I reinstalled some nodes and a master. Now on the master I am getting:

```
Sep 15 04:53:58 master kube-apiserver[803]: I0915 04:53:58.413581 803 logs.go:41] http: TLS handshake error from $ip:54337: remote error: bad certificate
```

Where $ip is one of the nodes.

So I likely need to delete or recreate certificates. What would the location of those be? Any recommended commands to recreate or remove those or copy them from node to master or vice versa? Whatever gets me past this error message...

Mykola
retep

1 Answer

Take a look through the Creating Certificates section of authentication.md. It walks you through the certificates that you need to create and how to pass them to the system components, and you should be able to use that to re-generate certificates for your cluster.

rjdkolb
Robert Bailey
  • OK. I'm curious why I get the error on just one of the nodes (not the other). I intend to set up certs for masters/nodes in the future. But for right now I don't need/desire/want/care about it. What (option on apiserver or kubelet) is forcing this check? How do I move past it? – retep Sep 15 '15 at 23:57
  • For my "remote error: bad certificate" problem I found that this is triggered when I add in a couple of skydns pods. So digging further there. – retep Sep 16 '15 at 02:06
  • What configuration are you using to launch the kube2sky pod? If you pass the `--kube_master_url` flag and no `--kubeconfig` flag, then you will get a client connection to the master that doesn't authenticate the master certificate (see https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/kube2sky/kube2sky.go#L416) which should work if you can connect to the insecure port on the apiserver (it is inaccessible by default). – Robert Bailey Sep 16 '15 at 16:59
  • Thank you for that comment. I changed my master url from http://$publicip:2379 (etcd) to http://$publicip:8080 (api server) and it is now working perfectly. Also popped an issue on the sky2dns GitHub to clarify slightly the docs for that argument. – retep Sep 18 '15 at 00:11
  • I am also facing the same error. I am using an HTTPS connection to access the apiserver with certificates. Any suggestions? – Yogesh Jilhawar May 15 '16 at 13:37
  • @YogeshJilhawar are you facing the same error after reinstalling nodes? If not, you should ask a new question with more specifics about your problem. – Robert Bailey May 16 '16 at 04:41
  • @RobertBailey I asked the question on Stack Overflow at [this link](http://stackoverflow.com/questions/37239795/http-tls-handshake-error-from-ipport-remote-error-bad-certificate) – Yogesh Jilhawar May 16 '16 at 06:09
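
In Go's TLS stack, "remote error" in the apiserver log means the alert came from the connecting client: a Go client sends `bad certificate` when its own verification of the server's certificate fails. The added example below (not from the thread or from Kubernetes) runs that client-side check for a master whose certificates were regenerated on reinstall, which is an assumed cause here; the CA names, the `kube-apiserver` common name and the 10.0.0.x addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue returns a certificate for cn (IP SAN 10.0.0.1, a constructed master
// address); a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IPAddresses: []net.IP{net.ParseIP("10.0.0.1")},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage = true, t.KeyUsage|x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify runs the check a Go TLS client applies to the server's certificate,
// with trusted as the client's only root CA and masterIP as the address dialed.
func verify(trusted, serving *x509.Certificate, masterIP string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := serving.Verify(x509.VerifyOptions{Roots: pool, DNSName: masterIP})
	return err
}

func main() {
	oldCA, _ := issue("old-ca", nil, nil)       // CA the node was provisioned with
	newCA, newKey := issue("new-ca", nil, nil)  // CA created by the reinstalled master
	apiserver, _ := issue("kube-apiserver", newCA, newKey)
	fmt.Println("node still trusts the old CA:", verify(oldCA, apiserver, "10.0.0.1"))
	fmt.Println("node given the new CA:", verify(newCA, apiserver, "10.0.0.1"))
	fmt.Println("master dialed on another IP:", verify(newCA, apiserver, "10.0.0.9"))
}
```

Only the second case verifies; the first fails with an unknown-authority error and the third because the dialed address is not in the certificate.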