🚀 Knowledge Base Beta
Preview our redesigned Knowledge Base. Click here to try it and give us your feedback! Your input helps us improve

How to enable TLSv1 TLSv1.1 on ingress nginx

This document (000021887) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.x
Ingress-Nginx >=2.3.3

Situation

Ingress-Nginx controller versions 2.3.3 and later removed support for TLS 1.0 and TLS 1.1. These versions default to using only TLS 1.2 and TLS 1.3

Resolution

NOTE: These protocols have been disabled as they are deemed insecure. Enabling them can put you at risk. Do so with caution.

Login to the Rancher UI, select the desired downstream cluster from Cluster Management.
For the desired downstream cluster, click on More options >> Edit Config >> Additional Manifest and provide the below HelmChartConfig for 'rke2-ingress-nginx' in this section and click on "Save".

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
        ssl-ciphers": "@SECLEVEL=0 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

Note we have added the TLS versions 1 and 1.1 to the protocols as well as @SECLEVEL=0 to the ssl-cipher suites
Alternatively, this configuration can be provided in the manifest file '/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml' on each RKE2 server node followed by a 'rke2-server' service restart.

The TLS version can be confirmed by running the command below:

# kubectl -n kube-system exec -it rke2-ingress-nginx-controller-xxxx -- /dbg conf|grep -i tls

The TLS version can be verified by running a curl command to the service:
```
 # curl -v https://<service_url>
```

Cause

TLSv1 and TLSv1.1 are considered insecure and depreciated and as a result have been disabled by default in Ingress-Nginx controller versions 2.3.3 and later.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

Document ID:000021887
Creation Date: 25-Jun-2025
Modified Date:11-Sep-2025
- SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Report a Software Vulnerability

Go to Customer Center

SUSE Support

Here When You Need Us

🚀 Knowledge Base Beta Preview our redesigned Knowledge Base. Click here to try it and give us your feedback! Your input helps us improve