
I have created a certificate using ACM. Now, I want to create a TLS secret using kubernetes, so that I can use the secret to configure Ingress Resource.

I am trying to create a TLS secret using kubectl create secret tls fsi-secret --cert=fsi.chain.pem --key=fsi.key.pem However, it returns an error saying error: failed to load key pair tls: failed to parse private key

The private key was created using a password, so after reading through a bit, I decided to use the unencrypted private key, so I did the following:

openssl rsa -in fsi.key.pem -out fsi.key.decrypted.pem -passin pass:abcdefgxxxx

The above step generated an unencrypted version of the original private key. Next I tried the create secret command above just changing the --key to use the unencrypted key:

kubectl create secret tls fsi-secret --cert=fsi.chain.pem --key=fsi.key.decrypted.pem

however, this resulted in error: failed to load key pair tls: private key does not match public key.

I am creating this tls secret in order to use it in the ingress resource definition.

Any help would be appreciated.

Cricket

2 Answers


The one thing you should check is the chain order of your certificate, as the first certificate will be checked against the private key. So, having your cert like this:

-----BEGIN MY CERTIFICATE-----
-----END MY CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----

will make sure the order is right.

You can find more in-depth sources regarding that topic below:

If that's still not the case, please let us know and update your question.

  • Hello @Cricket and welcome to StackOverflow! Please remember to [react to answers for your questions](https://stackoverflow.com/help/someone-answers). That way we know if the answers were helpful and other community members could also benefit from them. Try to [accept answer](https://stackoverflow.com/help/accepted-answer) that is the final solution for your issue, upvote answers that are helpful and comment on those which could be improved or require additional attention. Enjoy your stay! – Wytrzymały Wiktor May 13 '21 at 07:47

Experienced this issue when creating a Kubernetes secret from a root certificate and an intermediate certificate.

The issue was an error with my concatenated certificate file.

I used the command below to concatenate the root certificate and the intermediate certificate:

cat root-certificate.crt intermediate-certificate.pem > bundled-certificate.crt

When I ran the command below to generate the secret:

kubectl create secret tls myapp-tls --key=my-cert-private.key --cert=bundled-certificate.crt --namespace production --dry-run=client -o yaml > myapp_bundle_cert.yaml

I get the error:

error: tls: private key does not match public key

Here's how I fixed it:

When I checked the concatenated certificate file, I found that there was an overlap that looked like this:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

All I had to do was to fix the formatting:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

After which, when I ran the command:

kubectl create secret tls myapp-tls --key=my-cert-private.key --cert=bundled-certificate.crt --namespace production --dry-run=client -o yaml > myapp_bundle_cert.yaml

It worked fine.

Promise Preston
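Added example, not code from the question or from either answer. `kubectl create secret tls` validates the two files with Go's `crypto/tls.X509KeyPair`, which is where both quoted messages (`tls: failed to parse private key`, `tls: private key does not match public key`) come from, and that function compares the key only against the first certificate in the bundle. The program below generates its own root CA, leaf certificate and unencrypted key (the names `Example Root CA` and `app.example.com` are constructed for the example), then runs that same kubectl check plus a separate chain-order check over three bundles: leaf then root, root then leaf (the ordering mistake the first answer describes), and a bundle whose END/BEGIN markers were glued onto one line (the second answer's case).

```go
package main

// Added example, not code from the original post: reproduces the check kubectl
// create secret tls runs (crypto/tls.X509KeyPair) plus a chain-order check.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must(err error) { // fixture generation panics rather than returning errors
	if err != nil {
		panic(err)
	}
}
// issue makes a P-256 key and a certificate for cn signed by parentKey;
// with parent == nil the certificate is self-signed (a root CA).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA, // CheckSignatureFrom only accepts a CA as issuer
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func toPEM(typ string, der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}))
}

// fixtures returns the unencrypted PKCS#8 leaf key, the leaf cert and the root cert as PEM.
func fixtures() (keyPEM, leafPEM, rootPEM string) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	leaf, leafKey := issue("app.example.com", 2, false, root, rootKey)
	der, err := x509.MarshalPKCS8PrivateKey(leafKey)
	must(err)
	return toPEM("PRIVATE KEY", der), toPEM("CERTIFICATE", leaf.Raw), toPEM("CERTIFICATE", root.Raw)
}

// checkPair runs the validation kubectl applies and returns its error text,
// or "" when the bundle's first certificate matches the key.
func checkPair(certBundle, keyPEM string) string {
	if _, err := tls.X509KeyPair([]byte(certBundle), []byte(keyPEM)); err != nil {
		return err.Error()
	}
	return ""
}

// chainOrder enforces the order the answers describe: each certificate must be
// signed by the next one (leaf first, root last). Glued END/BEGIN markers leave
// pem.Decode with no blocks at all, so that bundle fails here as well.
func chainOrder(bundle string) error {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode([]byte(bundle)); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return fmt.Errorf("no CERTIFICATE blocks found: put every -----END/-----BEGIN marker on its own line")
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("cert %d (%s) is not issued by cert %d (%s): %v", i, certs[i].Subject.CommonName, i+1, certs[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

func main() {
	key, leaf, root := fixtures()
	glued := strings.TrimSuffix(leaf, "\n") + root // "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
	for _, b := range []string{leaf + root, root + leaf, glued} {
		fmt.Printf("kubectl: %q\n  chain: %v\n", checkPair(b, key), chainOrder(b))
	}
}
```

Run it with `go run`: the leaf-then-root bundle passes both checks, the reversed bundle reports the question's exact `tls: private key does not match public key`, and the glued bundle fails both checks because no PEM block can be decoded from it. Two caveats on the decryption step in the question: `-passin pass:...` leaves the passphrase in shell history and in the process list, whereas `-passin stdin` or `-passin file:` does not; and a Kubernetes Secret only base64-encodes the key, so delete the decrypted copy once the secret exists and keep RBAC read access to the secret narrow.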