Stay organized with collectionsSave and categorize content based on your preferences.
You're viewingApigeeandApigee hybriddocumentation. There is no equivalentApigee Edgedocumentation for this topic.
Symptom
AnApigeeIssuewithReasonAIS_INGRESS_CERT_MISMATCHis
shown when viewing resources in theapigeenamespace.
Error messages
After runningkubectl -n apigee get apigeeissues, the following error is displayed:
NAME SEVERITY REASON DOCUMENTATION AGE
ingress-cert-mismatch-my-org-my-virtualhost ERROR AIS_INGRESS_CERT_MISMATCH https://cloud.google.com/apigee/docs/hybrid/troubleshooting/AIS_INGRESS_CERT_MISMATCH 5h18m
Cause: Ingress cert mismatch
The private key and certificate stored in the Kubernetes secret referenced by anApigeeRouteConfigdo not match.
Diagnosis
Run the following command:
kubectl -n apigee describe apigeeissueISSUE_NAME
WhereISSUE_NAMEis the name of the issue. For example,ingress-cert-mismatch-my-org-my-virtualhost.
The contents ofSpec.Detailsexplains the name of theApigeeRouteConfigthat refers to the Kubernetes secret containing the ingress
certificate and private key.
Resolution
Usekubectl describeto display the name of theApigeeRouteConfigwhich has the mismatched ingress cert and key:
kubectl -n apigee describe apigeeissueISSUE_NAME
WhereISSUE_NAMEis the name of the issue. For example,ingress-cert-mismatch-my-org-my-virtualhost.
In this example, theApigeeRouteConfigmy-org-my-virtualhostis
referencing the secretmy-org-my-virtualhost.
Determine thevirtualhostname from theApigeeRouteConfig.
TheApigeeRouteConfig's name is in the format:<Apigee organization>-<virtualhost name>.
In this example,my-orgis the Apigee organization and the virtualhost name ismy-virtualhost.
Find the corresponding virtualhost in youroverrides.yamlfile:
Make sure to include all of the settings shown, including--atomicso that the action rolls back on failure.
Must gather diagnostic information
If the problem persists even after following the above instructions, gather
the following diagnostic information and then contactGoogle Cloud Customer Care:
The Google Cloud Project ID.
The name of the Apigee hybrid organization.
TheSpec.Detailsfield of theApigeeIssue.
(optional) Files referenced bysslCertPathandsslKeyPathfor the
affected virtualhost.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis document addresses the \u003ccode\u003eAIS_INGRESS_CERT_MISMATCH\u003c/code\u003e error in Apigee hybrid environments, which occurs when the private key and certificate within a Kubernetes secret do not match.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eApigeeIssue\u003c/code\u003e resource, when viewed using \u003ccode\u003ekubectl -n apigee get apigeeissues\u003c/code\u003e, displays this error along with a link to relevant documentation, indicating the mismatch between the ingress certificate and private key.\u003c/p\u003e\n"],["\u003cp\u003eThe issue is diagnosed using \u003ccode\u003ekubectl -n apigee describe apigeeissue ISSUE_NAME\u003c/code\u003e to find the \u003ccode\u003eApigeeRouteConfig\u003c/code\u003e and its associated secret, with the output showing the mismatched certificate and key.\u003c/p\u003e\n"],["\u003cp\u003eResolution involves identifying the \u003ccode\u003evirtualhost\u003c/code\u003e from the \u003ccode\u003eApigeeRouteConfig\u003c/code\u003e's name in the format \u003ccode\u003e<Apigee organization>-<virtualhost name>\u003c/code\u003e, validating that the certificate and key files in the \u003ccode\u003eoverrides.yaml\u003c/code\u003e file match using \u003ccode\u003eopenssl\u003c/code\u003e, and correcting any discrepancies by updating file paths or fixing the file contents.\u003c/p\u003e\n"],["\u003cp\u003eIf you're still having issues, you can use the diagnostic information listed to contact Google Cloud Customer Care.\u003c/p\u003e\n"]]],[],null,["# Ingress cert mismatch\n\n*You're viewing **Apigee** and **Apigee hybrid** documentation.\nThere is no equivalent\n[Apigee Edge](https://docs.apigee.com/api-platform/get-started/get-started) documentation for this topic.*\n| **Note:** This document is applicable for Apigee hybrid users only.\n\n\u003cbr /\u003e\n\nSymptom\n-------\n\n\nAn `ApigeeIssue` with `Reason` `AIS_INGRESS_CERT_MISMATCH` is\nshown when viewing resources in the `apigee` namespace.\n\nError messages\n--------------\n\n\nAfter running `kubectl -n apigee get apigeeissues`, the following error is displayed: \n\n```scdoc\nNAME SEVERITY REASON DOCUMENTATION AGE\ningress-cert-mismatch-my-org-my-virtualhost ERROR AIS_INGRESS_CERT_MISMATCH https://cloud.google.com/apigee/docs/hybrid/troubleshooting/AIS_INGRESS_CERT_MISMATCH 5h18m\n```\n\nCause: Ingress cert mismatch\n----------------------------\n\n\nThe private key and certificate stored in the Kubernetes secret referenced by an\n`ApigeeRouteConfig` do not match.\n\n### Diagnosis\n\n\nRun the following command: \n\n```\nkubectl -n apigee describe apigeeissue ISSUE_NAME\n```\n\n\nWhere \u003cvar translate=\"no\"\u003eISSUE_NAME\u003c/var\u003e is the name of the issue. For example,\n`ingress-cert-mismatch-my-org-my-virtualhost`.\n\n\nSomething similar to the following is returned: \n\n```vb.net\nName: ingress-cert-mismatch-my-org-my-virtualhost\nNamespace: apigee\nLabels: ais-reason=AIS_INGRESS_CERT_MISMATCH\nAnnotations: \u003cnone\u003e\nAPI Version: apigee.cloud.google.com/v1alpha1\nKind: ApigeeIssue\nMetadata:\n Creation Timestamp: 2023-06-12T17:03:43Z\n Generation: 1\n Owner References:\n API Version: apigee.cloud.google.com/v1alpha2\n Kind: ApigeeOrganization\n Name: my-org\n UID: 7e83a52c-ce00-4bed-98be-55835ada1817\n Resource Version: 3281563\n UID: adc775c2-376d-4bf9-9860-500b2b2b8273\nSpec:\n Details: Ingress cert and private key in secret \"my-org-my-virtualhost\" for ApigeeRouteConfig \"my-org-my-virtualhost\" do not match\n Documentation: https://cloud.google.com/apigee/docs/hybrid/troubleshooting/AIS_INGRESS_CERT_MISMATCH\n Reason: AIS_INGRESS_CERT_MISMATCH\n Severity: ERROR\nEvents: \u003cnone\u003e\n``` \n\n```actionscript-3\nSpec:\n Details: Ingress cert and private key in secret \"my-org-my-virtualhost\" for ApigeeRouteConfig \"my-org-my-virtualhost\" do not match\n```\n\n\nThe contents of `Spec.Details` explains the name of the\n`ApigeeRouteConfig` that refers to the Kubernetes secret containing the ingress\ncertificate and private key.\n\n### Resolution\n\n1.\n Use `kubectl describe` to display the name of the `ApigeeRouteConfig`\n which has the mismatched ingress cert and key:\n\n ```\n kubectl -n apigee describe apigeeissue ISSUE_NAME\n ```\n\n\n Where \u003cvar translate=\"no\"\u003eISSUE_NAME\u003c/var\u003e is the name of the issue. For example,\n `ingress-cert-mismatch-my-org-my-virtualhost`.\n\n\n In this example, the `ApigeeRouteConfig` `my-org-my-virtualhost` is\n referencing the secret `my-org-my-virtualhost`.\n2.\n Determine the `virtualhost` name from the `ApigeeRouteConfig`.\n\n\n The `ApigeeRouteConfig`'s name is in the format:\n `\u003cApigee organization\u003e-\u003cvirtualhost name\u003e`.\n\n\n In this example, `my-org` is the Apigee organization and the virtualhost name is\n `my-virtualhost`.\n3. Find the corresponding virtualhost in your `overrides.yaml` file:\n\n ```\n virtualhosts:\n ...\n - name: my-virtualhost\n selector:\n app: apigee-ingressgateway\n sslCertPath: ./certs/vhost.pem\n sslKeyPath: ./certs/vhost.key\n ...\n ```\n4. Validate that the certificate and key files being used match.\n\n\n Using the `sslCertPath` and `sslKeyPath` from the previous step,\n validate the MD5 sums match using `openssl`: \n\n ```\n openssl x509 -noout -modulus -in SSL_CERT_PATH | openssl md5\n ``` \n\n ```\n openssl rsa -noout -modulus -in SSL_KEY_PATH | openssl md5\n ```\n\n\n - Where \u003cvar translate=\"no\"\u003eSSL_CERT_PATH\u003c/var\u003e is the `sslCertPath` from the previous step. For example, `./certs/vhost.pem`.\n - Where \u003cvar translate=\"no\"\u003eSSL_KEY_PATH\u003c/var\u003e is the `sslKeyPath` from the previous step. For example, `./certs/vhost.key`.\n\n \u003cbr /\u003e\n\n The output of the above two commands should match: \n\n ```\n openssl x509 -noout -modulus -in ./certs/vhost.pem | openssl md5\n MD5(stdin)= 40ba189dbe9d6fbfbdde1a8ef803d2d4\n ``` \n\n ```\n openssl rsa -noout -modulus -in ./certs/vhost.key | openssl md5\n MD5(stdin)= 40ba189dbe9d6fbfbdde1a8ef803d2d4\n ```\n5.\n If the output from the previous commands did not match, use one of the following methods to\n correct the problem:\n\n - Update the virtualhost's `sslCertPath` and `sslKeyPath` to point to the correct file paths.\n - Fix the `sslCertPath` or `sslKeyPath` file contents to contain the correct matching certificate and key pair.\n6. Apply the changes to the virtualhost using\n [Helm](/apigee/docs/hybrid/latest/helm-reference):\n\n ```\n helm upgrade ENV_GROUP_NAME apigee-virtualhost/ \\\n --namespace APIGEE_NAMESPACE \\\n --atomic \\\n --set envgroup=ENV_GROUP_NAME \\\n -f OVERRIDES_FILE\n ```\n\n Make sure to include all of the settings shown, including `--atomic`\n so that the action rolls back on failure.\n\nMust gather diagnostic information\n----------------------------------\n\n\nIf the problem persists even after following the above instructions, gather\nthe following diagnostic information and then contact [Google Cloud Customer Care](https://cloud.google.com/support-hub/):\n\n1. The Google Cloud Project ID.\n2. The name of the Apigee hybrid organization.\n3. The `Spec.Details` field of the `ApigeeIssue`.\n4. (optional) Files referenced by `sslCertPath` and `sslKeyPath` for the affected virtualhost."]]
