
Unable to access K3s cluster from Host system (MacOS, M1) from Lima VM. (`x509: certificate signed by unknown authority`)

Open developer1622 opened this issue 1 year ago • 3 comments

Description

Hi Team,

I really do not know where to post this, so please guide me if this is not the correct place; thanks.

I am unsure if this is a bug or an issue on my side.

I set up K3s in Lima VM in MacOS by using the following link

K3s Set Up in LimaVM

All things are okay in my Lima VM; however, I am unable to access the K8s cluster from my MacOS, though I did the following:

    # $ export KUBECONFIG=$(limactl list k3s --format 'unix://{{.Dir}}/copied-from-guest/kubeconfig.yaml')

On my MacOS (M1 Chip), I am running into the following error when I access the K3s cluster.

On-Host-Machine-MacOS:lima-test ramu$ kubectl get pods -A
E0401 10:16:35.103374   17263 memcache.go:265] couldn't get current server API group list: Get "https://127.0.0.1:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority
Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority

I have tried adding the certificates to the MacOS keychain. However, the keychain says this root certificate cannot be trusted.

Same issue with Rancher Desktop on my MacOS,

===

    client-key-data: REDACTED<Certificate Authority Key>

2024-03-31T19:02:21.682Z: Error starting lima: Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (node:_tls_wrap:1543:34)
    at TLSSocket.emit (node:events:513:28)
    at TLSSocket._finishInit (node:_tls_wrap:962:8)
    at TLSWrap.onhandshakedone (node:_tls_wrap:746:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}

Does anyone know how to resolve this in MacOS with Lima VM where K3s has been installed?

Thanks.

developer1622 Apr 01 '24 05:04

I have followed this article also. Thanks

https://medium.com/nttlabs/containerd-and-lima-39e0b64d2a59

developer1622 Apr 01 '24 09:04

@developer1622 is this still an issue for you? Is it your personal machine or a work machine? I have a feeling that probably you have some proxy environment variable on your host that is causing the request not to hit https://localhost:6443 properly.

Ranjandas Jun 14 '24 08:06

The CA is part of the kubeconfig, so it is supposed to work - as long as it is talking to the right cluster, that is...

afbjorklund Jun 14 '24 08:06