Hi Team,
When I try to install an EKS cluster I get the error below.
Can you help with this issue?
Error: Post "https://0964692BCB2AC7F55C5ABBDBC1DD6A70.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/configmaps": x509: certificate signed by unknown authority
on allow_nodes.tf line 17, in resource "kubernetes_config_map" "aws_auth":
17: resource "kubernetes_config_map" "aws_auth" {
###############################allow_nodes.tf###############
########################################################################################
# setup provider for kubernetes
data "external" "aws_iam_authenticator" {
  program = ["sh", "-c", "aws-iam-authenticator token -i example | jq-win64.exe -r -c .status"]
}
provider "kubernetes" {
  host = "${aws_eks_cluster.tf_eks.endpoint}"
  cluster_ca_certificate = "${base64decode(aws_eks_cluster.tf_eks.certificate_authority.0.data)}"
  token = "${data.external.aws_iam_authenticator.result.token}"
  load_config_file = false
  version = "~> 1.5"
}
# Allow worker nodes to join cluster via config map
resource "kubernetes_config_map" "aws_auth" {
  metadata {
    name = "aws-auth"
    namespace = "kube-system"
  }
  data = {
    mapRoles = <<EOF
- rolearn: ${aws_iam_role.tf-eks-node.arn}
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
EOF
  }
  depends_on = [
    "aws_eks_cluster.tf_eks",
    "aws_autoscaling_group.tf_eks",
  ]
}
I also need help from @admins; I have the same problem with deployments and services.
Error: Failed to create deployment: Post "https://XXXXX.xx.region.eks.amazonaws.com/apis/apps/v1/namespaces/default/deployments": x509: certificate signed by unknown authority
on main.tf line 117, in resource "kubernetes_deployment" "example":
117: resource "kubernetes_deployment" "example" {
Error: Post "https://XXXXX.xxx.region.eks.amazonaws.com/api/v1/namespaces/default/services": x509: certificate signed by unknown authority
on main.tf line 162, in resource "kubernetes_service" "example":
162: resource "kubernetes_service" "example" {
Error: Post "https://xxxx.xxx.region.eks.amazonaws.com/api/v1/namespaces/kube-system/configmaps": x509: certificate signed by unknown authority
on .terraform/modules/eks/aws_auth.tf line 64, in resource "kubernetes_config_map" "aws_auth":
64: resource "kubernetes_config_map" "aws_auth" {
Did anyone manage to solve this? Just stumbled upon the same problem after recreating an EKS cluster…
Did you try refreshing the token?
In my case it was me being dumb and base64 encoding the CA cert instead of decoding…
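A way to check for the encoding mix-up mentioned above before it reaches the provider, as an added example that is not part of the thread or of any Terraform provider: it reports whether a value intended for cluster_ca_certificate is already PEM, is still base64 of PEM (the shape of certificate_authority.0.data), or has been base64-encoded a second time. The function names and the sample data are assumptions made for the illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----"
)

def _b64decode_text(value):
    """Strictly base64-decode value to ASCII text, or return None on failure."""
    try:
        return base64.b64decode("".join(value.split()), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def _is_pem_certificate(value):
    """True if value has PEM armor whose body decodes to a DER SEQUENCE (0x30)."""
    match = PEM_RE.search(value)
    if not match:
        return False
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except binascii.Error:
        return False
    return der[:1] == b"\x30"

def classify_ca_value(value):
    """Return 'pem', 'base64-of-pem', 'double-base64' or 'invalid'."""
    if _is_pem_certificate(value):
        return "pem"              # what cluster_ca_certificate expects
    once = _b64decode_text(value)
    if once is None:
        return "invalid"
    if _is_pem_certificate(once):
        return "base64-of-pem"    # base64decode() was never applied
    twice = _b64decode_text(once)
    if twice is not None and _is_pem_certificate(twice):
        return "double-base64"    # base64encode() used instead of base64decode()
    return "invalid"

# Constructed placeholder, NOT a real certificate: PEM armor around bytes
# that merely start with the DER SEQUENCE tag.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x82\x00\x04test").decode()
              + "\n-----END CERTIFICATE-----\n")
API_VALUE = base64.b64encode(SAMPLE_PEM.encode()).decode()   # as returned by EKS
MISENCODED = base64.b64encode(API_VALUE.encode()).decode()   # encoded once more
```

Only the "pem" result is usable as cluster_ca_certificate; the check looks at encoding layers only and does not validate the certificate itself.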
Just ran into this as well, I believe this is the first time we have run updates on our clusters since upgrading to 0.14.5. The solution for us was a modification in the kubernetes provider block, but only for the first apply (even an empty apply will fix it).
We had to change from this:
provider "kubernetes" {
  token = data.aws_eks_cluster_auth.eks.token
  host = aws_eks_cluster.eks_cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority.0.data)
}
To this:
provider "kubernetes" {
  token = data.aws_eks_cluster_auth.eks.token
  host = aws_eks_cluster.eks_cluster.endpoint
  insecure = true
  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    args = ["eks", "get-token", "--cluster-name", var.cluster_name]
    command = "aws"
  }
}
Then we ran terraform apply and we were able to revert the config back to just using the data block to look up the token and certificate. Weird.
Hope this helps someone else!