Deploying own TLS certs on a broker that is deployed on AKS (K8S in azure)

Patrick P
Patrick P Member Posts: 1

Hi all together,
I tried to achieve following:
Having custom TLS certificates on our Solace broker that is deployed on an Azure Kubernetes Service (AKS) cluster. This is due to the requirement that only internal traffic is allowed for internal customers of our Solace broker. We have a k8s load balancer that routes all the traffic from our private IP address range to the broker.
To achieve the requirement I tried the NGINX ingress, but that led to nowhere since the ingress can handle only ports 443 and 80. The next step was trying to install the certificate on the broker and having the layer 4 load balancer forward everything accordingly.
Done that with https://docs.solace.com/Configuring-and-Managing/Managing-Server-Certs.htm
Now we get an error inside the broker that states: ({string} is a placeholder that was modified by me)
2021-05-06T09:53:48.825+00:00 <local3.info> developer-production-{string}-solace-primary-0 event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (Connection closed by remote host); connection to {broker cluster ip}:1443 from {Kubernetes proxy IP}:5823
Has any of you done such a setup? If so, did you run into the same or other issues? What would you suggest investigating next?
If more info is required: I am happy to share it with you.
Best wishes,
Patrick
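As an added example (not part of the original post), here is a small shell helper that takes broker event lines in the format quoted above and answers the first question a defender would ask about these SYSTEM_SSL_CONNECTION_REJECTED events: which source address is closing the connections, and how often. One source address at a steady cadence (for example a load balancer health probe that opens the TCP port and closes it without starting a TLS handshake) looks very different from many client addresses failing, which points at a trust or certificate problem on the client side. The log lines below are constructed samples in the same format; the IP addresses, pod name and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SSL_CONNECTION_REJECTED events
# per source address. Portable to sh/bash with grep, sed, sort, uniq and awk.
set -e

# Constructed sample log: three rejections from one proxy address at a fixed
# interval, and one from a different address. Not real data.
SAMPLE_LOG='2021-05-06T09:53:48.825+00:00 <local3.info> developer-production-example-solace-primary-0 event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (Connection closed by remote host); connection to 10.0.0.20:1443 from 10.240.0.5:5823
2021-05-06T09:53:58.831+00:00 <local3.info> developer-production-example-solace-primary-0 event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (Connection closed by remote host); connection to 10.0.0.20:1443 from 10.240.0.5:5871
2021-05-06T09:54:01.102+00:00 <local3.info> developer-production-example-solace-primary-0 event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (Connection closed by remote host); connection to 10.0.0.20:1443 from 10.240.1.17:44120
2021-05-06T09:54:08.829+00:00 <local3.info> developer-production-example-solace-primary-0 event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (Connection closed by remote host); connection to 10.0.0.20:1443 from 10.240.0.5:5902'

# rejection_summary: reads event lines on stdin, prints "count source_ip reason",
# most frequent source first. Only rejection events are considered.
rejection_summary() {
  grep 'SYSTEM_SSL_CONNECTION_REJECTED' \
  | sed -E 's/.*reason \((.*)\);.* from ([0-9.]+):[0-9]+$/\2 \1/' \
  | sort | uniq -c | sort -rn
}

# rejection_times SOURCE_IP: prints the timestamps of rejections from one
# source so the cadence can be compared with a probe interval.
rejection_times() {
  grep 'SYSTEM_SSL_CONNECTION_REJECTED' | grep " from $1:" | awk '{print $1}'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | rejection_summary
printf '%s\n' "$SAMPLE_LOG" | rejection_times 10.240.0.5
```

Feed the real broker log in on stdin instead of the constructed sample (for example `kubectl logs <pod> | rejection_summary`, pod name to be filled in). If the top source is the Kubernetes proxy address from your own event line and the timestamps repeat at one interval, compare that interval with the load balancer's health probe settings before changing anything on the broker.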

Comments

  • uherbst
    uherbst Member, Employee Posts: 121 Solace Employee
    edited May 2021 #2

    Hi Patrick,
    so your idea is: do TLS on the broker, and the load balancer just forwards TCP connections to the broker TLS port?
    This is an absolutely valid idea and should work (seen that many times before).

    To debug your issue:
    Start with debugging your TLS connection with openssl:
    openssl s_client -connect <host>:<port>
    (any broker port that does TLS should work: SMF/SEMP/MQTT/whatever).
    If the TLS handshake is successful, openssl should output details, e.g. the server certificate and much more information.
    Does that work for you?

    (Details for doing that you can find in my article: https://solace.community/discussion/510/how-to-test-tls-connection-and-server-certificate)

    Uli
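As an added example (not part of the reply above or of any Solace tooling), the following script rehearses the openssl s_client check against a throw-away local TLS listener, so the steps can be tried offline before pointing them at the broker's TLS port. It goes slightly beyond the one-line command: it sends SNI with -servername, verifies the chain against a CA file, checks that the certificate's subjectAltName covers the name clients will use, and prints the validity dates. The port number, the hostname broker.internal.example and the self-signed certificate are constructed; OpenSSL 1.0.2 or newer is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse "openssl s_client" against a
# local stand-in for the broker's TLS port, then reuse tls_check on the real one.
set -e

WORK=$(mktemp -d)
PORT=14443                      # constructed: any free local port
NAME=broker.internal.example    # constructed: the name clients use via the L4 load balancer

# 1. Self-signed server certificate with a SAN for $NAME (stands in for the broker cert).
#    SAN is set through a config file so this works on OpenSSL versions without -addext.
cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $NAME
[ext]
subjectAltName = DNS:$NAME
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/san.cnf" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# 2. Local TLS listener playing the role of the broker's TLS port (-www so it
#    completes the handshake without needing anything on stdin).
openssl s_server -www -quiet -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
  </dev/null >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill $SERVER_PID 2>/dev/null; rm -rf "$WORK"' EXIT
for _ in 1 2 3 4 5; do   # wait until the listener accepts connections
  openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && break
  sleep 1
done

# tls_check HOST PORT SNI_NAME CAFILE
# Prints subject, validity dates, SAN entries and the verify result; returns 0
# only when the handshake completed and chain + hostname verified against CAFILE.
tls_check() {
  host=$1; port=$2; sni=$3; cafile=$4
  # -servername sends SNI, -CAfile supplies the trust anchor,
  # -verify_hostname checks the SAN (or CN) against the name clients will use.
  out=$(echo | openssl s_client -connect "$host:$port" -servername "$sni" \
          -CAfile "$cafile" -verify_hostname "$sni" 2>&1) || true
  printf '%s\n' "$out" | openssl x509 -noout -subject -dates 2>/dev/null || true
  printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null | grep -o 'DNS:[^,]*' || true
  printf '%s\n' "$out" | grep 'Verify return code' || true
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone run: the name in the SAN verifies, a different name does not.
tls_check 127.0.0.1 "$PORT" "$NAME" "$WORK/cert.pem"
tls_check 127.0.0.1 "$PORT" "wrong.internal.example" "$WORK/cert.pem" || echo "hostname mismatch, as expected"
```

Against the real broker, call `tls_check <lb-address> 1443 <name-clients-use> <your-ca.pem>` with your own values. Three results are worth distinguishing: no "Verify return code" line at all means the TCP connection was accepted but the TLS handshake did not complete (the listener or the load balancer forwarding is the place to look); a non-zero verify code means the handshake worked but the certificate does not chain to the CA file or its SAN does not match the name used; 0 (ok) means the path through the load balancer to the broker's TLS port is sound and a client that still fails is mistrusting the CA or using another name.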