Error 400: The SSL certificate could not be parsed. #294

Closed
svenbovens opened this issue Jun 1, 2018 · 3 comments

svenbovens commented Jun 1, 2018

On all our ingresses on GKE we see the following error:

Type     Reason   Age                From                     Message
----     ------   ----               ----                     -------
Warning  GCE      9m (x40 over 10h)  loadbalancer-controller  googleapi: Error 400: The SSL certificate could not be parsed.

It is not clear from the error what certificate is being talked about (it's also shown on ingresses without TLS termination).

Next to that, creating an ingress no longer seems to automatically open up the firewall for the related node ports, so I can imagine this is related to the above error.

Since we have no access to the master and cannot find any more info with regard to the above, we have no idea how we can recover from this or where to look for more info.

@nicksardo
Contributor

One of your secrets referenced by an ingress must be malformed - check each one. You might be able to look at the activity log in GCP Console to see the name of the certificate which failed to be created. Might point you to the ingress referencing it.

Which k8s master version are you running?
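
The "check each one" step above, as an added example (not part of the thread or of the ingress-gce project): a structural check of the `tls.crt` field of every `kubernetes.io/tls` Secret in the JSON produced by `kubectl get secrets --all-namespaces -o json`. The sample secrets, the `demo` namespace and all function names are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_problem(der):
    """Return None if `der` is exactly one DER SEQUENCE, else the reason."""
    if len(der) < 2 or der[0] != 0x30:
        return "not a DER SEQUENCE"
    n = der[1] & 0x7F if der[1] & 0x80 else 0  # count of long-form length octets
    if (der[1] & 0x80 and n == 0) or n > 4 or len(der) < 2 + n:
        return "bad DER length field"
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return None if 2 + n + length == len(der) else "DER length mismatch"

def cert_problem(b64_value):
    """Check one tls.crt value as stored in a Secret (base64 of PEM text)."""
    try:
        pem = base64.b64decode(b64_value, validate=True).decode("ascii")
        ders = [base64.b64decode("".join(b.split()), validate=True) for b in PEM_RE.findall(pem)]
    except (binascii.Error, UnicodeDecodeError):
        return "not valid base64 / ASCII PEM"
    if not ders:
        return "no PEM CERTIFICATE block"
    return next((p for p in map(der_problem, ders) if p), None)

def audit_tls_secrets(secret_list):
    """Return (namespace, name, problem) for each unparsable kubernetes.io/tls Secret."""
    findings = []
    for item in secret_list.get("items", []):
        if item.get("type") == "kubernetes.io/tls":
            problem = cert_problem(item.get("data", {}).get("tls.crt", ""))
            if problem:
                meta = item["metadata"]
                findings.append((meta["namespace"], meta["name"], problem))
    return findings

def constructed_secret_list():
    """Constructed sample: filler bytes in a DER SEQUENCE, not a real certificate."""
    enc = lambda raw: base64.b64encode(raw).decode()
    der = b"\x30\x82\x01\x00" + bytes(256)
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    texts = {"ok": pem % enc(der), "truncated": pem % enc(der[:200]), "no-armor": enc(der)}
    return {"items": [{"type": "kubernetes.io/tls", "data": {"tls.crt": enc(t.encode())},
                       "metadata": {"namespace": "demo", "name": n}} for n, t in texts.items()]}

if __name__ == "__main__":
    print(*audit_tls_secrets(constructed_secret_list()), sep="\n")
```

A secret that passes is only well-framed PEM and DER; `openssl x509 -noout -in <file>` on the decoded certificate performs the full X.509 parse.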

@svenbovens
Author

Thanks for the tip about the activity log, Nick! There was a sequence of the following events about every minute:

  • Failed:Delete SSL certificate (error message = Not found (HTTP 404): The resource '...' was not found)
  • Create SSL certificate
  • Completed:Create SSL certificate

A bit strange but the certificate pointed to in the details was indeed invalid. After fixing it, the event is gone on the ingresses after about an hour.

This does mean that the "firewall issue" is not related though. I'll open a different issue for that one.
We're on 1.9.7-gke.1 since yesterday, hoping to fix what we now know as the "firewall issue"; before that we were on 1.8.

@svenbovens
Author

I stand corrected, it was related. I just tested creating a new Ingress and the firewall rule is updated properly again with the new port.
