Ingress deployment encountering AWS ALB certificate validation error

Hi. I’m trying to deploy an ingress which looks like this:

```
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "shuffle-ingress"
  namespace: "shuffle"
  annotations:
    alb.ingress.kubernetes.io/scheme: 'internet-facing'
    alb.ingress.kubernetes.io/target-type: 'ip'
    alb.ingress.kubernetes.io/group.name: 'my-ingress-group'
    alb.ingress.kubernetes.io/load-balancer-name: 'alb-shared'
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: 'arn:aws:acm:us-east-1:xxxxxxx'
    alb.ingress.kubernetes.io/ssl-policy: 'ELBSecurityPolicy-TLS13-1-2-2021-06'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    external-dns.alpha.kubernetes.io/hostname: shuffle.my-site.com
  labels:
    app: 'shuffle'
spec:
  ingressClassName: 'alb'
  rules:
  - host: 'shuffle.my-site.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: "frontend"
            port:
              number: 80
```


And this is the service of the frontend:


```
apiVersion: v1
kind: Service
metadata:
  namespace: shuffle
  annotations:
    kompose.cmd: kompose convert -f docker-compose.yml
    kompose.version: 1.26.0 (40646f47)
  creationTimestamp: null
  labels:
    io.kompose.service: frontend
  name: frontend
spec:
  type: NodePort
  ports:
    - name: "80"
      port: 80
      targetPort: 80
      nodePort: 30007
    - name: "443"
      port: 443
      targetPort: 443
      nodePort: 30008
  selector:
    io.kompose.service: frontend
# status:
#   loadBalancer: {}
```


It already worked on my ALB, but I started to get this error log on the pod of the AWS LB controller:


```
{"level":"error","ts":"2025-05-26T12:03:37Z","msg":"Reconciler error","controller":"ingress","object":{"name":"my-ingress-group"},"namespace":"","name":"my-ingress-group","reconcileID":"xxxx","error":"operation error Elastic Load Balancing v2: CreateListener, https response error StatusCode: 400, RequestID: c0e3cc8c-xxxxxx, api error ValidationError: Certificate ARN 'arn:aws:acm:us-east-1:xxxxxxxx' is not valid"}
```


I already checked and the ARN is correct on the ingress. And the cert is still valid:


```
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:xxxxxxxxx",
        "DomainName": "*.my-site.com",
        "SubjectAlternativeNames": [
            "*.my-site.com"
        ],
        "DomainValidationOptions": [
            {
                "DomainName": "*.my-site.com",
                "ValidationDomain": "*.my-site.com",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "_xxxxxxxxx.my-site.com.",
                    "Type": "CNAME",
                    "Value": "xxxxxxxxxxx.acm-validations.aws."
                },
                "ValidationMethod": "DNS"
            }
        ],
        "Serial": "XXXXXXXXXXXXXXXXXXXXXXXXX",
        "Subject": "CN=*.my-site.com",
        "Issuer": "Amazon",
        "CreatedAt": "2025-02-13T09:54:45.026000-03:00",
        "IssuedAt": "2025-02-13T09:55:29.153000-03:00",
        "Status": "ISSUED",
        "NotBefore": "2025-02-12T21:00:00-03:00",
        "NotAfter": "2026-03-14T20:59:59-03:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [
            "arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxx:loadbalancer/app/alb-shared/xxxxxxxxxx"
        ],
        "Type": "AMAZON_ISSUED",
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            },
            {
                "Name": "TLS_WEB_CLIENT_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.2"
            }
        ],
        "RenewalEligibility": "ELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "ENABLED"
        }
    }
}
```


Can anyone help me here?

Here are the IAM policy perms:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeTags",
                "ec2:GetCoipPoolUsage",
                "ec2:DescribeCoipPools",
                "ec2:GetSecurityGroupsForVpc",
                "ec2:DescribeIpamPools",
                "ec2:DescribeRouteTables",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTrustStores",
                "elasticloadbalancing:DescribeListenerAttributes",
                "elasticloadbalancing:DescribeCapacityReservation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cognito-idp:DescribeUserPoolClient",
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "iam:ListServerCertificates",
                "iam:GetServerCertificate",
                "waf-regional:GetWebACL",
                "waf-regional:GetWebACLForResource",
                "waf-regional:AssociateWebACL",
                "waf-regional:DisassociateWebACL",
                "wafv2:GetWebACL",
                "wafv2:GetWebACLForResource",
                "wafv2:AssociateWebACL",
                "wafv2:DisassociateWebACL",
                "shield:GetSubscriptionState",
                "shield:DescribeProtection",
                "shield:CreateProtection",
                "shield:DeleteProtection"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateSecurityGroup"
                },
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateTargetGroup"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:DeleteRule"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:RemoveTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:RemoveTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetIpAddressType",
                "elasticloadbalancing:SetSecurityGroups",
                "elasticloadbalancing:SetSubnets",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:ModifyListenerAttributes",
                "elasticloadbalancing:ModifyCapacityReservation",
                "elasticloadbalancing:ModifyIpPools"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticloadbalancing:CreateAction": [
                        "CreateTargetGroup",
                        "CreateLoadBalancer"
                    ]
                },
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets"
            ],
            "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:SetWebAcl",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:SetRulePriorities"
            ],
            "Resource": "*"
        }
    ]
}
```

And here are the logs of the AWS LB controller pod:

```
{"level":"error","ts":"2025-05-26T12:03:08Z","msg":"Reconciler error","controller":"ingress","object":{"name":"my-ingress-group"},"namespace":"","name":"my-ingress-group","reconcileID":"859cf6d2-d287-46b7-ad1d-094889d0ee27","error":"operation error Elastic Load Balancing v2: CreateListener, https response error StatusCode: 400, RequestID: 6ec96d68-3578-4b35-9943-05dcfef52595, api error ValidationError: Certificate ARN 'arn:aws:acm:us-east-1:590183765660:certificate/xxxxxxxxxxx' is not valid"}
{"level":"info","ts":"2025-05-26T12:03:36Z","logger":"controllers.ingress","msg":"Auto Create SG","LB SGs":[{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"},"sg-04b0fd86563027888"],"backend SG":"sg-04b0fd86563027888"}
{"level":"info","ts":"2025-05-26T12:03:36Z","logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"my-ingress-group\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-socmarveladingres-0a3100f263\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]},{\"ipProtocol\":\"tcp\",\"fromPort\":443,\"toPort\":443,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::Listener\":{\"443\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":443,\"protocol\":\"HTTPS\",\"defaultActions\":[{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"contentType\":\"text/plain\",\"statusCode\":\"404\"}}],\"certificates\":[{\"certificateARN\":\"arn:aws:acm:us-east-1:590183765660:certificate/xxxxxxxxxxx\"},{\"certificateARN\":\"arn:aws:acm:us-east-1:590183765660:certificate/xxxxxxxxxxx\"}],\"sslPolicy\":\"ELBSecurityPolicy-TLS13-1-2-2021-06\"}},\"80\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":80,\"protocol\":\"HTTP\",\"defaultActions\":[{\"type\":\"redirect\",\"redirectConfig\":{\"port\":\"443\",\"protocol\":\"HTTPS\",\"statusCode\":\"HTTP_301\"}}]}}},\"AWS::ElasticLoadBalancingV2::ListenerRule\":{\"443:1\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN\"},\"priority\":1,\"actions\":[{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":[{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/shuffle/shuffle-ingress-frontend:80/status/targetGroupARN\"}}]}}],\"conditions\":[{\"field\":\"host-header\",\"hostHeaderConfig\":{\"values\":[\"shuffle.my-site.com\"]}},{\"field\":\"path-pattern\",\"pathPatternConfig\":{\"values\":[\"/*\"]}}]}},\"443:2\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN\"},\"priority\":2,\"actions\":[{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":[{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/wazuh/wazuh-dashboard-ingress-dashboard:80/status/targetGroupARN\"}}]}}],\"conditions\":[{\"field\":\"host-header\",\"hostHeaderConfig\":{\"values\":[\"soc.my-site.com\"]}},{\"field\":\"path-pattern\",\"pathPatternConfig\":{\"values\":[\"/*\"]}}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"alb-shared\",\"type\":\"application\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-xxxxxxxx\"},{\"subnetID\":\"subnet-0fd3eea307a0076fe\"},{\"subnetID\":\"subnet-xxxxxxxx\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-04b0fd86563027888\"]}}},\"AWS::ElasticLoadBalancingV2::TargetGroup\":{\"shuffle/shuffle-ingress-frontend:80\":{\"spec\":{\"name\":\"k8s-shuffle-frontend-d757b8ed08\",\"targetType\":\"ip\",\"port\":80,\"protocol\":\"HTTP\",\"protocolVersion\":\"HTTP1\",\"ipAddressType\":\"ipv4\",\"healthCheckConfig\":{\"port\":\"traffic-port\",\"protocol\":\"HTTP\",\"path\":\"/\",\"matcher\":{\"httpCode\":\"200\"},\"intervalSeconds\":15,\"timeoutSeconds\":5,\"healthyThresholdCount\":2,\"unhealthyThresholdCount\":2}}},\"wazuh/wazuh-dashboard-ingress-dashboard:80\":{\"spec\":{\"name\":\"k8s-wazuh-dashboar-2c58cb1ac3\",\"targetType\":\"ip\",\"port\":5601,\"protocol\":\"HTTP\",\"protocolVersion\":\"HTTP1\",\"ipAddressType\":\"ipv4\",\"healthCheckConfig\":{\"port\":\"traffic-port\",\"protocol\":\"HTTP\",\"path\":\"/\",\"matcher\":{\"httpCode\":\"200,301,302,303\"},\"intervalSeconds\":15,\"timeoutSeconds\":5,\"healthyThresholdCount\":2,\"unhealthyThresholdCount\":2}}}},\"K8S::ElasticLoadBalancingV2::TargetGroupBinding\":{\"shuffle/shuffle-ingress-frontend:80\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-shuffle-frontend-d757b8ed08\",\"namespace\":\"shuffle\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/shuffle/shuffle-ingress-frontend:80/status/targetGroupARN\"},\"targetType\":\"ip\",\"serviceRef\":{\"name\":\"frontend\",\"port\":80},\"networking\":{\"ingress\":[{\"from\":[{\"securityGroup\":{\"groupID\":\"sg-04b0fd86563027888\"}}],\"ports\":[{\"protocol\":\"TCP\",\"port\":80}]}]},\"ipAddressType\":\"ipv4\",\"vpcID\":\"vpc-008d2aad07247272d\"}}}},\"wazuh/wazuh-dashboard-ingress-dashboard:80\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-wazuh-dashboar-2c58cb1ac3\",\"namespace\":\"wazuh\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/wazuh/wazuh-dashboard-ingress-dashboard:80/status/targetGroupARN\"},\"targetType\":\"ip\",\"serviceRef\":{\"name\":\"dashboard\",\"port\":80},\"networking\":{\"ingress\":[{\"from\":[{\"securityGroup\":{\"groupID\":\"sg-04b0fd86563027888\"}}],\"ports\":[{\"protocol\":\"TCP\",\"port\":5601}]}]},\"ipAddressType\":\"ipv4\",\"vpcID\":\"vpc-008d2aad07247272d\"}}}}}}}"}
{"level":"info","ts":"2025-05-26T12:03:37Z","logger":"controllers.ingress","msg":"creating listener","stackID":"my-ingress-group","resourceID":"443"}
{"level":"error","ts":"2025-05-26T12:03:37Z","msg":"Reconciler error","controller":"ingress","object":{"name":"my-ingress-group"},"namespace":"","name":"my-ingress-group","reconcileID":"fa87f145-e274-4305-adfe-80c35d3a0c64","error":"operation error Elastic Load Balancing v2: CreateListener, https response error StatusCode: 400, RequestID: c0e3cc8c-d89a-491a-8efd-955c8d0b3f37, api error ValidationError: Certificate ARN 'arn:aws:acm:us-east-1:590183765660:certificate/xxxxxxxxxxx' is not valid"}
```
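As an added diagnostic (example code written for this thread, not the AWS Load Balancer Controller's own), the Python below reads a "successfully built model" log line like the one above, lists the certificate ARNs the controller is about to hand to CreateListener, and flags the two things ELB rejects as an invalid certificate ARN at that call: a malformed ARN and a certificate issued in a different region than the load balancer. It also reports an ARN listed twice on one listener, the shape the model above shows for listener 443 (two certificate entries redacted to the same placeholder). The log line is constructed and shortened with placeholder account and certificate IDs, and the ALB region is passed in as a parameter because the log does not carry it.

```python
"""Pull certificate ARNs out of the controller's "successfully built model" log
line and sanity-check them before CreateListener (example for this thread)."""
import json
import re

# ACM certificate ARN shape: arn:aws:acm:<region>:<12-digit account>:certificate/<uuid>
ACM_ARN = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):(?P<account>\d{12})"
    r":certificate/(?P<id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)

# Constructed, shortened stand-in for the real log line above: same nesting (the
# model is a JSON string embedded in a JSON log record), placeholder IDs throughout.
SAMPLE_LOG_LINE = json.dumps({
    "level": "info", "ts": "2025-05-26T12:03:36Z", "logger": "controllers.ingress",
    "msg": "successfully built model",
    "model": json.dumps({
        "id": "my-ingress-group",
        "resources": {
            "AWS::ElasticLoadBalancingV2::Listener": {
                "443": {"spec": {"port": 443, "protocol": "HTTPS",
                                 "sslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
                                 "certificates": [
                    {"certificateARN": "arn:aws:acm:us-east-1:111111111111:certificate/"
                                       "0f0f0f0f-1111-2222-3333-444444444444"},
                    {"certificateARN": "arn:aws:acm:us-east-1:111111111111:certificate/"
                                       "0f0f0f0f-1111-2222-3333-444444444444"},  # repeated
                    {"certificateARN": "arn:aws:acm:us-east-1:xxxxxxx"},  # truncated ARN
                ]}},
                "80": {"spec": {"port": 80, "protocol": "HTTP"}},  # redirect-only, no certs
            }
        },
    }),
})


def listener_certificates(log_line):
    """Return {listener resource ID: [certificate ARNs]} from one model log line."""
    record = json.loads(log_line)
    model = json.loads(record["model"])  # the model is itself a JSON-encoded string
    listeners = model["resources"].get("AWS::ElasticLoadBalancingV2::Listener", {})
    return {name: [c["certificateARN"] for c in lst["spec"].get("certificates", [])]
            for name, lst in listeners.items()}


def check_certificate_arns(arns, alb_region):
    """Flag what ELB will not accept on a listener (malformed ARN, certificate in a
    different region than the load balancer) and any ARN repeated on the listener."""
    findings, seen = [], set()
    for arn in arns:
        m = ACM_ARN.match(arn)
        if not m:
            findings.append(f"malformed ACM certificate ARN: {arn}")
            continue
        if m["region"] != alb_region:
            findings.append(f"region mismatch ({m['region']} vs ALB in {alb_region}): {arn}")
        if arn in seen:
            findings.append(f"repeated certificate ARN on listener: {arn}")
        seen.add(arn)
    return findings


if __name__ == "__main__":
    for listener, arns in listener_certificates(SAMPLE_LOG_LINE).items():
        print(listener, arns)
        for finding in check_certificate_arns(arns, "us-east-1"):
            print("  !", finding)
```

To run it against the real controller output, pipe the pod log through `grep '"successfully built model"'` and feed each line to `listener_certificates`, with the region of `alb-shared` as `alb_region`.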