TLS handshake error and certificate signed by unknown authority errors

Norman Khine

Sep 12, 2016, 10:08:14 AM
to CoreOS User
Hello, I have set up a CoreOS cluster with 3 etcd and 3 workers. All seems to work well, but I am currently seeing these in my logs:

Sep 06 19:56:29 ip-10-0-0-10 k8s_kube-apiserver.2f8103e3_kube-apiserver-ip-10-0-0-10.ec2.inte: I0906 19:56:29.379753       1 logs.go:41] http: TLS handshake error from 10.0.2.6:40824: EOF


core@ip-10-0-0-166 ~ $ journalctl
-- Logs begin at Sun 2016-09-11 23:18:53 UTC, end at Mon 2016-09-12 13:56:41 UTC. --
Sep 11 23:18:53 ip-10-0-0-166.ec2.internal etcd2[964]: could not get cluster response from https://etcd3.k8s:2380: Get https://etcd3.k8s:2380/members: x509: certificate signed by unknown authority
Sep 11 23:18:53 ip-10-0-0-166.ec2.internal etcd2[964]: proxy: could not retrieve cluster information from the given urls
Sep 11 23:18:54 ip-10-0-0-166.ec2.internal etcd2[964]: could not get cluster response from https://etcd1.k8s:2380: Get https://etcd1.k8s:2380/members: x509: certificate signed by unknown authority
Sep 11 23:18:54 ip-10-0-0-166.ec2.internal etcd2[964]: could not get cluster response from https://etcd2.k8s:2380: Get https://etcd2.k8s:2380/members: x509: certificate signed by unknown authority
Sep 11 23:18:54 ip-10-0-0-166.ec2.internal etcd2[964]: could not get cluster response from https://etcd3.k8s:2380: Get https://etcd3.k8s:2380/members: x509: certificate signed by unknown authority
Sep 11 23:18:54 ip-10-0-0-166.ec2.internal etcd2[964]: proxy: could not retrieve cluster information from the given urls


I used https://github.com/kz8s/tack to set up the cluster.

Any advice is much appreciated.

anthony...@coreos.com

Sep 13, 2016, 3:53:44 PM
to CoreOS User
What command line flags / environment variables are you passing to etcd? Judging by the errors, it looks like the certificates are signed by a custom CA but --peer-trusted-ca-file is missing, so there's no way to verify the certificates can be trusted.

Norman Khine

Sep 14, 2016, 11:59:16 AM
to CoreOS User
Perhaps my certificates are messed up, as per https://github.com/coreos/coreos-kubernetes/issues/152. I will try to rebuild the cluster and see if I can replicate the issue.