Add nginx ingress SSL certificate crisis detection (#100)

elskow · web-flow · commit 34ee3d0cab1a · 2025-07-23T09:57:57.000-05:00
* feat(rules): add nginx ingress SSL certificate crisis detection

Add new rule CRE-2025-0120 to detect critical SSL certificate failures in NGINX Ingress Controllers

* chore: rename into failure instead of crisis
diff --git a/rules/cre-2025-0121/nginx-ingress-ssl-failure.yaml b/rules/cre-2025-0121/nginx-ingress-ssl-failure.yaml
@@ -0,0 +1,93 @@
+rules:
+  - cre:
+      id: CRE-2025-0120
+      severity: 0
+      title: NGINX Ingress Controller SSL Certificate Failure
+      category: load-balancer-problems
+      author: Prequel
+      description: |
+        Critical NGINX Ingress Controller SSL certificate validation failure detected. This pattern indicates
+        cascading SSL failures where certificate verification errors lead to upstream connection failures
+        and service unavailability. The failure sequence shows SSL handshake failures, certificate verification
+        errors, and resulting HTTP error responses that affect client connectivity.
+      cause: |
+        - SSL certificate expiration without renewal
+        - Invalid or self-signed certificates in production
+        - Broken certificate chain or missing intermediate certificates
+        - Certificate authority (CA) bundle misconfiguration
+        - Certificate hostname mismatch (CN/SAN validation failure)
+        - Upstream services using untrusted or expired certificates
+        - SSL/TLS protocol version incompatibility
+        - Certificate revocation or CA compromise
+        - Misconfigured SSL verification settings
+        - Network time synchronization issues affecting certificate validity
+      impact: |
+        - CRITICAL: Complete service unavailability for SSL-enabled endpoints
+        - All HTTPS traffic fails with SSL handshake errors
+        - Client applications receive 502 Bad Gateway or 503 Service Unavailable responses
+        - Loss of secure communication channels and encrypted data transmission
+        - Potential security exposure if SSL verification is disabled as workaround
+        - Cascading failures across SSL-dependent microservices
+        - Browser security warnings and user trust degradation
+        - API integrations and automated systems fail due to SSL verification
+        - Revenue loss from e-commerce and secure transaction failures
+        - Compliance violations for systems requiring encrypted communication
+      impactScore: 10
+      tags:
+        - nginx
+        - ingress-controller
+        - ssl-certificate
+        - tls-handshake
+        - certificate-verification
+        - load-balancer
+        - kubernetes
+        - security
+        - high-availability
+        - service-unavailability
+      mitigation: |
+        IMMEDIATE ACTIONS:
+        - Check SSL certificate expiration: `openssl x509 -in cert.pem -text -noout | grep -A2 Validity`
+        - Verify certificate chain: `openssl verify -CAfile ca-bundle.pem server.crt`
+        - Test SSL connectivity: `openssl s_client -connect hostname:443 -servername hostname`
+        - Check NGINX SSL configuration: `nginx -t && nginx -s reload`
+        - Monitor SSL handshake errors in real-time: `tail -f /var/log/nginx/error.log | grep SSL`
+
+        RECOVERY STEPS:
+        1. Replace expired/invalid certificates with valid ones
+        2. Update certificate chain with proper intermediate certificates
+        3. Verify CA bundle contains trusted root certificates
+        4. Restart NGINX Ingress Controller: `kubectl rollout restart deployment/nginx-ingress-controller`
+        5. Test SSL endpoints: `curl -v https://your-domain.com/health`
+        6. Monitor certificate auto-renewal processes
+
+        PREVENTION:
+        - Implement automated certificate monitoring and alerting
+        - Set up certificate auto-renewal with cert-manager or similar tools
+        - Configure certificate expiration alerts (30, 7, 1 days before expiry)
+        - Implement SSL health checks in monitoring systems
+        - Use certificate transparency monitoring for unauthorized certificates
+        - Regular SSL configuration audits and security scans
+        - Implement proper certificate lifecycle management
+        - Set up backup certificate authorities and failover mechanisms
+      references:
+        - https://kubernetes.github.io/ingress-nginx/user-guide/tls/
+        - https://nginx.org/en/docs/http/ngx_http_ssl_module.html
+        - https://cert-manager.io/docs/
+        - https://www.openssl.org/docs/man1.1.1/man1/verify.html
+        - https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+      applications:
+        - name: nginx-ingress-controller
+          version: ">= 1.0.0"
+        - name: nginx
+          version: ">= 1.15.0"
+      mitigationScore: 7
+    metadata:
+      gen: 1
+      id: L67VM4E8FeoKezgjWfo9gt
+      kind: prequel
+    rule:
+      set:
+        event:
+          source: cre.log.nginx
+        match:
+          - regex: "SSL.*certificate.*verify.*failed|SSL.*handshake.*failed|certificate.*verify.*error|upstream.*SSL.*certificate.*verify.*failed|SSL.*connect.*error|upstream.*ssl.*handshake|502.*Bad.*Gateway|503.*Service.*Unavailable|upstream.*timed.*out.*SSL"
diff --git a/rules/cre-2025-0121/test.log b/rules/cre-2025-0121/test.log
@@ -0,0 +1,38 @@
+2024/07/01 14:30:15 [error] 123#123: *456 SSL certificate verify failed (18: self signed certificate) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/status HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/status", host: "api.example.com"
+2024/07/01 14:30:15 [error] 123#123: *456 upstream SSL certificate verify failed (18: self signed certificate) while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/status HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/status", host: "api.example.com"
+2024/07/01 14:30:16 [error] 123#123: *789 SSL connect error while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/data HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/data", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:16 +0000] "GET /api/v1/status HTTP/1.1" 502 157 "-" "curl/8.7.1" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="502" upstream_response_time="0.005"
+2024/07/01 14:30:17 [error] 123#123: *890 SSL handshake failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /health HTTP/1.1", upstream: "https://172.20.0.3:443/health", host: "api.example.com"
+2024/07/01 14:30:17 [error] 123#123: *890 upstream SSL certificate verify failed (20: unable to get local issuer certificate) while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /health HTTP/1.1", upstream: "https://172.20.0.3:443/health", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:17 +0000] "GET /health HTTP/1.1" 502 Bad Gateway 157 "-" "curl/8.7.1" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="502" upstream_response_time="0.003"
+2024/07/01 14:30:18 [error] 123#123: *901 certificate verify error: (10:certificate has expired) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/secure HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/secure", host: "api.example.com"
+2024/07/01 14:30:18 [error] 123#123: *901 SSL connect error (certificate verify failed) while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/secure HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/secure", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:18 +0000] "GET /api/v1/secure HTTP/1.1" 503 Service Unavailable 157 "-" "curl/8.7.1" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="503" upstream_response_time="0.002"
+2024/07/01 14:30:19 [error] 123#123: *912 SSL certificate verify failed (19: self signed certificate in certificate chain) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/data HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/data", host: "api.example.com"
+2024/07/01 14:30:19 [error] 123#123: *912 upstream SSL certificate verify failed (19: self signed certificate in certificate chain) while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/data HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/data", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:19 +0000] "GET /api/v1/data HTTP/1.1" 502 Bad Gateway 157 "-" "curl/8.7.1" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="502" upstream_response_time="0.004"
+2024/07/01 14:30:20 [error] 123#123: *923 SSL handshake failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown) while SSL handshaking to upstream, client: 10.244.0.1, server: web.example.com, request: "GET / HTTP/1.1", upstream: "https://172.20.0.4:443/", host: "web.example.com"
+2024/07/01 14:30:20 [error] 123#123: *923 SSL connect error (handshake failure) while connecting to upstream, client: 10.244.0.1, server: web.example.com, request: "GET / HTTP/1.1", upstream: "https://172.20.0.4:443/", host: "web.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:20 +0000] "GET / HTTP/1.1" 503 Service Unavailable 157 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.4:443" upstream_status="503" upstream_response_time="0.001"
+2024/07/01 14:30:21 [error] 123#123: *934 certificate verify error: (62:hostname mismatch) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "POST /api/v1/submit HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/submit", host: "api.example.com"
+2024/07/01 14:30:21 [error] 123#123: *934 upstream SSL certificate verify failed (62: hostname mismatch) while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "POST /api/v1/submit HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/submit", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:21 +0000] "POST /api/v1/submit HTTP/1.1" 502 Bad Gateway 157 "-" "curl/8.7.1" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="502" upstream_response_time="0.006"
+2024/07/01 14:30:22 [error] 123#123: *945 SSL certificate verify failed (21: unable to verify the first certificate) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/metrics HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/metrics", host: "api.example.com"
+2024/07/01 14:30:22 [error] 123#123: *945 SSL connect error (certificate chain verification failed) while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/metrics HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/metrics", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:22 +0000] "GET /api/v1/metrics HTTP/1.1" 503 Service Unavailable 157 "-" "Prometheus/2.45.0" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="503" upstream_response_time="0.002"
+2024/07/01 14:30:23 [error] 123#123: *956 upstream timed out (110: Connection timed out) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/slow HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/slow", host: "api.example.com"
+2024/07/01 14:30:23 [error] 123#123: *956 upstream timed out SSL while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/slow HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/slow", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:23 +0000] "GET /api/v1/slow HTTP/1.1" 502 Bad Gateway 157 "-" "curl/8.7.1" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="502" upstream_response_time="5.001"
+2024/07/01 14:30:24 [error] 123#123: *967 SSL handshake failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/legacy HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/legacy", host: "api.example.com"
+2024/07/01 14:30:24 [error] 123#123: *967 upstream SSL handshake failed (no shared cipher) while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/legacy HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/legacy", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:24 +0000] "GET /api/v1/legacy HTTP/1.1" 503 Service Unavailable 157 "-" "curl/8.7.1" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="503" upstream_response_time="0.003"
+2024/07/01 14:30:25 [error] 123#123: *978 certificate verify error: (9:certificate is not yet valid) while SSL handshaking to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/future HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/future", host: "api.example.com"
+2024/07/01 14:30:25 [error] 123#123: *978 SSL connect error (certificate not yet valid) while connecting to upstream, client: 10.244.0.1, server: api.example.com, request: "GET /api/v1/future HTTP/1.1", upstream: "https://172.20.0.3:443/api/v1/future", host: "api.example.com"
+10.244.0.1 - - [01/Jul/2024:14:30:25 +0000] "GET /api/v1/future HTTP/1.1" 502 Bad Gateway 157 "-" "curl/8.7.1" ssl_protocol="TLSv1.3" ssl_cipher="TLS_AES_256_GCM_SHA384" upstream_addr="172.20.0.3:443" upstream_status="502" upstream_response_time="0.004"
+
+# Backend API Logs
+backend-api_1  | 2024/07/01 14:30:15 [error] 25#25: *1 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca) while SSL handshaking, client: 172.20.0.2, server: 0.0.0.0:443
+2024/07/01 14:30:16 [error] 25#25: *2 no suitable peer certificate available while SSL handshaking, client: 172.20.0.2, server: 0.0.0.0:443
+2024/07/01 14:30:17 [error] 25#25: *3 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown) while SSL handshaking, client: 172.20.0.2, server: 0.0.0.0:443
+2024/07/01 14:30:18 [error] 25#25: *4 SSL_do_handshake() failed (SSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired) while SSL handshaking, client: 172.20.0.2, server: 0.0.0.0:443
+2024/07/01 14:30:19 [error] 25#25: *5 SSL_do_handshake() failed (SSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied) while SSL handshaking, client: 172.20.0.2, server: 0.0.0.0:443
diff --git a/rules/tags/tags.yaml b/rules/tags/tags.yaml
@@ -345,6 +345,9 @@ tags:
   - name: nginx
     displayName: Nginx
     description: Problems related to Nginx, such as weak ciphers, configuration errors, or performance issues
+  - name: ingress-controller
+    displayName: Ingress Controller
+    description: Problems related to Kubernetes Ingress Controllers, such as SSL certificate validation failures, routing issues, or backend connectivity problems
   - name: tls
     displayName: TLS
     description: Problems related to TLS, such as weak ciphers, configuration errors, or performance issues
@@ -818,6 +821,12 @@ tags:
   - name: critical-failure
     displayName: Critical Failure
     description: Failures that cause immediate service termination or data loss
-  - name: ingress-controller
-    displayName: Ingress Controller
-    description: Problems related to Kubernetes Ingress Controllers, such as SSL certificate validation failures, routing issues, or backend connectivity problems
+  - name: ssl-certificate
+    displayName: SSL Certificate
+    description: Problems related to SSL/TLS certificate validation, expiration, trust chain issues, or handshake failures
+  - name: tls-handshake
+    displayName: TLS Handshake
+    description: Problems during TLS/SSL handshake process including cipher negotiation, protocol version mismatches, and connection establishment failures
+  - name: certificate-verification
+    displayName: Certificate Verification
+    description: Issues with SSL/TLS certificate verification including trust chain validation, certificate authority verification, and hostname matching
