This repository was archived by the owner on Mar 24, 2026. It is now read-only.
NGINX Ingress controller version:
0.24.1 but we were also able to replicate the problem in 0.23.0.
Kubernetes version (use kubectl version):
Environment:
Cloud provider or hardware configuration: AWS
OS (e.g. from /etc/os-release): Debian Stretch
Kernel (e.g. uname -a): Linux ip-172-20-81-79 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64 Linux
Install tools: Managed by KOPS
Others:
What happened:
When providing multiple client certificates to nginx in one file, i.e. using the secret auth-tls-secret, it did not accept clients authenticating based on the second TLS certificate. It did accept clients authenticating based on the first certificate.
When it does not accept the certificate it generates a 400 bad request "The SSL certificate error".
When trying to replicate the issue using a pure nginx config (i.e. not using the ingress) we were not able to replicate the problem.
The generated nginx configuration looks correct to us, i.e. the certificates get put into the nginx config file and this looks fine to us.
What you expected to happen:
According to the nginx docs you can put multiple client certs in the file referenced in ssl_client_certificate and nginx should accept any one of those. This is also the behavior we saw when trying to isolate the behavior in a pure Docker/Nginx setup, but in ingress nginx it does not work for unknown reasons.
How to reproduce it (as minimally and precisely as possible):
Use the TLS client auth feature with more than one certificate.
Anything else we need to know:
Motivation for use of this feature is having zero-downtime certificate exchange, blue-green-style.
Let us know if we can provide additional info to ease replication of this issue.
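An added example, not part of the original report and not ingress-nginx code: a check that a multi-certificate PEM bundle, such as the one stored in the secret, splits into the expected number of well-formed blocks, with a SHA-256 fingerprint per block for comparing the secret against the file the controller wrote. The function names and sample payloads are constructed for illustration (the payloads are placeholder bytes, not real certificates), and the check rules out a malformed bundle rather than explaining the behaviour reported above.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# A well-formed block has its BEGIN and END markers each on their own line.
BLOCK = re.compile(
    r"^" + BEGIN + r"\r?\n(.*?)\r?\n" + END + r"[ \t]*\r?$", re.S | re.M
)


def inspect_bundle(pem_text):
    """Return (sha256 fingerprints of well-formed blocks, warnings)."""
    fingerprints = []
    for match in BLOCK.finditer(pem_text):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # marker text or junk inside the body
            continue
        fingerprints.append(hashlib.sha256(der).hexdigest())
    warnings = []
    markers = pem_text.count(BEGIN)
    if markers != len(fingerprints):
        warnings.append(
            "%d BEGIN markers but %d well-formed blocks" % (markers, len(fingerprints))
        )
    if len(set(fingerprints)) != len(fingerprints):
        warnings.append("the same certificate appears more than once")
    return fingerprints, warnings


def make_pem(payload):
    """Wrap constructed bytes in PEM armour (placeholder, not a real X.509 cert)."""
    body = base64.b64encode(payload).decode("ascii")
    return BEGIN + "\n" + body + "\n" + END + "\n"


# Constructed sample input: two placeholder blocks standing in for the old and new certs.
GOOD_BUNDLE = make_pem(b"constructed cert A") + make_pem(b"constructed cert B")
# Same two blocks, but the first file had no trailing newline when concatenated.
GLUED_BUNDLE = make_pem(b"constructed cert A").rstrip("\n") + make_pem(b"constructed cert B")

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("glued", GLUED_BUNDLE)):
        prints, notes = inspect_bundle(bundle)
        print(name, len(prints), "block(s)", notes)
```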