Vault status shows x509 certificate signed by unknown authority in k8s v1.20

Hi All

I have followed the standalone server TLS documentation for Vault TLS. Vault is working on k8s versions 1.18 and 1.19. On 1.20, vault status inside the vault server pod displays the following error. Is there a change needed for certificate creation in k8s 1.20?

Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": x509: certificate signed by unknown authority

I have tried changing the signer name to kubernetes.io/kubelet-serving as mentioned in the k8s docs.

Thanks
Guru

Guru,
Did you generate a new certificate in 1.20, or are you using the cert generated in 1.18 or 1.19? The certificate engine / APIs changed in 1.20. Probably not a bad idea to regenerate the certs, deploy them and check.

Thanks for replying.

I am creating the certificate in k8s 1.20.

~Guru

Hi,

I am seeing this issue with k3s 1.19 version as well.

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.13+k3s1", GitCommit:"99eadcc10bce2527ae1ab0964b540a4f52a53504", GitTreeState:"clean", BuildDate:"2021-07-22T20:29:55Z", GoVersion:"go1.15.14", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.13+k3s1", GitCommit:"99eadcc10bce2527ae1ab0964b540a4f52a53504", GitTreeState:"clean", BuildDate:"2021-07-22T20:29:55Z", GoVersion:"go1.15.14", Compiler:"gc", Platform:"linux/amd64"}

This is with a fresh install of k3s 1.19 and also after an upgrade from 1.17 to 1.19.

vault status -ca-cert=/vault/userconfig/vault-secret-tls/vault.ca
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": x509: certificate signed by unknown authority

cat /vault/userconfig/vault-secret-tls/vault.ca

I am using a helm chart to deploy the vault pod and, due to this issue, the pods are stuck in the init state as the webhook also fails.

# generate the private key and the CSR config (SANs cover the service names and 127.0.0.1)
openssl genrsa -out ${TMPDIR}/vault.key 2048
set -e
cat <<EOF >${TMPDIR}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
DNS.3 = ${SERVICE}.${NAMESPACE}.svc
DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
IP.1 = 127.0.0.1
EOF
echo "openssl req -new -key ${TMPDIR}/vault.key -subj \"/CN=${SERVICE}.${NAMESPACE}.svc\" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf"
# the kubelet-serving signer requires CN=system:node:<name> and O=system:nodes
openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=system:node:${SERVICE}.${NAMESPACE}.svc/O=system:nodes" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf
export CSR_NAME=vault-csr
# CSR object for the certificates.k8s.io/v1 API (signerName is mandatory in v1)
cat <<EOF >${TMPDIR}/csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

Any leads will be appreciated.

What is the CA cert you used? From which namespace did you extract the cert?
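Added example, not code from this thread or from Vault: since Vault is written in Go, the check below reproduces what the Vault client does with -ca-cert, so a CA file can be tested against the server certificate before it is put in the TLS secret. It builds a throwaway CA and server certificate in memory (constructed test data; the service name "vault" and namespace "default" in the SANs are assumed), and ChainsTo returns nil for the CA that issued the server cert and the same x509 "certificate signed by unknown authority" error seen above for any other CA file.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net"
	"time"
)
// newCert builds a constructed test certificate: a self-signed CA when parent is nil,
// otherwise a Vault server certificate (SANs as in csr.conf) signed by that parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	} else { // service "vault" in namespace "default" are assumed names
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"vault", "vault.default", "vault.default.svc", "vault.default.svc.cluster.local"}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// PEM renders a certificate the way vault.ca and vault.crt are stored in the TLS secret.
func PEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}
// ChainsTo is the check `vault status -ca-cert` performs: the server certificate
// must verify against the CA bundle for the host or IP being dialed.
func ChainsTo(caPEM, serverPEM []byte, host string) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // an empty or wrong bundle surfaces as UnknownAuthorityError below
	block, _ := pem.Decode(serverPEM)
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	}
	return err // x509.UnknownAuthorityError is the "signed by unknown authority" case from the thread
}
```

Call ChainsTo(PEM(ca), PEM(server), "127.0.0.1") with the CA that signed the server cert and with an unrelated one to see the two outcomes; with real files, replace PEM(...) by the contents of vault.ca and vault.crt.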