05 00:08:08,494 INFO reaped unknown pid 2826 (exit status 0)
2024-04-05 00:08:08,494 INFO reaped unknown pid 2828 (exit status 0)
2024-04-05 00:08:08,494 INFO reaped unknown pid 2831 (exit status 0)
2024-04-05 00:08:08,494 INFO reaped unknown pid 2832 (exit status 0)
10.42.0.1 - - [05/Apr/2024:00:08:08 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
10.42.0.1 - - [05/Apr/2024:00:08:18 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
2024-04-05 00:08:18,498 INFO reaped unknown pid 2837 (exit status 0)
2024-04-05 00:08:18,498 INFO reaped unknown pid 2838 (exit status 0)
2024-04-05 00:08:18,498 INFO reaped unknown pid 2842 (exit status 0)
2024-04-05 00:08:18,498 INFO reaped unknown pid 2841 (exit status 0)
10.42.0.1 - - [05/Apr/2024:00:08:18 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"
2024/04/05 00:08:22 [info] 181#181: *1057 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443
2024/04/05 00:08:22 [info] 181#181: *1058 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443
2024/04/05 00:08:23 [info] 181#181: *1059 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443
2024/04/05 00:08:23 [info] 181#181: *1060 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443
2024/04/05 00:08:23 [info] 181#181: *1061 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443
2024/04/05 00:08:23 [info] 181#181: *1062 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443
2024/04/05 00:08:23 [info] 181#181: *1063 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443
2024/04/05 00:08:23 [info] 181#181: *1064 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443
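
A triage sketch for the log excerpts above, added here as an example and not part of the original post: it groups nginx handshake alerts and completed requests by client IP and decodes the alert number. The function names are hypothetical; it relies on OpenSSL reporting alerts received from the peer with reasons worded "sslv3 alert ..." or "tlsv1 alert ...".

```python
import re
from collections import Counter, defaultdict

# Certificate-related TLS alert codes (RFC 5246 section 7.2, RFC 8446 section 6).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
# nginx error-log and access-log lines; the function field is empty with OpenSSL 3.
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:[0-9A-Fa-f]+:SSL routines:"
    r"[^:]*:(?P<reason>[^:]+):SSL alert number (?P<alert>\d+)\)"
    r".*?client: (?P<client>[0-9A-Fa-f.:]+), server:")
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<agent>[^"]*)"')

def triage(lines):
    """Group TLS handshake alerts and completed requests by client IP."""
    report = defaultdict(lambda: {"alerts": Counter(), "requests": Counter(), "peer_sent": False})
    for line in lines:
        hs = HANDSHAKE_RE.search(line)
        ok = ACCESS_RE.match(line)
        if hs:
            entry = report[hs["client"]]
            entry["alerts"][int(hs["alert"])] += 1
            # A reason worded "sslv3 alert ..." means nginx received the alert from the client.
            entry["peer_sent"] |= hs["reason"].startswith(("sslv3 alert", "tlsv1 alert"))
        elif ok:
            report[ok["client"]]["requests"][(ok["status"], ok["agent"])] += 1
    return dict(report)

def summarize(report):
    out = []
    for client, e in sorted(report.items()):
        for code, n in sorted(e["alerts"].items()):
            who = "alert sent by the client" if e["peer_sent"] else "alert raised by the server"
            out.append(f"{client}: {n}x alert {code} ({TLS_ALERTS.get(code, 'unknown')}), {who}")
        for (status, agent), n in sorted(e["requests"].items()):
            out.append(f"{client}: {n}x HTTP {status} from {agent}")
    return out

# Sample input: four lines copied from the log excerpts in the post above.
SAMPLE = [
    '2024/04/04 23:00:06 [info] 184#184: *8 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443',
    '2024/04/05 00:08:22 [info] 181#181: *1057 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443',
    '10.42.0.1 - - [05/Apr/2024:00:07:18 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"',
    '10.42.0.1 - - [05/Apr/2024:00:07:28 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.28"',
]
if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE))))
```

Run on these lines, it reports the kube-probe at 10.42.0.1 completing HTTPS requests while both alert 42 entries come from 10.42.0.34, which is the client to inspect for how it validates the certificate nginx presents.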