
remote error: tls: bad certificate

Open clarechu opened this issue 4 years ago • 7 comments

Hello, according to your method, I find the following problem in the sidecar-injector-webhook-deployment-57cb9d9954-qqqlt pod log:

remote error: tls: bad certificate

api-server

W0611 14:21:25.798710 1 dispatcher.go:168] Failed calling webhook, failing open sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": Post https://sidecar-injector.istio-system.svc:443/mutate?timeout=30s: x509: certificate signed by unknown authority

clarechu avatar Jun 11 '20 15:06 clarechu

Getting the same error, any news on this?

gabrielecastellano avatar Feb 26 '21 17:02 gabrielecastellano

> Getting the same error, any news on this?

We haven't solved the problem yet?

clarechu avatar Mar 02 '21 13:03 clarechu

Have you solved it now?

clarechu avatar Mar 02 '21 13:03 clarechu

Hello, I am still stuck with that problem and have no hint of what causes it. It seems that the CSR is accepted, but then the server does not recognize the certificate.

gabrielecastellano avatar Mar 05 '21 12:03 gabrielecastellano

Hello, I had this issue on a different project and it turned out that the cause is a deprecation of X.509 CommonName in Go 1.15. The Kubernetes API Server in my cluster had been compiled with Go 1.15. Looking at Kubernetes API server logs I found that this was the cause of the rejection with tls: bad certificate.

Basically -subj "/CN=${service}.${namespace}.svc" in webhook-create-signed-cert.sh is not enough. It also needs -addext "subjectAltName = DNS:${service}.${namespace}.svc"

I haven't tested in this repo, but I believe this is the problem you're facing here.

anjz avatar Jun 11 '21 10:06 anjz

> Hello, I had this issue on a different project and it turned out that the cause is a deprecation of X.509 CommonName in Go 1.15. The Kubernetes API Server in my cluster had been compiled with Go 1.15. Looking at Kubernetes API server logs I found that this was the cause of the rejection with tls: bad certificate.
>
> Basically -subj "/CN=${service}.${namespace}.svc" in webhook-create-signed-cert.sh is not enough. It also needs -addext "subjectAltName = DNS:${service}.${namespace}.svc"
>
> I haven't tested in this repo, but I believe this is the problem you're facing here.

OK, I'll try. Thank you

clarechu avatar Jun 11 '21 11:06 clarechu

The CertificateSigningRequest v1beta1 API has been deprecated in k8s 1.19 and was removed in k8s 1.22, see: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#certificatesigningrequest-v122

It is replaced with the CertificateSigningRequest v1 API, and in the v1 API the signerName is required and limited, so it is no longer suitable for signing a certificate for the webhook server. I changed the code to use a self-generated CA and certificate, see: https://github.com/morvencao/kube-sidecar-injector/pull/38

It also simplifies the deploy steps: we don't need to handle CSR creation and approval. If you're still interested, please refer to the new doc: https://github.com/morvencao/kube-sidecar-injector/blob/master/README.md

morvencao avatar Feb 26 '22 05:02 morvencao
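As an added example (not code from this repository or from any commenter), the Go program below reproduces the two points made in this thread: anjz's observation that a certificate carrying only the -subj "/CN=..." name fails a Go 1.15+ API server's hostname check until the subjectAltName is present, and morvencao's approach of a self-generated CA that needs no CertificateSigningRequest. The CA name "webhook-ca" and the one-day validity are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// sign generates a P-256 key for tmpl, issues it under parent (signer nil = self-signed) and parses it back.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CheckWebhookCert builds a self-generated CA (no CertificateSigningRequest API involved), signs a
// webhook server cert for host and verifies it the way a Go 1.15+ client such as kube-apiserver does:
// chain to the CA, then match host against SAN DNS names only. withSAN=false is the old CN-only cert.
func CheckWebhookCert(host string, withSAN bool) error {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "webhook-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey, err := sign(caTmpl, caTmpl, nil)
	if err != nil {
		return err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: host}} // only what -subj "/CN=${service}.${namespace}.svc" sets
	if withSAN {
		leafTmpl.DNSNames = []string{host} // what -addext "subjectAltName = DNS:..." adds
	}
	leaf, _, err := sign(leafTmpl, ca, caKey)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err // x509.HostnameError for the CN-only cert, nil once the SAN is present
}
```

Running CheckWebhookCert("sidecar-injector.istio-system.svc", false) returns the hostname error that the API server reports as tls: bad certificate, while the same call with withSAN=true returns nil.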