Ingress cert mismatch


Note: This document is applicable for Apigee hybrid users only.

Symptom

An ApigeeIssue with Reason AIS_INGRESS_CERT_MISMATCH is shown when viewing resources in the apigee namespace.

Error messages

After running kubectl -n apigee get apigeeissues, the following error is displayed:

NAME                                          SEVERITY   REASON                      DOCUMENTATION                                                                           AGE
ingress-cert-mismatch-my-org-my-virtualhost   ERROR      AIS_INGRESS_CERT_MISMATCH   https://cloud.google.com/apigee/docs/hybrid/troubleshooting/AIS_INGRESS_CERT_MISMATCH   5h18m

Cause: Ingress cert mismatch

The private key and certificate stored in the Kubernetes secret referenced by an ApigeeRouteConfig do not match.

Diagnosis

Run the following command:

kubectl -n apigee describe apigeeissue ISSUE_NAME

Where ISSUE_NAME is the name of the issue. For example, ingress-cert-mismatch-my-org-my-virtualhost.

Something similar to the following is returned:

Name:         ingress-cert-mismatch-my-org-my-virtualhost
Namespace:    apigee
Labels:       ais-reason=AIS_INGRESS_CERT_MISMATCH
Annotations:  <none>
API Version:  apigee.cloud.google.com/v1alpha1
Kind:         ApigeeIssue
Metadata:
  Creation Timestamp:  2023-06-12T17:03:43Z
  Generation:          1
  Owner References:
    API Version:  apigee.cloud.google.com/v1alpha2
    Kind:         ApigeeOrganization
    Name:         my-org
    UID:          7e83a52c-ce00-4bed-98be-55835ada1817
  Resource Version:  3281563
  UID:               adc775c2-376d-4bf9-9860-500b2b2b8273
Spec:
  Details:        Ingress cert and private key in secret "my-org-my-virtualhost" for ApigeeRouteConfig "my-org-my-virtualhost" do not match
  Documentation:  https://cloud.google.com/apigee/docs/hybrid/troubleshooting/AIS_INGRESS_CERT_MISMATCH
  Reason:         AIS_INGRESS_CERT_MISMATCH
  Severity:       ERROR
Events:           <none>

The Spec.Details field gives the name of the ApigeeRouteConfig that refers to the Kubernetes secret containing the ingress certificate and private key.

Resolution

  1. Use kubectl describe to display the name of the ApigeeRouteConfig which has the mismatched ingress cert and key:

    kubectl -n apigee describe apigeeissue ISSUE_NAME

    Where ISSUE_NAME is the name of the issue. For example, ingress-cert-mismatch-my-org-my-virtualhost.

    In this example, the ApigeeRouteConfig my-org-my-virtualhost is referencing the secret my-org-my-virtualhost.

  2. Determine the virtualhost name from the ApigeeRouteConfig.

    The ApigeeRouteConfig's name is in the format: <Apigee organization>-<virtualhost name>.

    In this example, my-org is the Apigee organization and the virtualhost name is my-virtualhost.

  3. Find the corresponding virtualhost in your overrides.yaml file:

    virtualhosts:
    ...
    - name: my-virtualhost
      selector:
        app: apigee-ingressgateway
      sslCertPath: ./certs/vhost.pem
      sslKeyPath: ./certs/vhost.key
    ...

  4. Validate that the certificate and key files being used match.

    Using the sslCertPath and sslKeyPath from the previous step, validate that the MD5 sums of the certificate modulus and the key modulus match using openssl:

    openssl x509 -noout -modulus -in SSL_CERT_PATH | openssl md5
    openssl rsa -noout -modulus -in SSL_KEY_PATH | openssl md5

    • Where SSL_CERT_PATH is the sslCertPath from the previous step. For example, ./certs/vhost.pem.
    • Where SSL_KEY_PATH is the sslKeyPath from the previous step. For example, ./certs/vhost.key.

    The output of the above two commands should match:

    openssl x509 -noout -modulus -in ./certs/vhost.pem | openssl md5
    MD5(stdin)= 40ba189dbe9d6fbfbdde1a8ef803d2d4
    openssl rsa -noout -modulus -in ./certs/vhost.key | openssl md5
    MD5(stdin)= 40ba189dbe9d6fbfbdde1a8ef803d2d4

  5. If the output from the previous commands did not match, use one of the following methods to correct the problem:

    • Update the virtualhost's sslCertPath and sslKeyPath to point to the correct file paths.
    • Fix the sslCertPath or sslKeyPath file contents to contain the correct matching certificate and key pair.

  6. Apply the changes to the virtualhost using Helm:

    helm upgrade ENV_GROUP_NAME apigee-virtualhost/ \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      --set envgroup=ENV_GROUP_NAME \
      -f OVERRIDES_FILE

    Make sure to include all of the settings shown, including --atomic so that the action rolls back on failure.
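The check in step 4 as a reusable script, added here as an example and not part of the Apigee documentation. It generalizes the modulus comparison: instead of openssl rsa -modulus (which fails on EC keys), it hashes the DER-encoded public key taken from the certificate and derived from the private key, so it works for RSA and EC pairs alike. The function names, the use of the file paths from sslCertPath/sslKeyPath, and the tls.crt/tls.key key names in the secret are assumptions.

```shell
#!/bin/sh
# cert_key_match CERT KEY
# Returns 0 when the public key embedded in CERT equals the public key derived
# from KEY, 1 otherwise (including unreadable files). Works for RSA and EC.
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl sha256 | awk '{print $NF}')
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
    | openssl sha256 | awk '{print $NF}')
  [ -n "$cert_pub" ] && [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_vhost_files CERT_PATH KEY_PATH
# Reports the result for the files named by a virtualhost's sslCertPath and
# sslKeyPath in overrides.yaml. Returns 0 on match, 1 on mismatch.
check_vhost_files() {
  if cert_key_match "$1" "$2"; then
    echo "OK: $1 and $2 are a matching pair"
  else
    echo "MISMATCH: $1 does not match $2 (fix the paths or file contents)"
    return 1
  fi
}

# check_secret SECRET_NAME
# Same comparison against what is actually deployed in the cluster (assumed:
# a kubernetes.io/tls secret in the apigee namespace with tls.crt/tls.key).
check_secret() {
  tmp=$(mktemp -d) || return 1
  kubectl -n apigee get secret "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$tmp/tls.crt"
  kubectl -n apigee get secret "$1" -o jsonpath='{.data.tls\.key}' | base64 -d > "$tmp/tls.key"
  check_vhost_files "$tmp/tls.crt" "$tmp/tls.key"; rc=$?
  rm -rf "$tmp"
  return $rc
}

# Usage: ./check.sh ./certs/vhost.pem ./certs/vhost.key
if [ "$#" -eq 2 ]; then
  check_vhost_files "$1" "$2"
fi
```

Run it against the files from step 3 before the helm upgrade in step 6, and against the secret afterwards to confirm the deployed pair is consistent.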

Must gather diagnostic information

If the problem persists even after following the above instructions, gather the following diagnostic information and then contact Google Cloud Customer Care:

  1. The Google Cloud Project ID.
  2. The name of the Apigee hybrid organization.
  3. The Spec.Details field of the ApigeeIssue.
  4. (optional) Files referenced by sslCertPath and sslKeyPath for the affected virtualhost.


Last updated 2026-02-05 UTC.