Kube-dns reports x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate

dylanjh...@gmail.com

Jun 10, 2018, 3:45:39 AM6/10/18
to Kubernetes user discussion and Q&A
Kubernetes v1.10.0 with kube-dns 1.14.8, using the gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.8 container image.

I have a self-signed certificate on the apiserver, which understandably throws the usual verification errors if accessed with curl (from the command line of anything) without -k. The log output from kube-dns, however, seems to imply that -k is used, although I can find no evidence of curl actually existing on the container, which leads me to believe that the curl binary is not actually being called, but the curl command is just being output to "help". The existence of toCurl in round_trippers.go seems to back this theory up.
https://github.com/kubernetes/dns/blob/master/vendor/k8s.io/client-go/transport/round_trippers.go:350

The problem I am facing is this error message:

```
I0610 06:47:06.051414 1 round_trippers.go:398] curl -k -v -XGET -H "User-Agent: kube-dns/1.14.10 (linux/amd64)" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp... rest of barer token" -H "Accept: application/vnd.kubernetes.protobuf, */*" https://172.17.0.1:443/api/v1/services?resourceVersion=0
E0610 06:47:05.058513 1 reflector.go:201] k8s.io/dns/pkg/dns/dns.go:189: Failed to list *v1.Endpoints: Get https://172.17.0.1:443/api/v1/endpoints?resourceVersion=0: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "10.16.23.40")
```
10.16.23.40 is the "real" address of my master, 172.17.0.1 is the service address of the master.

Yes, the certificate is self-signed, and therefore "signed by an unknown authority" is understandable, but if it's making the call with -k (or whatever its equivalent is within the code), then that should not be an issue.

Naturally, I can copy & paste that curl command and, while I get a 40X error, I do NOT get a verification error as reported by kube-dns.

I have attached the output of openssl x509 on the certificate served by 172.17.0.1 / 10.16.23.40 for review. Please let me know if you need more information.

How can I get around this problem? Thanks in advance.

Dylan

PS. Below is the certificate information as output by openssl x509 -text:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8b:2b:4c:f3:6b:b5:83:60
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=10.16.23.40
        Validity
            Not Before: Jun 9 12:25:49 2018 GMT
            Not After : Oct 25 12:25:49 2045 GMT
        Subject: C=UK, ST=state, L=Bradford, O=system:nodes, OU=Me, CN=10.16.23.40
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9c:f2:9c:71:a5:d7:91:35:9b:e3:56:02:7a:1a:
                    ac:3e:c1:ee:4f:a4:44:b5:cf:0c:2e:dd:15:39:89:
                    40:ca:0e:66:c5:4d:a1:01:2a:0b:c9:36:32:bd:32:
                    e4:b3:ad:a8:65:d3:04:57:18:2d:83:1c:dd:cf:f8:
                    62:85:70:db:c4:50:84:e5:4a:02:84:e2:9e:d5:4c:
                    c5:9c:ef:2a:ac:70:40:bf:f6:71:39:ea:67:08:65:
                    68:a1:1d:20:8f:a1:54:11:35:12:62:47:2e:a2:c6:
                    57:8d:41:20:d1:46:b1:3b:4a:c4:75:c2:5f:d6:61:
                    40:9b:ed:d4:fa:78:93:b6:e9:b6:21:d7:a7:70:c0:
                    d6:a1:ff:95:ec:27:1d:12:c8:48:0d:d3:42:1c:19:
                    af:86:d6:da:74:ec:fd:0e:1f:ff:21:cd:0a:dc:16:
                    f2:3c:70:16:68:63:9b:a8:03:4f:28:ca:f0:ec:de:
                    4d:85:69:94:cb:5c:8f:bc:66:aa:39:97:2d:88:4e:
                    6c:8e:c6:a1:34:d8:8d:05:f2:7f:a9:62:35:13:43:
                    af:dc:19:3b:ac:ff:30:c3:32:11:da:60:14:a0:6d:
                    07:18:0d:d0:fb:37:80:65:ea:9e:90:1e:13:cd:bc:
                    0f:b2:f6:22:5a:73:5f:41:e1:68:6c:f2:2a:53:17:
                    12:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:10:FA:C6:90:43:72:CE:41:20:A9:7C:09:CB:DB:C3:48:D4:5E:85:DF
                DirName:/CN=10.16.23.40
                serial:CD:94:F9:44:0F:AA:CA:3F

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, DNS:cluster.local, DNS:k8s.comodoca.net, IP Address:10.16.23.40, IP Address:172.17.0.1
    Signature Algorithm: sha256WithRSAEncryption
         8c:a2:66:97:ad:07:08:dd:29:83:5c:6c:d6:74:ed:09:dc:c8:
         f8:07:ad:53:51:6d:a1:44:89:33:71:22:16:b9:20:f5:8b:5c:
         20:68:a6:15:4e:2a:b8:af:7a:ae:97:31:e1:94:70:b5:b4:7e:
         68:24:a3:56:50:15:c8:1f:f7:2b:d3:8b:b7:86:79:dd:ae:ec:
         d8:1b:9e:94:ce:05:17:8f:a4:2f:3f:a7:cb:50:95:86:80:78:
         7a:a8:f5:c4:ef:8c:e1:0d:3f:d4:88:cb:9d:17:bf:14:c2:0a:
         ee:4b:f2:a7:24:40:32:9b:2e:75:ba:12:ca:c0:04:a4:06:65:
         ea:34:19:8d:e3:c4:d8:d7:20:5e:73:4d:b6:fa:9b:06:da:15:
         87:45:80:b0:e5:68:13:65:0b:bd:8c:b9:00:62:d5:5a:31:c1:
         85:1c:ba:0e:9f:0b:47:28:80:b1:98:f1:1e:32:37:93:7b:63:
         63:55:79:2a:56:9d:65:f2:f7:35:40:a2:a6:41:c7:dc:62:7f:
         de:8f:0d:9d:fa:b9:f1:8a:c8:40:0c:0c:16:86:6e:0b:e6:16:
         8b:73:c3:f2:6b:f6:19:c0:1c:35:ee:27:8d:cc:4a:bf:a9:5d:
         cd:6f:b6:8e:33:85:05:5a:21:82:e0:cf:57:d1:30:7b:84:50:
         5a:2c:61:54
```
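The error text quoted in the post is what Go's `crypto/x509` produces when the trust pool holds a CA certificate whose subject matches the issuer of the served certificate but whose key did not sign it: chain building picks the candidate by name, the RSA signature check fails with `crypto/rsa: verification error`, and that failure is surfaced as the "possibly because of" hint. The `-k` in the logged curl line is printed unconditionally by the debug formatter in round_trippers.go and says nothing about the client's TLS settings, which are ordinary CA verification. The program below is an added example, not code from kube-dns or client-go: it builds constructed certificates with the subject and IP SANs from the post and runs the same `x509.Certificate.Verify` that `crypto/tls` performs, showing the accepted chain, the same-name-wrong-key case that reproduces the post's error, and the separate hostname-mismatch error. The helpers `issue`, `caTemplate`, `serverTemplate`, `verifyAgainst` and `scenario` are names chosen for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with parent/parentKey; a nil parent makes tmpl self-signed.
// It returns the parsed certificate and the private key generated for it.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate mirrors the issuer in the post: a CA identified only by CN=10.16.23.40.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// serverTemplate mirrors the apiserver leaf: server auth plus IP SANs for the
// node address and the service address.
func serverTemplate(ips ...string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: ips[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	return tmpl
}

// verifyAgainst performs the check crypto/tls runs for a client connection:
// chain the leaf to a root in the pool, then match the dialed address against
// the SANs. It returns the error text, or "" when the certificate is accepted.
func verifyAgainst(leaf, root *x509.Certificate, dialed string) string {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dialed}); err != nil {
		return err.Error()
	}
	return ""
}

// scenario builds the constructed certificates and returns the three results:
// correct CA, a CA with the same CN but an unrelated key, and a dialed IP
// that is not in the SAN list.
func scenario() (okMsg, staleCAMsg, wrongIPMsg string, err error) {
	ca, caKey, err := issue(caTemplate("10.16.23.40"), nil, nil)
	if err != nil {
		return "", "", "", err
	}
	// Constructed for the example: shares the subject name with ca, nothing else.
	stale, _, err := issue(caTemplate("10.16.23.40"), nil, nil)
	if err != nil {
		return "", "", "", err
	}
	leaf, _, err := issue(serverTemplate("10.16.23.40", "172.17.0.1"), ca, caKey)
	if err != nil {
		return "", "", "", err
	}
	return verifyAgainst(leaf, ca, "172.17.0.1"),
		verifyAgainst(leaf, stale, "172.17.0.1"),
		verifyAgainst(leaf, ca, "10.0.0.1"), nil
}

func main() {
	ok, stale, wrongIP, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("correct CA: %q\nstale CA:   %q\nwrong IP:   %q\n", ok, stale, wrongIP)
}
```

The stale-CA result carries exactly the wording from the kube-dns log, while the wrong-IP result reads `x509: certificate is valid for 10.16.23.40, 172.17.0.1, not 10.0.0.1`, so the two failure modes are distinguishable from the message alone. In a cluster the stale-CA case corresponds to the CA bundle mounted into the pod (the service account's ca.crt) not being the CA that issued the apiserver's serving certificate; comparing the Authority Key Identifier on the served certificate (the keyid 10:FA:... shown in the post) with the Subject Key Identifier of the mounted CA confirms it without any guesswork.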

