Reputation: 9
I'm creating a username named "client" in Kubernetes for a developer. I'm running a local master node. I completed the following steps:
openssl req -new -key client.key -out client.csr -subj "/CN=client/O=dev"
sudo openssl x509 -req -in client.csr -CA /root/.ke/ca.crt -CAkey /root/ca.key -CAcreateserial -out client.crt -days 500
openssl x509 -in client.crt -noout -text
Configure kubectl for the user:
kubectl config set-cluster master-node --server=https://192.168.0.93:8443 --certificate-authority=/ca.crt
kubectl config set-credentials client --client-certificate=client.crt --client-key=client.key
kubectl config set-context client --cluster=master --user=client
kubectl config use-context client
My config file is:
apiVersion: v1
clusters:
contexts:
current-context: client
kind: Config
preferences: {}
users:
I'm running kubectl --kubeconfig=/home/.kube/config.client get pods and I get
E0620 11:31:07.299522 15030 memcache.go:265] couldn't get current server API group list: Get "https://192.168.0.93:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority
Any ideas?
I tried using the ca.crt and client.crt in the certificate-authority-data encoded field. All the files have the correct permissions. I regenerated the files after checking with openssl x509 -noout -modulus -in client.crt | openssl md5.
Upvotes: 0
Views: 8729
Reputation: 9
I solved this by using the correct certificate from /etc/kubernetes/pki to generate the client.crt file at the beginning of the process.
sudo openssl x509 -req -in client.csr -CA /root/.ke/ca.crt -CAkey /root/ca.key -CAcreateserial -out client.crt -days 500
I replaced /root/.ke/ca.crt with /etc/kubernetes/pki/ca.crt, and did the same with the key.
Upvotes: 0
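
The check behind the fix in the answer, as an added example that is not part of the original posts: a key that matches its certificate says nothing about which CA signed that certificate, and `openssl verify -CAfile` tests the signer directly. The two CAs are constructed throwaway stand-ins (`cluster-ca` for /etc/kubernetes/pki/ca.crt, `other-ca` for an unrelated CA), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Both CAs are constructed test data, not real cluster material:
# "cluster-ca" stands in for /etc/kubernetes/pki/ca.crt, "other-ca" for an unrelated CA.

# build_fixture DIR: create both CAs, one client key and CSR, and sign the CSR with each CA.
build_fixture() {
    for ca in cluster-ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.crt" >/dev/null 2>&1 || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client/O=dev" \
        -keyout "$1/client.key" -out "$1/client.csr" >/dev/null 2>&1 || return 1
    for ca in cluster-ca other-ca; do
        openssl x509 -req -in "$1/client.csr" -CA "$1/$ca.crt" -CAkey "$1/$ca.key" \
            -CAcreateserial -out "$1/client-by-$ca.crt" -days 1 >/dev/null 2>&1 || return 1
    done
}

# key_matches KEY CERT: true if the private key belongs to the certificate.
# Same purpose as the modulus comparison in the question; it ignores the issuer.
key_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# signed_by CA_CERT CERT: true only if CERT verifies against CA_CERT.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report DIR CERT: print both checks for one client certificate.
report() {
    key_matches "$1/client.key" "$1/$2" && km=yes || km=no
    signed_by "$1/cluster-ca.crt" "$1/$2" && sb=yes || sb=no
    echo "$2: key matches=$km, signed by cluster CA=$sb"
}

tmp=$(mktemp -d) && build_fixture "$tmp" && {
    report "$tmp" client-by-other-ca.crt
    report "$tmp" client-by-cluster-ca.crt
}
rm -rf "$tmp"
```

On a real node the equivalent check is `openssl verify -CAfile /etc/kubernetes/pki/ca.crt client.crt`, run before the certificate is put into the kubeconfig.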