4

I am new to Kubernetes and stuck on an issue. I was trying to renew a Let's Encrypt SSL certificate, but when I try to get the certificate by running the following command:

kubectl get certificate

The system throws this exception:

Error from server: conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: Post https://cert-manager-webhook.default.svc:443/convert?timeout=30s: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cert-manager-webhook-ca")

I have also checked the pods:

enter image description here

The "cert-manager-webhook" pod is in the running state. When I check the logs of this pod, I get the following response:

enter image description here

I have also tried to apply the cluster-issuer after deleting it, but I face the same issue:

kubectl apply -f cluster-issuer.yaml

enter image description here

I have also done R&D about this but could not find any suitable solution. What's the issue here? Can someone please help me regarding this? Thanks.

Hunzla Ali
  • seems to be related https://github.com/jetstack/cert-manager/issues/3338 – mario Oct 18 '21 at 20:25
  • I have already checked that issue. The "cert-manager-cainjector" pod status is "CrashLoopBackOff". Maybe that pod is causing this issue? Any idea about that? @mario – Hunzla Ali Oct 19 '21 at 10:40

3 Answers

2

The problem was with the "cert-manager-cainjector" pod status, which was "CrashLoopBackOff" due to FailedMount, as the secret was not found for mounting. I have created that secret and after that it started working fine.

Hunzla Ali
2

If you are using a webhook, check whether you have injected the CA; if not, you could do it using:

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
...
  annotations:
    cert-manager.io/inject-ca-from: "<namespace>/<certificate_name>"

Vishrant
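The API server validates a webhook's serving certificate against the `caBundle` field that cainjector fills in, so the `x509: certificate signed by unknown authority` error points at a missing or stale bundle. The following is an added example, not code from any of the posts or from cert-manager: it audits the output of `kubectl get crd,mutatingwebhookconfiguration,validatingwebhookconfiguration -o json` for that condition, going beyond the single MutatingWebhookConfiguration in the answer above to cover CRD conversion webhooks and validating webhooks as well. It assumes the `apiextensions.k8s.io/v1` field layout; the function names, the sample objects and the placeholder PEM bodies are constructed for illustration.

```python
import base64

# Annotations that tell cert-manager's cainjector to populate caBundle.
INJECT_ANNOTATIONS = ("cert-manager.io/inject-ca-from", "cert-manager.io/inject-ca-from-secret")

def client_configs(obj):
    """Yield (path, clientConfig) for every webhook the API server calls."""
    if obj.get("kind") == "CustomResourceDefinition":
        conv = obj.get("spec", {}).get("conversion") or {}
        if conv.get("strategy") == "Webhook":
            yield "spec.conversion.webhook", (conv.get("webhook") or {}).get("clientConfig") or {}
    else:  # MutatingWebhookConfiguration / ValidatingWebhookConfiguration
        for i, hook in enumerate(obj.get("webhooks") or []):
            yield f"webhooks[{i}]", hook.get("clientConfig") or {}

def audit(resource_list, expected_ca_pem=None):
    """Yield (object, path, problem, has_inject_annotation) per bad caBundle."""
    squash = lambda s: "".join(s.split())  # ignore PEM line-wrapping differences
    for obj in resource_list.get("items", []):
        meta = obj.get("metadata", {})
        name = f"{obj.get('kind')}/{meta.get('name')}"
        annotated = any(a in (meta.get("annotations") or {}) for a in INJECT_ANNOTATIONS)
        for path, cfg in client_configs(obj):
            try:
                bundle = base64.b64decode(cfg.get("caBundle") or "", validate=True).decode("ascii")
            except ValueError:  # malformed base64 or non-ASCII bytes
                yield (name, path, "caBundle is not base64-encoded PEM", annotated)
                continue
            if "-----BEGIN CERTIFICATE-----" not in bundle:
                yield (name, path, "caBundle is empty or holds no certificate", annotated)
            elif expected_ca_pem and squash(expected_ca_pem) not in squash(bundle):
                yield (name, path, "caBundle lacks the expected CA (stale)", annotated)

# Constructed sample standing in for kubectl output; PEM bodies are placeholders, not real certificates.
def _pem(body):
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
_b64 = lambda text: base64.b64encode(text.encode()).decode()

CURRENT_CA = _pem("Q09OU1RSVUNURUQtTkVX")
ANNOTATED = {"cert-manager.io/inject-ca-from-secret": "default/cert-manager-webhook-ca"}
SAMPLE = {"items": [
    {"kind": "CustomResourceDefinition",
     "metadata": {"name": "certificates.cert-manager.io", "annotations": ANNOTATED},
     "spec": {"conversion": {"strategy": "Webhook", "webhook": {
         "clientConfig": {"caBundle": _b64(_pem("Q09OU1RSVUNURUQtT0xE"))}}}}},
    {"kind": "MutatingWebhookConfiguration", "metadata": {"name": "example-webhook"},
     "webhooks": [{"clientConfig": {"caBundle": ""}}]},
    {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "cert-manager-webhook", "annotations": ANNOTATED},
     "webhooks": [{"clientConfig": {"caBundle": _b64(CURRENT_CA)}}]},
]}
```

An annotated object with a stale bundle suggests cainjector is not running, as in the first answer; an unannotated object with an empty bundle is the case the annotation in the second answer addresses.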
2

In my case, I was attempting to install an older version of cert-manager onto my cluster, and simply pulling the latest version of cert-manager (1.10.1 at time of writing) and installing that worked.


When attempting to install an older version of cert-manager I saw the following error from the cainjector pod.

error registering secret controller: no matches for kind "MutatingWebhookConfiguration" in version "admissionregistration.k8s.io/v1beta1"

I assume that the API admissionregistration.k8s.io/v1beta1 has been removed between K8s versions 1.21 and 1.24, and that's why I encountered an issue.

David Gard