Kubernetes login failed with x509: certificate signed by unknown authority


Tene Thomas

Jun 4, 2019, 4:01:33 AM
to Vault
I am using the Kubernetes default service account to log in to Vault. I have configured the K8s service account, token and certificate in Vault.

vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="https://$K8S_HOST:8443" kubernetes_ca_cert="$SA_CA_CRT"

But I am getting the following error during the login process:

https://xxxxxxxx:8443/apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority; nested exception is org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Internal Server Error
	at o.s.v.a.VaultLoginException.create(VaultLoginException.java:64)
	at o.s.v.a.KubernetesAuthentication.login(KubernetesAuthentication.java:107)


How do I resolve this problem?



Michel Vocks

Jun 4, 2019, 4:33:48 AM
to Vault
Hi Tene,

It seems that the certificate used by your Kubernetes API server is not trusted by the Vault host instance.
You need to add a valid and trusted certificate to your Kubernetes API server, or manually add the certificate to the local certificate trust store (which depends on the OS in use) on the host instance running Vault.

Cheers,
Michel

Tene Thomas

Jun 4, 2019, 5:28:56 AM
to Vault
Hi Michel

If I understand right, the error is thrown by k8s when Vault tries to call the TokenReview API, right?
Also, k8s only provided the certificate to Vault.
So how is this a problem? Could you please help me understand?

Thanks
Tene

Michel Vocks

Jun 4, 2019, 9:21:43 AM
to Vault

If I understand right, the error is thrown by k8s when Vault tries to call the TokenReview API, right?
Also, k8s only provided the certificate to Vault.
So how is this a problem? Could you please help me understand?

Vault tries to access the Kubernetes API, which uses HTTPS. When the response arrives with the public certificate from the Kubernetes API, it is checked whether the certificate is trusted or not by validating the signature of the certificate.
Vault (e.g. Go) uses the system trust store to do the signature validation. You can also validate that by manually calling the Kubernetes API via cURL from the host where the Vault instance runs.



Tene Thomas

Jun 4, 2019, 10:37:16 AM
to Vault
Is it the same certificate we gave as kubernetes_ca_cert in vault config for kubernetes?
I executed this command on the Vault host, and I still get the same error:

keytool -import -file public.cert -storetype JKS -keystore server.truststore