kubectl gives 'x509: certificate signed by unknown authority'


Stephan Grund

Jan 22, 2018, 7:45:32 AM
to CoreOS User
Hi!

When using kubectl to access my cluster I get the following error:

$ kubectl  get nodes
error: error fetching provider config: Get https://llab-tectonic.fokus.fraunhofer.de/identity/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca")

Using the flag '--insecure-skip-tls-verify=true' brings the same result.

Any hints?

TIA,
Stephan

eric....@coreos.com

Jan 22, 2018, 12:08:47 PM
to CoreOS User
Stephan,

It looks like your kubectl OpenID Connect configuration is messed up in some way. https://kubernetes.io/docs/admin/authentication/#using-kubectl 

Our plugin doesn't allow you to skip the certificate check. That's why skip verify doesn't work.

What version of tectonic are you using? What version of kubectl? How did you get your kubeconfig? Have you modified any certs generated by the Tectonic installer?

Eric

Stephan Grund

Jan 23, 2018, 3:55:56 AM
to CoreOS User
Hi Eric,

Thanks for your reply.

To your questions:

On Monday, January 22, 2018 at 18:08:47 UTC+1, eric....@coreos.com wrote:
 It looks like your kubectl OpenID Connect configuration is messed up in some way. https://kubernetes.io/docs/admin/authentication/#using-kubectl 

OK, I will reread this.

What version of tectonic are you using?

1.8.4-tectonic-3 but it also exists on 1.7.9-tectonic-4
 
What version of kubectl?

tested with 1.7.1, 1.8.4 and 1.9.0

How did you get your kubeconfig?

via the tectonic webpage (My Account/Download Configuration)
 
Have you modified any certs generated by the Tectonic installer?
 
no.

I should have mentioned that I'm using kubectl on a Windows 10 client.
After posting my question I tried kubectl on the tectonic installer host
(CentOS 7) and it works.
Before I set up this cluster I tested with tectonic-1.7.1-tectonic.1
and tectonic-1.7.3-tectonic.1 without problems.

Stephan

Stephan Grund

Jan 24, 2018, 3:29:37 AM
to CoreOS User
A little update.

I've also tested from a Mac: kubectl gives the same error as under Windows.
On the tectonic install server (Linux) kubectl can connect to the cluster when
I'm using the kubeconfig file which is generated by the installer
(tectonic_1.8.4-tectonic.3/tectonic-installer/linux/clusters/lernlabor_2018-01-22_11-10-21/generated/auth/kubeconfig):

# ~/src/kubectl --kubeconfig=kubeconfig version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.4", GitCommit:"9befc2b8928a9426501d3bf62f72849d5cbcd5a3", GitTreeState:"clean", BuildDate:"2017-11-20T05:28:34Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.4+coreos.0", GitCommit:"4292f9682595afddbb4f8b1483673449c74f9619", GitTreeState:"clean", BuildDate:"2017-11-21T17:22:25Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

When I download the kubeconfig via the web-gui I get an error:

# ~/src/kubectl --kubeconfig=/root/Downloads/kube-config version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.4", GitCommit:"9befc2b8928a9426501d3bf62f72849d5cbcd5a3", GitTreeState:"clean", BuildDate:"2017-11-20T05:28:34Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: failed to refresh token: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Invalid client credentials."}

So, it's a slightly different error message.
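
One way to compare the two kubeconfig files discussed in this thread, added here as an example and not part of any post: it fingerprints the CA certificates each file embeds (`certificate-authority-data` and the oidc provider's `idp-certificate-authority-data`) and lists any CA in the downloaded file that the installer-generated file does not contain. The sample kubeconfigs, the byte strings standing in for certificates and the `cluster.example` URL are constructed placeholders, and the regex parsing assumes the usual one-line `key: value` layout.

```python
import base64
import hashlib
import re

CA_FIELDS = ("certificate-authority-data", "idp-certificate-authority-data")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def ca_fingerprints(kubeconfig_text):
    """Map each CA field to the SHA-256 fingerprints of the certificates it embeds."""
    found = {}
    for field in CA_FIELDS:
        # Line-based match: assumes the usual one-line 'key: value' kubeconfig layout.
        pattern = rf"^[ \t]*{re.escape(field)}:[ \t]*(\S+)"
        for match in re.finditer(pattern, kubeconfig_text, re.M):
            bundle = base64.b64decode(match.group(1)).decode("ascii")
            for body in PEM_RE.findall(bundle):
                der = base64.b64decode("".join(body.split()))
                found.setdefault(field, set()).add(hashlib.sha256(der).hexdigest())
    return found

def issuer_url(kubeconfig_text):
    """Return the OIDC issuer URL kubectl will contact, or None if none is configured."""
    match = re.search(r"^[ \t]*idp-issuer-url:[ \t]*(\S+)", kubeconfig_text, re.M)
    return match.group(1) if match else None

def unknown_cas(reference_text, candidate_text):
    """CA fingerprints in the candidate kubeconfig that appear nowhere in the reference."""
    known = set().union(*ca_fingerprints(reference_text).values())
    extra = {}
    for field, prints in ca_fingerprints(candidate_text).items():
        if prints - known:
            extra[field] = sorted(prints - known)
    return extra

def b64pem(der):
    """Constructed stand-in: wrap arbitrary bytes the way a kubeconfig embeds a PEM cert."""
    body = base64.b64encode(der).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return base64.b64encode(pem.encode()).decode()

# Constructed sample input, not real certificates or a real cluster.
CURRENT_CA, OLD_CA = b"constructed kube-ca (current)", b"constructed kube-ca (earlier)"
INSTALLER_CFG = f"clusters:\n- cluster:\n    certificate-authority-data: {b64pem(CURRENT_CA)}\n"
DOWNLOADED_CFG = INSTALLER_CFG + (
    "users:\n- user:\n    auth-provider:\n      name: oidc\n      config:\n"
    "        idp-issuer-url: https://cluster.example/identity\n"
    f"        idp-certificate-authority-data: {b64pem(OLD_CA)}\n")

if __name__ == "__main__":
    print(issuer_url(DOWNLOADED_CFG), unknown_cas(INSTALLER_CFG, DOWNLOADED_CFG))
```

The fingerprints are SHA-256 over the DER bytes, so with real files they can be compared against `openssl x509 -noout -fingerprint -sha256` output for the certificate the issuer URL actually serves.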