Closed anastasiagrinman closed 3 years ago
Same here
Any solutions?
Same issue here. Anyone solve this?
Yes, I have solved the issue by using a valid certificate for the docker registry. Self-signed certificates do not work; only a valid certificate works. Kubernetes has the ability to sign and approve certificates.
Does this work for cert-manager? I get the same error when installing rancher with cert-manager.
Full description of how I'm installing and deploying, here: https://github.com/rancher/rancher/issues/25827
Hi all. I'm stuck here too!
What's the reason
+1
You could issue and sign a certificate for the Nginx ingress, docker registry and other services with the help of Kubernetes.
Download and install CFSSL
brew install cfssl
Create a Certificate Signing Request
mkdir cert && cd cert/
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "myservername-abc.org.com",
    "registry.myservername-abc.org.com",
    "myapp.myservername-abc.org.com",
    "subdomain.myservername-abc.org.com"
  ],
  "CN": "myservername-abc.org.com",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF
Create a Certificate Signing Request (CSR) object to send to the Kubernetes API
cat <<EOF | kubectl apply -f -
# certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22; certificates.k8s.io/v1 also requires spec.signerName
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: myservername-abc.org.com
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
Describe CSR
kubectl describe csr myservername-abc.org.com
Get the Certificate Signing Request Approved
kubectl certificate approve myservername-abc.org.com
Download the Certificate and Use It
kubectl get csr
kubectl get csr myservername-abc.org.com -o jsonpath='{.status.certificate}' | base64 --decode > server.crt
Check the TLS certificate and CSR
openssl x509 -noout -text -in server.crt
openssl req -text -noout -verify -in server.csr
Create a secret with the TLS certificate
kubectl create secret tls nginx-ingress-tls-secret --key server-key.pem --cert server.crt
@alphara I did everything you suggested, but I'm still getting the same error. Is there a way for me to get the faulty certificate? Because reading "this certificate is valid for... not for" and not knowing which cert it is, is not very helpful ^^ Here is the log I get:
kubectl get pods -v=10
I0617 08:42:45.331125 5622 loader.go:375] Config loaded from file: /Users/lucas/.kube/config
I0617 08:42:45.331814 5622 round_trippers.go:423] curl -k -v -XGET -H "User-Agent: kubectl/v1.18.3 (darwin/amd64) kubernetes/2e7996e" -H "Accept: application/json, */*" 'https://192.168.99.100:8443/api?timeout=32s'
I0617 08:42:45.331854 5622 round_trippers.go:423] curl -k -v -XGET 'https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration'
I0617 08:42:45.335723 5622 round_trippers.go:443] GET https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration in 3 milliseconds
I0617 08:42:45.335735 5622 round_trippers.go:449] Response Headers:
I0617 08:42:45.335743 5622 round_trippers.go:443] GET https://192.168.99.100:8443/api?timeout=32s in 3 milliseconds
I0617 08:42:45.335746 5622 round_trippers.go:449] Response Headers:
/*see this line ->*I0617 08:42:45.335778 5622 cached_discovery.go:121] skipped caching discovery info due to Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal
I0617 08:42:45.336104 5622 round_trippers.go:423] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.18.3 (darwin/amd64) kubernetes/2e7996e" 'https://192.168.99.100:8443/api?timeout=32s'
I0617 08:42:45.336131 5622 round_trippers.go:423] curl -k -v -XGET 'https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration'
I0617 08:42:45.338656 5622 round_trippers.go:443] GET https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration in 2 milliseconds
I0617 08:42:45.338665 5622 round_trippers.go:449] Response Headers:
I0617 08:42:45.338671 5622 round_trippers.go:443] GET https://192.168.99.100:8443/api?timeout=32s in 2 milliseconds
I0617 08:42:45.338674 5622 round_trippers.go:449] Response Headers:
/*see this line ->*I0617 08:42:45.338737 5622 cached_discovery.go:121] skipped caching discovery info due to Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal
I0617 08:42:45.338751 5622 shortcut.go:89] Error loading discovery information: Get "https://192.168.99.100:8443/api?timeout=32s": Get "https://keycloak.devlocal/auth/realms/k8s/.well-known/openid-configuration": x509: certificate is valid for ingress.local, not keycloak.devlocal
I would greatly appreciate any help on this !
Hi @Bonjour123,
I assume you are solving a different problem, but try to include the IP address 192.168.99.100 in the list of hosts for issuing a certificate. It would be even more secure to create a subdomain for the IP address, and then include the subdomain in the list of hosts.
Ok, I will surely try. Thanks for the help !
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
@Bonjour123, you need to issue your certificate with CN and hosts set to keycloak.devlocal instead of ingress.local. Also, you may need to have a cert-manager deployed.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
@alphara I am seeing a similar error in my oauth2-proxy pod:
Error redeeming code during OAuth2 callback: error performing request: Post "https://1-1-4-1.ip.linodeusercontent.com/realms/OAuth2-demo/protocol/openid-connect/token": x509: certificate is valid for ingress.local, not 1-1-4-1.ip.linodeusercontent.com
I wanted to access it using HTTP, so I didn't use any secret. I am not sure which secret is causing the issue here, any idea on this?
@hmshashank you probably use a secret with a self-signed certificate or don't use any. I guess you need to set up a certificate for your domain name instead.
@alphara This is my values.yml file:
config:
  clientID: oauth # Replace with your GitHub OAuth app client ID
  configFile: |
    provider = "keycloak"
    provider_display_name="keycloak"
    scope = "openid"
    login_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy/protocol/openid-connect/auth"
    redeem_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy/protocol/openid-connect/token"
    validate_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy/protocol/openid-connect/userinfo"
    profile_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy/protocol/openid-connect/userinfo"
    oidc_issuer_url="http://keycloak.kind.cluster/auth/realms/OAuth2-proxy"
    cookie_secure="false"
    cookie_csrf_per_request="true"
    cookie_csrf_expire="5m"
    # Upstream config
    http_address="0.0.0.0:80"
    email_domains = [ "*" ] # Replace with [ "example.com" ] to limit access to users with specific email domain
    cookie_domains = [ "1-1-1-1.ip.linodeusercontent.com" ] # Replace with domain names that the proxy is allowed to redirect to after auth, prepend . for wildcards, i.e. ".example.com"
    whitelist_domains = [ "1-1-1-1.ip.linodeusercontent.com" ] # Same as above
ingress:
  enabled: true
  path: /oauth2
  pathType: Prefix
  className: nginx
  hosts:
    - 1-1-1-1.ip.linodeusercontent.com
I didn't use any certificates here, all my keycloak endpoints are HTTP, and my ingress annotations for the app are also HTTP.
We work with regex support on server_name, for example: server_name ~^myservername-(?<sub>.+).org.com
We use $sub to define the nginx location, for example: /api/docker/$sub/v2/$1
When using SSL dynamic mode on version 0.26.0, the TLS certificate is not recognized. Error response from daemon: Get https://myservername-abc.org.com: x509: certificate is valid for ingress.local, not myservername-abc.org.com
This works for us with 0.24.0 or lower. Also, it works when we define the server_alias with a non-regex expression, but we need to use the regex for our setup.