
Configured DH param for ingress nginx controller but not working #11131

Closed
gravops opened this issue Mar 15, 2024 · 6 comments
Labels
kind/support Categorizes issue or PR as a support question. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@gravops

gravops commented Mar 15, 2024

What happened: To enable 2048-bit Diffie-Hellman, I configured ssl-dh-param in the config map and restarted the controller pods, but it is not showing 2048 bits.

What you expected to happen: Site URL to show Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller
Release: v1.9.6
Build: 6a73aa3
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.21.6

Kubernetes version (use kubectl version): 1.26

Environment: Production

  • Cloud provider or hardware configuration: AWS

  • OS (e.g. from /etc/os-release): centos rhel fedora

  • Kernel (e.g. uname -a): 5.10.186-179.751.amzn2.x86_64

  • Install tools:

    • Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc. EKS
  • Basic cluster related info:

    • kubectl version GitVersion:"v1.26.12-eks-5e0fdde"
    • kubectl get nodes -o wide
  • How was the ingress-nginx-controller installed:

    • If helm was used then please show output of helm ls -A | grep -i ingress
    • If helm was used then please show output of helm -n <ingresscontrollernamespace> get values <helmreleasename>
    • If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
    • if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
  • Current State of the controller:

    • kubectl describe ingressclasses
      Name: nginx
      Labels: app.kubernetes.io/component=controller
      app.kubernetes.io/instance=ingress-nginx
      app.kubernetes.io/managed-by=Helm
      app.kubernetes.io/name=ingress-nginx
      app.kubernetes.io/part-of=ingress-nginx
      app.kubernetes.io/version=1.9.6
      argocd.argoproj.io/instance=ingress-nginx
      helm.sh/chart=ingress-nginx-4.9.1
      Annotations:
      Controller: k8s.io/ingress-nginx
      Events:
    • kubectl -n <ingresscontrollernamespace> get all -A -o wide
      NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
      pod/ingress-nginx-controller-5bc5558b8f-7mr77 1/1 Running 0 7h46m XXXXXXX XXXXXXX
      pod/ingress-nginx-controller-5bc5558b8f-r4dln 1/1 Running 0 7h48m XXXXXXX XXXXXXX

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/ingress-nginx-controller LoadBalancer XXXXXXX XXXXXXX 80:32151/TCP,443:30545/TCP 465d app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx

NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/ingress-nginx-controller 2/2 2 2 465d controller registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx

NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
replicaset.apps/ingress-nginx-controller-5bbcb99494 0 0 0 210d controller registry.k8s.io/ingress-nginx/controller:v1.3.1@sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974 app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx,pod-template-hash=5bbcb99494
replicaset.apps/ingress-nginx-controller-5bc5558b8f 2 2 2 15d controller registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx,pod-template-hash=5bc5558b8f
replicaset.apps/ingress-nginx-controller-5fb97d6b54 0 0 0 24h controller registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx,pod-template-hash=5fb97d6b54
replicaset.apps/ingress-nginx-controller-7b7896d8b5 0 0 0 465d controller registry.k8s.io/ingress-nginx/controller:v1.3.1@sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974 app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx,pod-template-hash=7b7896d8b5

  • kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
    Name: ingress-nginx-controller-5bc5558b8f-7mr77
    Namespace: ingress-nginx
    Priority: 0
    Service Account: ingress-nginx
    Node: ip-10-138-174-103.ec2.internal/10.138.174.103
    Start Time: Fri, 15 Mar 2024 10:49:17 +0530
    Labels: app.kubernetes.io/component=controller
    app.kubernetes.io/instance=ingress-nginx
    app.kubernetes.io/managed-by=Helm
    app.kubernetes.io/name=ingress-nginx
    app.kubernetes.io/part-of=ingress-nginx
    app.kubernetes.io/version=1.9.6
    helm.sh/chart=ingress-nginx-4.9.1
    pod-template-hash=5bc5558b8f
    Annotations: cni.projectcalico.org/containerID: 2a256f2c80337fc6b28691c793c8e5d6a10b75359282e1a224c61d1825bf4778
    cni.projectcalico.org/podIP: 172.16.101.56/32
    cni.projectcalico.org/podIPs: 172.16.101.56/32
    kubectl.kubernetes.io/restartedAt: 2023-08-17T12:56:45-04:00
    metrics.dynatrace.com/filter: { "mode": "include", "names": [ "nginx_ingress_controller_ingress_upstream_latency_seconds" ] }
    metrics.dynatrace.com/path: /metrics
    metrics.dynatrace.com/port: 10254
    metrics.dynatrace.com/scrape: true
    Status: Running
    IP: 172.16.101.56
    IPs:
    IP: 172.16.101.56
    Controlled By: ReplicaSet/ingress-nginx-controller-5bc5558b8f
    Containers:
    controller:
    Container ID: containerd://339f018c55472fe7163260462afe10483fb6a0d31b9ce4b439cc3132b9b9c497
    Image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c
    Image ID: registry.k8s.io/ingress-nginx/controller@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c
    Ports: 80/TCP, 443/TCP
    Host Ports: 0/TCP, 0/TCP
    SeccompProfile: RuntimeDefault
    Args:
    /nginx-ingress-controller
    --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
    --election-id=ingress-nginx-leader
    --controller-class=k8s.io/ingress-nginx
    --ingress-class=nginx
    --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
    --v=3
    State: Running
    Started: Fri, 15 Mar 2024 10:49:19 +0530
    Ready: True
    Restart Count: 0
    Limits:
    cpu: 250m
    memory: 512Mi
    Requests:
    cpu: 250m
    memory: 512Mi
    Liveness: http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness: http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
    POD_NAME: ingress-nginx-controller-5bc5558b8f-7mr77 (v1:metadata.name)
    POD_NAMESPACE: ingress-nginx (v1:metadata.namespace)
    LD_PRELOAD: /usr/local/lib/libmimalloc.so
    Mounts:
    /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-jqppx (ro)
    Conditions:
    Type Status
    Initialized True
    Ready True
    ContainersReady True
    PodScheduled True
    Volumes:
    kube-api-access-jqppx:
    Type: Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds: 3607
    ConfigMapName: kube-root-ca.crt
    ConfigMapOptional:
    DownwardAPI: true
    QoS Class: Guaranteed
    Node-Selectors: kubernetes.io/os=linux
    Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
    node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
    Events:

  • kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
    Name: ingress-nginx-controller
    Namespace: ingress-nginx
    Labels: app.kubernetes.io/component=controller
    app.kubernetes.io/instance=ingress-nginx
    app.kubernetes.io/managed-by=Helm
    app.kubernetes.io/name=ingress-nginx
    app.kubernetes.io/part-of=ingress-nginx
    app.kubernetes.io/version=1.9.6
    argocd.argoproj.io/instance=ingress-nginx
    helm.sh/chart=ingress-nginx-4.9.1
    Annotations: argocd.argoproj.io/sync-options: Prune=false
    certmanager.k8s.io/cluster-issuer: letsencrypt
    external-dns.alpha.kubernetes.io/hostname:
    XXXXXXX
    nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2 TLSv1.3
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags:
    product_id=XXXXXXX
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-internal: true
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    Selector: app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
    Type: LoadBalancer
    IP Family Policy: SingleStack
    IP Families: IPv4
    IP: XXXXXXX
    IPs: XXXXXXX
    LoadBalancer Ingress: XXXXXXX
    Port: http 80/TCP
    TargetPort: http/TCP
    NodePort: http 32151/TCP
    Endpoints: 172.16.101.56:80,172.16.94.254:80
    Port: https 443/TCP
    TargetPort: https/TCP
    NodePort: https 30545/TCP
    Endpoints: XXXXX
    Session Affinity: None
    External Traffic Policy: Cluster
    LoadBalancer Source Ranges: XXXXXXX
    Events:

  • Current state of ingress object, if applicable:

    • kubectl -n <appnamespace> get all,ing -o wide
    • kubectl -n <appnamespace> describe ing <ingressname>
    • If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the response to the curl/grpcurl command with the -v flag
  • Others:

    • Any other related information like ;
      • copy/paste of the snippet (if applicable)
      • kubectl describe ... of any custom configmap(s) created and in use
      • Any other related information that may help

How to reproduce this issue:

I followed this documentation to configure dhparam https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param but it didn't work for me.
I can see the correct Diffie-Hellman bit size in the cert which is present in the pod.
ingress-nginx-controller-5bc5558b8f-7mr77:/etc/ingress-controller/ssl$ openssl dhparam -noout -text -check -in ingress-nginx-lb-dhparam.pem
DH Parameters: (2048 bit)

But on sslscan it shows:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
As minimally and precisely as possible. Keep in mind we do not have access to your cluster or application.
Help us (if possible) by reproducing the issue using minikube or kind.

Install minikube/kind

Install the ingress controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml

Install an application that will act as default backend (is just an echo app)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml

Create an ingress (please add any additional annotation required)

echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-bar
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  ingressClassName: nginx # omit this if you're on controller version below 1.0.0
  rules:
  - host: foo.bar
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: http-svc
            port:
              number: 80
" | kubectl apply -f -

make a request

POD_NAME=$(kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o NAME)
kubectl exec -it -n ingress-nginx $POD_NAME -- curl -H 'Host: foo.bar' localhost


Anything else we need to know:
All details shared

@gravops gravops added the kind/bug Categorizes issue or PR as related to a bug. label Mar 15, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Mar 15, 2024
@gravops
Author

gravops commented Mar 15, 2024

I used the document https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param to configure the DH param, but it still shows 1024 bits in sslscan for my site.

On the controller pod I can see:
ingress-nginx-controller-5bc5558b8f-7mr77:/etc/ingress-controller/ssl$ openssl dhparam -noout -text -check -in ingress-nginx-lb-dhparam.pem
DH Parameters: (2048 bit)

Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits

@longwuyuan
Contributor

longwuyuan commented Mar 15, 2024

/remove-kind bug
/kind support
/triage needs-information

The issue description does not show the minimal required info like -

  • k describe pod $controllerpodname -n ingress-nginx
  • k describe cm $ingress-nginx-controller -n ingress-nginx
  • k describe secret $secretname -n ingress-nginx
  • nginx.conf inside pod
  • Other such related info

Edit the issue description and show the info that readers can analyse

@k8s-ci-robot k8s-ci-robot added kind/support Categorizes issue or PR as a support question. triage/needs-information Indicates an issue needs more information in order to work on it. and removed kind/bug Categorizes issue or PR as related to a bug. labels Mar 15, 2024
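The issue body and the maintainer's reply above both come down to the same two questions: is the DH group wired into the controller the way ssl-dh-param expects, and what group does the server actually negotiate. The script below is an added example by the editor, not code from the ingress-nginx project or from the issue author, and the thread itself never names the root cause, so it only shows how to set the parameter and how to verify the result. It assumes the controller ConfigMap is ingress-nginx/ingress-nginx-controller (the --configmap flag shown in the pod description), a secret named lb-dhparam holding the PEM under the key dhparam.pem (the layout the linked ssl-dh-param docs use, which also matches the ingress-nginx-lb-dhparam.pem file name seen in the pod), and that sslscan is run with --no-colour so its lines look like the ones pasted in the issue. The scan and s_client excerpts embedded at the bottom are constructed samples, not live output.

```shell
#!/usr/bin/env bash
# Added example (editor's code, not the ingress-nginx project's or the issue
# author's). Assumptions: controller ConfigMap ingress-nginx/ingress-nginx-controller,
# DH secret lb-dhparam with key dhparam.pem, hosts/ports are placeholders.
set -eu

# --- 1. Wiring the DH group into the controller ---------------------------------
# ssl-dh-param takes "<namespace>/<secret>". The controller writes the secret's
# dhparam.pem to /etc/ingress-controller/ssl/<namespace>-<secret>.pem and emits
# "ssl_dhparam <that path>;" in nginx.conf. Generate the group offline once with:
#   openssl dhparam -out dhparam.pem 2048
dhparam_secret_manifest() {  # $1 namespace, $2 secret name, $3 path to dhparam.pem
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  dhparam.pem: %s\n' \
    "$2" "$1" "$(base64 < "$3" | tr -d '\n')"
}

controller_configmap_patch() {  # $1 namespace, $2 secret name -> JSON merge patch
  printf '{"data":{"ssl-dh-param":"%s/%s"}}' "$1" "$2"
}
# Apply with:
#   dhparam_secret_manifest ingress-nginx lb-dhparam dhparam.pem | kubectl apply -f -
#   kubectl -n ingress-nginx patch configmap ingress-nginx-controller \
#     -p "$(controller_configmap_patch ingress-nginx lb-dhparam)"
# Then confirm the directive was rendered (the nginx.conf check the maintainer asked for):
#   kubectl -n ingress-nginx exec deploy/ingress-nginx-controller -- \
#     grep -n ssl_dhparam /etc/nginx/nginx.conf

# --- 2. What the server actually negotiates -------------------------------------
# Force a finite-field DHE suite and read the ephemeral key size straight from the
# handshake; this is more authoritative than a scanner's summary line:
#   openssl s_client -cipher DHE-RSA-AES256-GCM-SHA384 -connect HOST:443 </dev/null \
#     | dhe_temp_key_bits
# Prints N from "Server Temp Key: DH, N bits", or 0 when no DH temp key is present.
dhe_temp_key_bits() {  # s_client output on stdin
  bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n 1)
  printf '%s\n' "${bits:-0}"
}

# sslscan prints finite-field DHE suites as "... DHE <bits> bits" and ECDHE suites
# as "... Curve <name> DHE <bits>" (no trailing "bits"), so only the former are
# checked. Prints every line whose DHE group is smaller than $1 bits.
weak_dhe_lines() {  # $1 minimum bits; sslscan --no-colour output on stdin
  awk -v min="$1" '
    /DHE [0-9]+ bits$/ {
      for (i = 1; i < NF; i++)
        if ($i == "DHE" && $(i + 1) + 0 < min) { print; break }
    }'
}

count_weak_dhe() {  # $1 minimum bits, $2 scan text -> number of offending lines
  printf '%s\n' "$2" | weak_dhe_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample mirroring the scan pasted in the issue (not live output).
SAMPLE_SCAN='Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits'

# Constructed s_client excerpt for the state the reporter expected to see.
SAMPLE_SCLIENT='Server Temp Key: DH, 2048 bits
Verify return code: 0 (ok)'

if [ "$(count_weak_dhe 2048 "$SAMPLE_SCAN")" -ne 0 ]; then
  echo "DHE group below 2048 bits still offered:"
  printf '%s\n' "$SAMPLE_SCAN" | weak_dhe_lines 2048
fi
echo "negotiated DH size in sample s_client output: $(printf '%s\n' "$SAMPLE_SCLIENT" | dhe_temp_key_bits) bits"
```

The scanner check is deliberately strict about line shape: a DHE-RSA suite reported with "DHE 1024 bits" is a finite-field group, while the "Curve P-256 DHE 256" on an ECDHE line is the curve size and is unrelated to ssl_dhparam, so the two must not be conflated when reading the output pasted above. If grep inside the pod shows no ssl_dhparam line at all, the ConfigMap value or secret key name is the first thing to re-check; if the directive is present but s_client still reports a smaller group, whatever terminates TLS in front of the pod is worth ruling out before looking further at nginx.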
@gravops
Author

gravops commented Mar 15, 2024

Updated comments.

@github-actions
github-actions bot commented Apr 15, 2024

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

@github-actions github-actions bot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Apr 15, 2024
@gravops
Author

gravops commented Apr 15, 2024

Please close this. No longer required.
