In the context of a CPanel Softaculous-installed Nextcloud, what could it possibly mean that, regardless how I set the certificate through #CPanel, ak.modusresearch.com returns with the following clearly bogus certificate:
-
In the context of a CPanel Softaculous-installed Nextcloud, what could it possibly mean that, regardless how I set the certificate through #CPanel, ak.modusresearch.com returns with the following clearly bogus certificate:
Common Name: #Kubernetes #Ingress Controller Fake Certificate
Organization: #AcmeCo
Not Before: Sat, 28 Feb 2026 15:37:53 GMT ?????
DNS Name: ingress.localIn what sort of twisted Universe would supplying such a thing make sense? Also interesting is the Not Before which was pretty much the moment I requested the page, but gave the same when asked an hour later.
-
In the context of a CPanel Softaculous-installed Nextcloud, what could it possibly mean that, regardless how I set the certificate through #CPanel, ak.modusresearch.com returns with the following clearly bogus certificate:
Common Name: #Kubernetes #Ingress Controller Fake Certificate
Organization: #AcmeCo
Not Before: Sat, 28 Feb 2026 15:37:53 GMT ?????
DNS Name: ingress.localIn what sort of twisted Universe would supplying such a thing make sense? Also interesting is the Not Before which was pretty much the moment I requested the page, but gave the same when asked an hour later.
Is there a Certificate object in the namespace? is cert-manager working properly to do the ACME certbot handshakes?
-
Is there a Certificate object in the namespace? is cert-manager working properly to do the ACME certbot handshakes?
@praxiscode I like your words but little idea what they might mean.
What is a cert Object? The server does run certbot for LetsEncrypt, those all work fine, but what is the rationale for a Kubernetes Ingress FAKE Certificate to even exist as a concept?
-
R relay@relay.mycrowd.ca shared this topic
-
@praxiscode I like your words but little idea what they might mean.
What is a cert Object? The server does run certbot for LetsEncrypt, those all work fine, but what is the rationale for a Kubernetes Ingress FAKE Certificate to even exist as a concept?
That cert exists to facilitate encryption of the connection while SNI negotiation takes place. You're still seeing it because the Ingress controller hasn't attached the certificate secret to the Ingress yet.
If you were running cert-manager to auto-negotiate certificates with letsencrypt, you would see a Certificate object (kubectl get cert) in the same namespace as the ingress.
Perhaps the certificate secret hasn't been applied to the Ingress; did you check that?
-
That cert exists to facilitate encryption of the connection while SNI negotiation takes place. You're still seeing it because the Ingress controller hasn't attached the certificate secret to the Ingress yet.
If you were running cert-manager to auto-negotiate certificates with letsencrypt, you would see a Certificate object (kubectl get cert) in the same namespace as the ingress.
Perhaps the certificate secret hasn't been applied to the Ingress; did you check that?
This command will engage in SNI negotiations, but it also shows the fake cert, which reinforces the idea that the certificate secret hasn't been attached to the Ingress.
openssl s_client -connect ak.modusresearch.com:443 -servername ak.modusresearch.com -showcerts </dev/null | openssl x509 -noout -text
-
@praxiscode I like your words but little idea what they might mean.
What is a cert Object? The server does run certbot for LetsEncrypt, those all work fine, but what is the rationale for a Kubernetes Ingress FAKE Certificate to even exist as a concept?
Another bit of context is perhaps a warning about the low standards for Canadian Web Hosting support. In my experience, only Microsoft was worse, excluding Bell and Rogers of course. Not recommended. Support appears to only keep office hours⦠in India. 'Urgent' on a ticket means within the week.
-
This command will engage in SNI negotiations, but it also shows the fake cert, which reinforces the idea that the certificate secret hasn't been attached to the Ingress.
openssl s_client -connect ak.modusresearch.com:443 -servername ak.modusresearch.com -showcerts </dev/null | openssl x509 -noout -text
@praxiscode ok, making more sense now. Just for fun I will send these two posts of yours to cwh support for when they wake up, give it a hour or two, then jump in with a blunt instrument hunting Ingress.
I would expect, if they installed it, they will go aha! Like when on the 8th day they remembered they do in fact have an assassin process that killed Tomcat once a minute.
Thing is, this certificate doesn't have a passphrase, if that's the Secret, and hasn't changed config in years outside of certain renewals that worked without incident.
I'm keen to see what they say. Thanks for all this!
