  • Linkerd is installed with cert-manager, and all linkerd namespaces are prepared with their respective issuers and certificates with automatic renewal.
  • The command ./linkerd check does not show any error.
  • The issuers linkerd-trust-anchor and webhook-issuer are valid.
  • The certificates linkerd-identity-issuer, linkerd-policy-validator, linkerd-proxy-injector and linkerd-sp-validator are also valid and not expired.

When I try to apply a policy, I receive this error:

Error from server (InternalError): error when creating ".\templates\servers.yaml": Internal error occurred: failed calling webhook "linkerd-policy-validator.linkerd.io": Post "https://linkerd-policy-validator.linkerd.svc:443/?timeout=10s": x509: certificate has expired or is not yet valid

And there is the error "Failed to connect error=invalid certificate: CertExpired" in the sidecar container log:

[ 0.000771s] INFO ThreadId(01) linkerd2_proxy::rt: Using single-threaded proxy runtime
[ 0.001299s] INFO ThreadId(01) linkerd2_proxy: Admin interface on 0.0.0.0:4191
[ 0.001311s] INFO ThreadId(01) linkerd2_proxy: Inbound interface on 0.0.0.0:4143
[ 0.001313s] INFO ThreadId(01) linkerd2_proxy: Outbound interface on 127.0.0.1:4140
[ 0.001314s] INFO ThreadId(01) linkerd2_proxy: Tap interface on 0.0.0.0:4190
[ 0.001316s] INFO ThreadId(01) linkerd2_proxy: Local identity is gpproxyserver-tlm.rainbowstaging-main.serviceaccount.identity.linkerd.cluster.local
[ 0.001321s] INFO ThreadId(01) linkerd2_proxy: Identity verified via linkerd-identity-headless.linkerd.svc.cluster.local:8080 (linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local)
[ 0.001323s] INFO ThreadId(01) linkerd2_proxy: Destinations resolved via linkerd-dst-headless.linkerd.svc.cluster.local:8086 (linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local)
[ 0.003971s] WARN ThreadId(01) policy:watch{port=4191}:controller{addr=linkerd-policy.linkerd.svc.cluster.local:8090}:endpoint{addr=192.168.163.207:8090}: rustls::session: Sending fatal alert BadCertificate
[ 0.004033s] WARN ThreadId(01) policy:watch{port=4191}:controller{addr=linkerd-policy.linkerd.svc.cluster.local:8090}:endpoint{addr=192.168.163.207:8090}: linkerd_reconnect: Failed to connect error=invalid certificate: CertExpired
[ 0.032277s] INFO ThreadId(02) daemon:identity: linkerd_app: Certified identity: gpproxyserver-tlm.rainbowstaging-main.serviceaccount.identity.linkerd.cluster.local
[ 24.056844s] WARN ThreadId(01) inbound:server{port=8000}:controller{addr=linkerd-dst-headless.linkerd.svc.cluster.local:8086}:endpoint{addr=192.168.163.207:8086}: rustls::session: Sending fatal alert BadCertificate
[ 24.057004s] WARN ThreadId(01) inbound:server{port=8000}:controller{addr=linkerd-dst-headless.linkerd.svc.cluster.local:8086}:endpoint{addr=192.168.163.207:8086}: linkerd_reconnect: Failed to connect error=invalid certificate: CertExpired
[ 24.074130s] WARN ThreadId(01) outbound:server{orig_dst=10.98.31.55:5672}: rustls::session: Sending fatal alert BadCertificate
[ 24.132043s] INFO ThreadId(01) inbound:server{port=8000}: linkerd_proxy_http::upgrade: tcp duplex error: client: Broken pipe (os error 32)
[ 2117.365594s] WARN ThreadId(01) inbound:server{port=8000}:controller{addr=linkerd-dst-headless.linkerd.svc.cluster.local:8086}:endpoint{addr=192.168.163.207:8086}: rustls::session: Sending fatal alert BadCertificate
[ 2117.369126s] WARN ThreadId(01) inbound:server{port=8000}:controller{addr=linkerd-dst-headless.linkerd.svc.cluster.local:8086}:endpoint{addr=192.168.163.207:8086}: linkerd_reconnect: Failed to connect error=invalid certificate: CertExpired
[ 2117.377137s] WARN ThreadId(01) outbound:server{orig_dst=10.98.31.55:5672}: rustls::session: Sending fatal alert BadCertificate
[ 2117.388693s] INFO ThreadId(01) inbound:server{port=8000}: linkerd_proxy_http::upgrade: tcp duplex error: client: Broken pipe (os error 32)

Bouklan

0 Answers