I am trying to use my own CAs on k8s for internal https communication.
I read the documentation Certificate Management with kubeadm where I use on my conf file the paths as described:
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
controllerManager:
extraArgs:
cluster-signing-cert-file: /etc/kubernetes/pki/ca.crt
cluster-signing-key-file: /etc/kubernetes/pki/ca.key
When I launch the master prime node I get the following error:
error execution phase certs/apiserver: couldn't load CA certificate ca: ca certificate is not a certificate authority
I tried to find a way to define the authority and I found this Certificates. I do think that this is what I am looking for as this is referring to how to produce your own self signed CAs.
The CAs that I want to apply are from an official authority.
Is there something that I am missing here and I can not figure out?
I am running on 1.19.2 version
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:41:02Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:32:58Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
You have got a private key and server certificate signed by an external CA with it's private key. You really do not have the CA's private key itself.
If you were using the self signed CA option then you actually got the private key of CA with you and kubeadm could use that to sign and generate all the server and client certificates for the control plane components.
You need to follow the External CA mode of kubeadm where in you just provide the ca.crt in /etc/kubernetes/pki/ca.crt location.
This will make use of the server certificate to host Kubernetes API Server over https which is what you are trying to achieve.
Please note the following
In this case you will not be able to use kubernetes to issue certificate by approving certificate signing request because you do not have the private key of the CA to sign a CSR.
Since kubeadm is running in external CA mode; all the certificates for the control plane components must be provided by the user, because kubeadm cannot generate them by itself.
Related
As a part of the POC, I followed the article https://www.ais.com/how-to-configure-point-to-site-vpn-connection-using-azure-certificate-authentication/ and configured Point-to-Site.
In summary: I have created the Root & Client Certificate and configured the Virtual Gateway
Here we are generating the root certificate
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=VPNRoot" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
Here we are generating the client certificate from the root certificate
New-SelfSignedCertificate -Type Custom -DnsName VPNCert -KeySpec Signature -Subject "CN=VPNCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
Now that it works, my goal is to replace the certificates ("Root" and "Client") with production ready certificates.
From the Certificate Authority, what kind of certificates should be requested?
Note: Our Azure Tenant is something like xyznp.onmicrosoft.com
Note that In Azure Point to Site, you can use a root certificate that was generated using an Enterprise solution, or you can generate a self-signed certificate.
Refer : About Azure Point-to-Site VPN connections - Azure VPN Gateway
When you are using the enterprise solution certificate chain in the root certificate, you should acquire the .cer file for the root certificate that want to use.
And generate a client certificate with the common name value format name#yourdomain.com. In your case it should be in the format xyznp#onmicrosoft.com
Refer : Connect to a VNet using P2S VPN & certificate authentication: portal - Azure VPN Gateway
NOTE : Verify the authentication order on the client certificate if you used a certificate that was issued by an Enterprise CA solution and but having trouble for authenticating.
By double-clicking the client certificate, choosing the Details tab, and then selecting Enhanced Key Usage, you can verify the authentication list order like below.
Make sure Client Authentication is listed first. If it isn't, create a client certificate based on the user template with Client Authentication listed as the first item.
Refer: Connect to a VNet using P2S VPN & certificate authentication: portal - Azure VPN Gateway
I am trying to create a TLS secret for our key-cert pair that is issued by Entrust (third party CA) .
The cert has an intermediate CA and a root CA . This documentation has instructions on how to create a TLS secret - but I do not see instructions on how this can be done when we have a root/intermediate CA .
Any inputs would be appreciated.
you can use cert-manager. they can help you to create secret of crt and key with your root ca. you can check there documentation.
install cert-manager
details
I can connect fine with Python to any external https site without this error:
SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))
But I have a local webserver on my laptop with a self-signed certificate that works fine in itself but Python generates an _ssl.c:1108 error when I try to connect to it.
Any ideas?
The python client does not have access and trust the CA certificate that signed the web server certificate. In your case that is the self-signed web server certificate.
To get the python client working, you can do the following:
disable certificate verification. That is not a good idea but I guess is ok for a quick test. The emphasis is on "it is not recommended".
Download the self-signed certificate and make it accessible to the python client and specify it as trusted CA certificate.
Download and install a certificate from well known CAs such as LetsEncrypt (free) or commercial CAs. This is the recommended approach.
You could go into depth on the items mentioned herein and get a conceptual understanding how TLS operates.
EDIT 1: You could also get a free certificate from LetsEncrypt CA. Or you could get a free test certificate from most of the commercial CAs like DigiCert etc. See this link for getting and installing a free test certificate signed by a DigiCert test CA.
See this for details on python client configuration for TLS.
I'm trying to set up Drone using TLS but the drone agent can't connect to the server with the error:
connection failed, retry in 15s. websocket. Dial wss://drone-server:8000/ws/broker: x509: certificate signed by unknown authority
I've generated the necessary files and my docker-compose file for the drone server has DRONE_SERVER_CERT and DRONE_SERVER_KEY values set with the certificates, so I think the only problem is that it's self-signed. But I'm not sure how to set up the certificates with the drone image to have it recognize the certificate's CA. Is there a way to set that up or am I going about this in completely the wrong way?
As far as I understand the drone CLI client, uses the systems' trusted certificate storage as most* applications do. So for your client to start trusting the server's self signed certificate, you should add the CA cert to your system storage.
A good guide on how to install a CA cert can be found in this answer.
*browsers usually have their own CA cert DB
I'm using an autosign script in Puppet to sign certificates. This is actually working, but I'm experimenting a problem when a machine try to request again a certificate (eg. ssl directory is removed). In this cases, a cached certificate is used and obviously does not match with the certificate created by the agent. Here is an example output:
Info: Creating a new SSL key for foo.bar.com
Info: Caching certificate for ca
Info: Caching certificate for foo.bar.com
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 41:B7:ED:3C:EC:A9:EF:A9:51:8C:6C:46:94:B1:30:09:72:2F:CC:D2:13:BA:A5:63:A7:2D:C5:FB:BD:DF:A5:B4
I don't want/can't remove certificates by hand executing puppet cert clean so I tried to use allow_duplicate_certs but seems to be buggy since... quite a lot time.
Do you know any other option to re-autosign a certificate when the host already have a signed certificate in the CA?