
I have a k8s cluster on centos7.2 with 1 master and 2 slaves. The cluster is working fine as far as it is serving on port 8080, but when I try to secure the Kube-API server by using certificates, I run into the above error after restarting the kube-apiserver service, and it is continuously writing this error to my log file at /var/log/messages.
kube-apiserver is started as:

KUBE_API_ADDRESS="--bind-address=0.0.0.0"
KUBE_API_PORT="--secure-port=6443"
KUBELET_PORT="--kubelet-port=10250"
KUBE_ETCD_SERVERS="--etcd-servers=http://kube-master:2379"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
KUBE_ALLOW_PRIV="--allow-privileged=true"
KUBE_API_TLS_CERT_FILE="--tls-cert-file=/home/abc/server.cert"
KUBE_API_TLS_PRIVATE_KEY_FILE="--tls-private-key-file=/home/abc/server.key"
KUBE_API_TOKEN_AUTH_FILE="--token-auth-file=/home/abc/token.csv"

I am accessing the API server using the kubectl command as

kubectl --v=4  --server="https://$ip:6443" --certificate-authority="./ca.crt" --token="abcdTOKEN1234" get nodes

After that I am getting the following error:

2930 helpers.go:153] Connection error: Get https://$ip:6443/api: x509: certificate signed by unknown authority
2930 helpers.go:96] Unable to connect to the server: x509: certificate signed by unknown authority

I performed the same steps on ubuntu 14.04 and they are working fine. I am not able to figure out where exactly I'm going wrong. Does anyone know where I am wrong? Thanks in advance.

Yogesh Jilhawar
    If you run `curl -k -H "Authorization: Bearer abcdTOKEN1234" https://$ip:6443` does that work? What about `curl --cacert "./ca.crt" -H "Authorization: Bearer abcdTOKEN1234" https://$ip:6443`? – Robert Bailey May 17 '16 at 06:14
  • It gives me an error saying `NSS error -8101 (SEC_ERROR_INADEQUATE_CERT_TYPE) * Certificate type not approved for application. * Closing connection 0 curl: (60) Certificate type not approved for application.` – Yogesh Jilhawar May 17 '16 at 06:35
  • How did you generate the certificates? Were they generated on the machine running the apiserver? Were they generated on the same machine in the ubuntu setup? – Robert Bailey May 23 '16 at 06:57
  • Sorry for the late reply... was offline.... The certificates on ubuntu and centos are different. – Yogesh Jilhawar May 26 '16 at 09:42
  • I'd expect them to be different, since the setup scripts generate new certs for each install. What I was wondering is if they were generated in the same way (e.g. on the master vs. on the machine running the setup script). And do they have the same TLS options set? – Robert Bailey May 26 '16 at 15:02
  • I generated certs using the [script](https://github.com/kubernetes/kubernetes/blob/master/cluster/saltbase/salt/generate-cert/make-ca-cert.sh) on master and then copied them on minions. One more thing, how to check or set up TLS options? – Yogesh Jilhawar May 27 '16 at 06:51
  • If you are using easyrsa, then I would expect the certs to have the same TLS options in both cases, but you can check them by running `openssl s_client -status -connect :443` – Robert Bailey Jun 01 '16 at 20:40
  • Can you guys please look into that? https://stackoverflow.com/questions/69611816/kubernetes-x509-certificate-signed-by-unknown-authority-possibly-because-of-ec – Hunzla Ali Oct 18 '21 at 10:18
