How to enable TLSv1 TLSv1.1 on ingress nginx
This document (000021887) is provided subject to the disclaimer at the end of this document.
Environment
Rancher 2.x
Ingress-Nginx >=2.3.3
Situation
Ingress-Nginx controller versions 2.3.3 and later removed support for TLS 1.0 and TLS 1.1. These versions default to accepting only TLS 1.2 and TLS 1.3, so clients that can negotiate nothing newer than TLS 1.1 fail the handshake against the ingress.
Resolution
NOTE: These protocols have been disabled as they are deemed insecure. Enabling them can put you at risk. Do so with caution.
- Login to the Rancher UI, select the desired downstream cluster from Cluster Management.
- For the desired downstream cluster, click on More options >> Edit Config >> Additional Manifest, paste the HelmChartConfig below for 'rke2-ingress-nginx' into that section and click on "Save".

  apiVersion: helm.cattle.io/v1
  kind: HelmChartConfig
  metadata:
    name: rke2-ingress-nginx
    namespace: kube-system
  spec:
    valuesContent: |-
      controller:
        config:
          ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
          ssl-ciphers: "@SECLEVEL=0 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
- Note that TLSv1 and TLSv1.1 have been added to ssl-protocols and that ssl-ciphers is prefixed with @SECLEVEL=0. Both are required: with OpenSSL 3.x the default security level (1) refuses TLS 1.0 and 1.1 handshakes even when ssl-protocols lists them, so without @SECLEVEL=0 the legacy protocols stay unusable. Keep in mind that these ConfigMap keys apply to the whole controller, so every Ingress served by it will accept the legacy protocols, not just the one with old clients. The cipher list also re-enables DES-CBC3-SHA (3DES), so trim it to the suites your legacy clients actually need.
- Alternatively, this configuration can be provided in the manifest file '/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml' on each RKE2 server node, followed by a 'rke2-server' service restart.
- The rendered nginx directives and the negotiated TLS version can be confirmed with the commands below (the controller pod name is abbreviated here; use the real one from 'kubectl -n kube-system get pods'):
# kubectl -n kube-system exec -it rke2-ingress-nginx-controller-xxxx -- /dbg conf | grep -E 'ssl_protocols|ssl_ciphers'
# curl -v https://<service_url>
# curl -v --tlsv1.0 --tls-max 1.0 https://<service_url>
The second curl forces a TLS 1.0 handshake; the "SSL connection using ..." line in the verbose output shows the version negotiated. This only works if the local curl is built against a TLS library that still permits TLS 1.0, which many current distributions no longer do.
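The check above can be scripted. The following is an added example, not part of this article or of the ingress-nginx project: it parses the ssl_protocols and ssl_ciphers lines from a '/dbg conf' dump and reports whether TLS 1.0/1.1 are listed and actually usable (i.e. @SECLEVEL=0 is also present), then optionally probes a live endpoint once per TLS version with the client pinned to that version. The nginx.conf snippet embedded in it is constructed for illustration, the host and port are whatever you pass on the command line, and certificate verification is disabled because only protocol support is being probed.

```python
"""Inspect an ingress-nginx rendered nginx.conf for the legacy TLS settings
this article enables, and optionally probe a live endpoint per TLS version.

Added example; not part of the SUSE article or the ingress-nginx project.
"""
import re
import socket
import ssl
import sys

# Constructed sample of the two relevant lines from `/dbg conf` output
# (not captured from a real cluster); quoting follows nginx's ssl_ciphers form.
SAMPLE_NGINX_CONF = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers '@SECLEVEL=0 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA';
"""

LEGACY_PROTOCOLS = ("TLSv1", "TLSv1.1")


def parse_ssl_directives(conf_text):
    """Extract ssl_protocols (list) and ssl_ciphers (list of OpenSSL tokens)."""
    out = {"ssl_protocols": [], "ssl_ciphers": []}
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", conf_text, re.M)
    if m:
        out["ssl_protocols"] = m.group(1).split()
    m = re.search(r"^\s*ssl_ciphers\s+['\"]?([^;'\"]+)['\"]?\s*;", conf_text, re.M)
    if m:
        # OpenSSL cipher strings separate entries with ':', ',' or whitespace,
        # so "@SECLEVEL=0 A:B" yields three tokens.
        out["ssl_ciphers"] = [t for t in re.split(r"[:,\s]+", m.group(1).strip()) if t]
    return out


def legacy_tls_status(conf_text):
    """Report whether TLS 1.0/1.1 are listed AND actually usable.

    Under OpenSSL 3.x, security level 1 (the default) refuses TLS < 1.2 no
    matter what ssl_protocols says, so the legacy versions only work when
    ssl_ciphers also carries @SECLEVEL=0.
    """
    d = parse_ssl_directives(conf_text)
    legacy = [p for p in d["ssl_protocols"] if p in LEGACY_PROTOCOLS]
    seclevel0 = "@SECLEVEL=0" in d["ssl_ciphers"]
    weak = [c for c in d["ssl_ciphers"] if "DES-CBC3" in c]  # 3DES, 64-bit block
    return {
        "legacy_protocols": legacy,
        "seclevel0": seclevel0,
        "legacy_usable": bool(legacy) and seclevel0,
        "weak_ciphers": weak,
    }


def probe_tls_versions(host, port=443, timeout=5.0):
    """One handshake per TLS version, with min and max pinned to that version.

    Returns {name: negotiated version string, False (server refused), or
    None (the local OpenSSL would not even configure that version)}.
    Needs network access to the target; nothing here is cached.
    """
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # protocol probe only,
        ctx.verify_mode = ssl.CERT_NONE  # not a certificate check
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            if ver < ssl.TLSVersion.TLSv1_2:
                # The client side needs the same security-level drop the
                # server side got via @SECLEVEL=0 to offer TLS 1.0/1.1.
                ctx.set_ciphers("ALL:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[ver.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[ver.name] = tls.version()
        except (ssl.SSLError, OSError):
            results[ver.name] = False
    return results


if __name__ == "__main__":
    print("sample nginx.conf:", legacy_tls_status(SAMPLE_NGINX_CONF))
    if len(sys.argv) > 1:  # usage: python3 tls_probe.py <ingress-host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for name, outcome in probe_tls_versions(sys.argv[1], port).items():
            print(f"{name:8s} -> {outcome}")
```

Pipe the real controller output in place of the sample ('kubectl ... -- /dbg conf' redirected to a file and read into legacy_tls_status) to verify the HelmChartConfig was rendered. A None from the probe means the local Python/OpenSSL build refuses to speak that version at all, which is the same constraint that affects curl on current distributions.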
Cause
TLSv1 and TLSv1.1 are considered insecure and were formally deprecated by RFC 8996; as a result they have been disabled by default in Ingress-Nginx controller versions 2.3.3 and later.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.