Hostname validation against server's certificate for HTTPs Ingress backends #2137

@specialforest

Description

When an Ingress backend uses HTTPS, request forwarding fails with something like:

System.Net.Http.HttpRequestException: 'The SSL connection could not be established, see inner exception.'
AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch

This happens because the ingress controller resolves the backend service to a set of endpoints which are IP addresses. ClusterConfig.Destinations in turn has addresses with just IPs. When forwarding the request, there is no information about the destination hostname and therefore the server's certificate validation fails.

There are a couple of workarounds:

  1. Use HttpClientConfig.DangerousAcceptAnyServerCertificate
  2. Define a transform on the ingress rule to set the Host header:
  annotations:
    yarp.ingress.kubernetes.io/transforms: |
      - RequestHeader: Host
        Set: "my.backend.hostname"

I'm creating this for awareness for others running into the same issue and to discuss if there is anything that can be done for it to just work.
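
An added example, not part of the original issue and not YARP's own code: a certificate validation callback for a plain `SocketsHttpHandler` that tolerates the `RemoteCertificateNameMismatch` caused by connecting to an IP only when the certificate matches a known backend hostname, so chain validation stays in force (unlike workaround 1). The `BackendTls` class and its methods are hypothetical, `my.backend.hostname` is the value from the transform above, and the certificate and error flags in `Main` are constructed in-process so the logic can be exercised offline.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class BackendTls // hypothetical helper, not a YARP type
{
    // True only if the chain is trusted and the certificate is valid for expectedHost.
    public static bool Validate(string expectedHost, X509Certificate? cert, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        // Tolerate a name mismatch alone (destination was dialed by IP).
        // Chain errors or a missing certificate still fail.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch || cert is null) return false;
        using var cert2 = new X509Certificate2(cert);
        return cert2.MatchesHostname(expectedHost); // requires .NET 7 or later
    }

    // Handler whose TLS validation is bound to one expected backend hostname.
    public static SocketsHttpHandler CreateHandler(string expectedHost)
    {
        var handler = new SocketsHttpHandler();
        handler.SslOptions.RemoteCertificateValidationCallback =
            (_, cert, _, errors) => Validate(expectedHost, cert, errors);
        return handler;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed certificate with a DNS SAN, used only to exercise Validate offline.
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=constructed-backend", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName("my.backend.hostname");
        req.CertificateExtensions.Add(san.Build());
        using var cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

        var mismatch = SslPolicyErrors.RemoteCertificateNameMismatch;
        Console.WriteLine(BackendTls.Validate("my.backend.hostname", cert, mismatch));
        Console.WriteLine(BackendTls.Validate("other.backend.hostname", cert, mismatch));
        Console.WriteLine(BackendTls.Validate("my.backend.hostname", cert,
            mismatch | SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```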
