CoreOS Kubernetes on AWS script issue


Gary Denner

Jun 10, 2016, 10:50:32 AM
to CoreOS Dev
Folks

Any idea how to fix this, we are running this script


And all looks good, it provisions the stuff in AWS, sets up the security groups and all is good (so you think)

then you run sudo /usr/local/bin/kubectl --kubeconfig=kubeconfig get nodes  and it returns with Unable to connect to the server: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, kube-prod-dns, not kube.beta.mydomain.com?

Any help much appreciated.



Seán C. McCord

Jun 10, 2016, 10:58:39 AM
to CoreOS Dev
The problem is very much what the error says.  When you generate the cert for the apiserver, you need to specify the name by which you will be accessing the site.  In this case, kube.beta.mydomain.com.

--
Seán C McCord
CyCore Systems, Inc

Gary Denner

Jun 10, 2016, 11:15:37 AM
to CoreOS Dev
Thanks Seán, I did that, I pointed to my domain that was created on Route 53 in AWS but it still seems to say the certificate is invalid for it, anything I need to do to fix that?

Seán C. McCord

Jun 10, 2016, 11:47:02 AM
to CoreOS Dev
It's not just a matter of making sure the DNS resolves to your API server node's IP address, it is that you generate the certificate with the subjectAltName by which you will be calling it. In the case of the documentation [here](https://coreos.com/kubernetes/docs/latest/openssl.html), this would be the MASTER_DNS_NAME (or MASTER_HOST) that needs to be set, and then the cert generated. You will have to regenerate your apiserver's certificate.

Gary Denner

Jun 10, 2016, 11:51:09 AM
to CoreOS Dev
Super! Thank you Seán I will take a look there.

Cheers

Gary Denner

Jun 10, 2016, 12:57:20 PM
to CoreOS Dev
OK now when I run sudo /usr/local/bin/kubectl --kubeconfig=kubeconfig get nodes it returns nothing, I would have expected some list of nodes right?


Seán C. McCord

Jun 10, 2016, 1:12:45 PM
to CoreOS Dev
Only if you actually _have_ nodes running and communicating. Are all of your kubelets running and populated with their respective TLS assets? If they (the kubelets) are running, take a look at one of their logs (journalctl -u kubelet) and see if you can tell what is failing.

Gary Denner

Jun 10, 2016, 1:40:00 PM
to CoreOS Dev
Thanks a lot. If I run a sudo /usr/local/bin/kubectl --kubeconfig=kubeconfig cluster-info it returns

Kube Master is running at https://kube.beta.mydomain.com
Heapster is running at https://kube.beta.mydomain.com/api/v1/proxy/namespaces/kube-system/services/heapster
KubeDNS is running at https://kube.beta.mydomain.com/api/v1/proxy/namespaces/kube-system/services/kube-dns

I'll check the journalctl logs, thanks again for all your help

Brandon Philips

Jun 10, 2016, 2:04:33 PM
to coreo...@googlegroups.com, Colin Hom
cc'ing Colin, kube-aws maintainer.

Colin Hom

Jun 10, 2016, 3:30:54 PM
to Brandon Philips, coreo...@googlegroups.com

Gary-

What is your externalDNSName variable in cluster.yaml set to? I would make sure it's correct and re-render your stack. You can then do "up --export" and use aws cli to update your cloudformation stack.

Gary Denner

Jun 10, 2016, 4:00:42 PM
to CoreOS Dev, brandon...@coreos.com
Hi Colin
My external DNS name is set to 

externalDNSName: kube.beta2.mydomain.com in the cluster.yaml and it's correct

If I run a sudo /usr/local/bin/kubectl --kubeconfig=kubeconfig cluster-info it returns

Kube Master is running at https://kube.beta2.mydomain.com
Heapster is running at https://kube.beta2.mydomain.com/api/v1/proxy/namespaces/kube-system/services/heapster
KubeDNS is running at https://kube.beta2.mydomain.com/api/v1/proxy/namespaces/kube-system/services/kube-dns

But if I run sudo /usr/local/bin/kubectl --kubeconfig=kubeconfig get nodes it returns nothing.

mydomain.com is registered in AWS Route 53 as a registered domain.

Thanks
Gary