# Ingress cert mismatch

*You're viewing **Apigee** and **Apigee hybrid** documentation. There is no equivalent [Apigee Edge](https://docs.apigee.com/api-platform/get-started/get-started) documentation for this topic.*

**Note:** This document is applicable for Apigee hybrid users only.

Last updated 2025-08-26 UTC.

Symptom
-------

An `ApigeeIssue` with `Reason` `AIS_INGRESS_CERT_MISMATCH` is shown when viewing resources in the `apigee` namespace.

Error messages
--------------

After running `kubectl -n apigee get apigeeissues`, the following error is displayed:

```
NAME                                          SEVERITY   REASON                      DOCUMENTATION                                                                          AGE
ingress-cert-mismatch-my-org-my-virtualhost   ERROR      AIS_INGRESS_CERT_MISMATCH   https://cloud.google.com/apigee/docs/hybrid/troubleshooting/AIS_INGRESS_CERT_MISMATCH   5h18m
```

Cause: Ingress cert mismatch
----------------------------

The private key and certificate stored in the Kubernetes secret referenced by an `ApigeeRouteConfig` do not match.

### Diagnosis

Run the following command:

```
kubectl -n apigee describe apigeeissue ISSUE_NAME
```

Where ISSUE_NAME is the name of the issue. For example, `ingress-cert-mismatch-my-org-my-virtualhost`.

Something similar to the following is returned:

```
Name:         ingress-cert-mismatch-my-org-my-virtualhost
Namespace:    apigee
Labels:       ais-reason=AIS_INGRESS_CERT_MISMATCH
Annotations:  <none>
API Version:  apigee.cloud.google.com/v1alpha1
Kind:         ApigeeIssue
Metadata:
  Creation Timestamp:  2023-06-12T17:03:43Z
  Generation:          1
  Owner References:
    API Version:     apigee.cloud.google.com/v1alpha2
    Kind:            ApigeeOrganization
    Name:            my-org
    UID:             7e83a52c-ce00-4bed-98be-55835ada1817
  Resource Version:  3281563
  UID:               adc775c2-376d-4bf9-9860-500b2b2b8273
Spec:
  Details:        Ingress cert and private key in secret "my-org-my-virtualhost" for ApigeeRouteConfig "my-org-my-virtualhost" do not match
  Documentation:  https://cloud.google.com/apigee/docs/hybrid/troubleshooting/AIS_INGRESS_CERT_MISMATCH
  Reason:         AIS_INGRESS_CERT_MISMATCH
  Severity:       ERROR
Events:           <none>
```

The `Spec.Details` field names the `ApigeeRouteConfig` that refers to the Kubernetes secret containing the ingress certificate and private key.

### Resolution

1. Use `kubectl describe` to display the name of the `ApigeeRouteConfig` which has the mismatched ingress cert and key:

   ```
   kubectl -n apigee describe apigeeissue ISSUE_NAME
   ```

   Where ISSUE_NAME is the name of the issue. For example, `ingress-cert-mismatch-my-org-my-virtualhost`.

   In this example, the `ApigeeRouteConfig` `my-org-my-virtualhost` is referencing the secret `my-org-my-virtualhost`.

2. Determine the `virtualhost` name from the `ApigeeRouteConfig`.

   The `ApigeeRouteConfig`'s name is in the format: `<Apigee organization>-<virtualhost name>`.

   In this example, `my-org` is the Apigee organization and the virtualhost name is `my-virtualhost`.

3. Find the corresponding virtualhost in your `overrides.yaml` file:

   ```
   virtualhosts:
   ...
   - name: my-virtualhost
     selector:
       app: apigee-ingressgateway
     sslCertPath: ./certs/vhost.pem
     sslKeyPath: ./certs/vhost.key
   ...
   ```

4. Validate that the certificate and key files being used match.

   Using the `sslCertPath` and `sslKeyPath` from the previous step, validate that the MD5 sums match using `openssl`:

   ```
   openssl x509 -noout -modulus -in SSL_CERT_PATH | openssl md5
   ```

   ```
   openssl rsa -noout -modulus -in SSL_KEY_PATH | openssl md5
   ```

   - Where SSL_CERT_PATH is the `sslCertPath` from the previous step. For example, `./certs/vhost.pem`.
   - Where SSL_KEY_PATH is the `sslKeyPath` from the previous step. For example, `./certs/vhost.key`.

   The output of the above two commands should match:

   ```
   openssl x509 -noout -modulus -in ./certs/vhost.pem | openssl md5
   MD5(stdin)= 40ba189dbe9d6fbfbdde1a8ef803d2d4
   ```

   ```
   openssl rsa -noout -modulus -in ./certs/vhost.key | openssl md5
   MD5(stdin)= 40ba189dbe9d6fbfbdde1a8ef803d2d4
   ```

5. If the output from the previous commands did not match, use one of the following methods to correct the problem:

   - Update the virtualhost's `sslCertPath` and `sslKeyPath` to point to the correct file paths.
   - Fix the `sslCertPath` or `sslKeyPath` file contents to contain the correct matching certificate and key pair.

6. Apply the changes to the virtualhost using [Helm](/apigee/docs/hybrid/latest/helm-reference):

   ```
   helm upgrade ENV_GROUP_NAME apigee-virtualhost/ \
     --namespace APIGEE_NAMESPACE \
     --atomic \
     --set envgroup=ENV_GROUP_NAME \
     -f OVERRIDES_FILE
   ```

   Make sure to include all of the settings shown, including `--atomic` so that the action rolls back on failure.

Must gather diagnostic information
----------------------------------

If the problem persists even after following the above instructions, gather the following diagnostic information and then contact [Google Cloud Customer Care](https://cloud.google.com/support-hub/):

1. The Google Cloud Project ID.
2. The name of the Apigee hybrid organization.
3. The `Spec.Details` field of the `ApigeeIssue`.
4. (optional) Files referenced by `sslCertPath` and `sslKeyPath` for the affected virtualhost.
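The modulus comparison in step 4 of the Resolution applies to RSA keys only, and if both `openssl` commands fail to read their file, each pipeline hashes empty input and the two sums still come out equal. The script below is an added example, not part of the Apigee documentation; it goes beyond the page's commands by comparing SHA-256 digests of the public key from each file (RSA or EC) and reporting an unparseable file as its own error. The function names and the throwaway self-signed pairs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Apigee docs): verify that a certificate and a
# private key belong together by comparing digests of their public keys.
# Assumes an unencrypted PEM key; in a chain file the leaf cert must be first.

# stdin: PEM public key -> stdout: hex SHA-256 of its DER (SPKI) encoding
spki_sha256() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_cert_key CERT KEY -> 0 match, 1 mismatch, 2 file could not be parsed.
# Parsing is checked before hashing: if both openssl calls failed, the two
# digests of empty input would be equal and look like a match.
check_cert_key() {
  local cert_pub key_pub cert_fp key_fp
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
    { echo "cannot parse certificate: $1" >&2; return 2; }
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ||
    { echo "cannot parse private key: $2" >&2; return 2; }
  cert_fp=$(printf '%s\n' "$cert_pub" | spki_sha256)
  key_fp=$(printf '%s\n' "$key_pub" | spki_sha256)
  if [ "$cert_fp" = "$key_fp" ]; then
    echo "MATCH spki-sha256=$cert_fp"; return 0
  fi
  echo "MISMATCH cert=$cert_fp key=$key_fp"; return 1
}

# make_pair DIR NAME REQ_ARGS...: constructed throwaway self-signed pair.
make_pair() {
  local dir name; dir=$1; name=$2; shift 2
  openssl req -x509 -nodes -days 1 -subj "/CN=$name.example" "$@" \
    -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# selftest: exercise all three outcomes on constructed RSA and EC pairs.
selftest() {
  local d rc; rc=0; d=$(mktemp -d) || return 2
  make_pair "$d" rsa -newkey rsa:2048 || rc=2
  make_pair "$d" ec -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 || rc=2
  check_cert_key "$d/rsa.pem" "$d/rsa.key" || rc=1               # expect MATCH
  check_cert_key "$d/ec.pem" "$d/ec.key" || rc=1                 # expect MATCH
  check_cert_key "$d/rsa.pem" "$d/ec.key" && rc=1                # expect MISMATCH
  check_cert_key "$d/none.pem" "$d/rsa.key" 2>/dev/null && rc=1  # expect parse error
  rm -rf "$d"; return "$rc"
}

# With two arguments check those files, otherwise run the self-test.
if [ "$#" -eq 2 ]; then check_cert_key "$1" "$2"; else selftest; fi
```

Saved under an assumed name such as `check_pair.sh`, it takes the `sslCertPath` and `sslKeyPath` values from `overrides.yaml` as its two arguments; exit status 0 means the pair matches.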