kubectl exec fails "cannot validate certificate because it doesn't contain any IP SANs"

Tags: ssl, kubernetes

I'm trying to use kubectl exec to enter one of my containers, but I'm getting stuck on this error.

$ kubectl exec -it ubuntu -- bash
error: Unable to upgrade connection: {
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "x509: cannot validate certificate for <worker_node_ip> because it doesn't contain any IP SANs",
    "code": 500
}

I have configured kubectl with my CA certificate and admin keys, etc., according to this guide: https://coreos.com/kubernetes/docs/1.0.6/configure-kubectl.html

Update

I also found the same error in the API server's logs:

E1125 17:33:16.308389 1 errors.go:62] apiserver received an error that is not an unversioned.Status: x509: cannot validate certificate for <worker_node_ip> because it doesn't contain any IP SANs

Does this mean I have configured the certs incorrectly on my worker/master nodes or on kubectl on my local machine?

asked Nov 25 '15 01:11 by esecules


3 Answers

That message is coming from the master trying to connect to the node (the flow of traffic is kubectl -> master API -> kubelet -> container). When starting the master, are you setting --kubelet_certificate_authority? If so, the master expects to be able to validate the kubelet's serving cert, which means it needs to be valid for the hostnames/IP addresses the master uses to connect to it.

answered Nov 10 '22 13:11 by Jordan Liggitt


If you're using Kubernetes with a Google Container Cluster, this may fix the issue as it did for me:

gcloud container clusters get-credentials <cluster-name> \
    --project <project-name> --zone <zone>

answered Nov 10 '22 13:11 by cahen


If you used this command to create your certificate:

openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem

Then your issue can be resolved by doing the following, since the 'client' cert uses an -extfile extfile.cnf:

echo subjectAltName = IP:worker_node_ip > extfile.cnf
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
   -out server-cert.pem -extfile extfile.cnf

You can specify any number of IP addresses, such as IP:127.0.0.1,IP:127.0.1.1 (non localhost as well).

answered Nov 10 '22 11:11 by George