We've been following the guide for automatic sidecar injection in istio-0.5.0 on kubernetes 1.9.2, but have so far been unsuccessful due to certificate issues on the api-server.
When pods are created, the webhook is called, but the api-server rejects the certficate presented by istio-sidecar-injector/inject, stating:
W0205 09:15:27.389473 1 admission.go:257] Failed calling webhook, failing open sidecar-injector.istio.io: failed calling admission webhook "sidecar-injector.istio.io": Post https://istio-sidecar-injector.istio-system.svc:443/inject: x509: certificate signed by unknown authority
E0205 09:15:27.389501 1 admission.go:258] failed calling admission webhook "sidecar-injector.istio.io": Post https://istio-sidecar-injector.istio-system.svc:443/inject: x509: certificate signed by unknown authority
Our API server has been configured with the following flags:
- --allow-privileged=true
- --kubelet-client-certificate=/etc/kubernetes/pki/admin.pem
- --kubelet-client-key=/etc/kubernetes/pki/admin-key.pem
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --tls-ca-file=/etc/kubernetes/pki/ca.pem
- --tls-cert-file=/etc/kubernetes/pki/kube-apiserver-server.pem
- --tls-private-key-file=/etc/kubernetes/pki/kube-apiserver-server-key.pem
- --secure-port=6443
- --enable-bootstrap-token-auth
- --storage-backend=etcd3
- --service-cluster-ip-range=10.254.0.0/16
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --client-ca-file=/etc/kubernetes/pki/ca.pem
- --insecure-port=8080
- --insecure-bind-address=127.0.0.1
- --admissioncontrol=MutatingAdmissionWebhook,Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --authorization-mode=RBAC
- --oidc-issuer-url=https://sts.windows.net/[...removed...]/
- --oidc-client-id=spn:[...removed...]
- --oidc-username-claim=upn
- --oidc-groups-claim=groups
- --v=0
- --advertise-address=10.1.1.200
- --etcd-servers=http://etcd-0:2379,http://etcd-1:2379,http://etcd-2:2379
The certificate has been signed by the ca.pem file, which we have given to the api-server via the --tls-ca-file flag, but still no cigar.
Any ideas out there on how we can get the kubernetes API admission controller to trust the certificate presented by the sidecar-injector?
Related
I am getting below certification error while i am trying to call any API https://:8243/ from a react based frontend application. I have defined my rest API in wso2 EI 6.3. I am not using wso2 APIM.
What i did to resolve this issue:
1. I created a new self signed certificate and created a new key store. Updated carbon.xml, axis2.xml file. Restart the server. I am able to see my certificate in wso2 Ei GUI.
2. I accepted the certificate in browser.
But still i am not able to get rid of this error.
Is this error coming due to self signed certificate? If i will be using any CA signed certificate then this issue will not be there?
Any help or pointer is highly appreciated.
[2020-04-07 08:54:48,841] [-1] [] [HTTPS-Listener I/O dispatcher-2] ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
BR//
Vipin Nirwal
I was able to resolve this issue. I followed the below steps.
I created a self CA first. Then created a certificate signed by my own CA. Import the root certificate of my CA into the browser As this CA needs to be trusted by browser.
After this update carbon.xml, files inside axis2 directory and catalina-server.xml file with proper jks file and password for keystores.
Restarted the server.
You can try to debug it yourself by enabling SSL debug logs in the EI server. In the SSL logs, you can check whether the client certificate and the server certificate is matching. Have a look at the following blog.
https://medium.com/#nipunadilhara/enabling-ssl-debug-logs-for-wso2-products-30833d5de88e
I'm trying to secure our NIFI environment with SSL. I'm gettin the following error:
This site can’t provide a secure connection <I.P> uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I got a Comodo certificate that i requested at my org and got it approved. I have a .key as well which was generated during CSR. I imported the comodo cert into the keystore. Then, I imported both the comodo root cert and .key into truststore. NIFI version is 1.9.2
nifi.properties:
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=mypassword
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=mypassword
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
last few lines of the logs:
2019-07-12 02:29:55,877 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector#45e97963{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2019-07-12 02:29:55,877 INFO [main] org.eclipse.jetty.server.Server Started #28943ms
2019-07-12 02:29:55,906 INFO [main] org.apache.nifi.nar.NarAutoLoader Starting NAR Auto-Loader for directory ./extensions ...
2019-07-12 02:29:55,907 INFO [main] org.apache.nifi.nar.NarAutoLoader NAR Auto-Loader started
2019-07-12 02:29:55,907 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-07-12 02:29:55,907 INFO [main] org.apache.nifi.web.server.JettyServer https://<I.P>:8443/nifi
2019-07-12 02:29:55,907 INFO [main] org.apache.nifi.web.server.JettyServer https://127.0.0.1:8443/nifi
2019-07-12 02:29:55,909 INFO [main] org.apache.nifi.BootstrapListener Successfully initiated communication with Bootstrap
2019-07-12 02:29:55,909 INFO [main] org.apache.nifi.NiFi Controller initialization took 19369037824 nanoseconds (19 seconds).
Can you show the output of using the OpenSSL s_client tool to connect to the host? I'm assuming <I.P> is a manual substitution for the actual host IP? Using this version of NiFi, the certificate must have valid SubjectAlternativeName entries for the hostname(s) and IP address(es) you wish to access the service using.
You also want to ensure that the keystore contains the public certificate and private key. The truststore should contain the public certificate and any CA certificates used to sign it (depending on your threshold for desired specificity on accepting incoming certificates for client certificate authentication).
I am trying to use go get or godep to pull some dependency for my project but I see this in my mac
KALEI-M-V11L:election kalei$ dep ensure
The following issues were found in Gopkg.toml:
✗ unable to deduce repository and source type for "k8s.io/apiextensions-apiserver": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/apiextensions-apiserver?go-get=1": Get https://k8s.io/apiextensions-apiserver?go-get=1: x509: certificate signed by unknown authority
✗ unable to deduce repository and source type for "k8s.io/apimachinery": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/apimachinery?go-get=1": Get https://k8s.io/apimachinery?go-get=1: x509: certificate signed by unknown authority
✗ unable to deduce repository and source type for "k8s.io/client-go": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/client-go?go-get=1": Get https://k8s.io/client-go?go-get=1: x509: certificate signed by unknown authority
✗ unable to deduce repository and source type for "sigs.k8s.io/controller-runtime": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://sigs.k8s.io/controller-runtime?go-get=1": Get https://sigs.k8s.io/controller-runtime?go-get=1: x509: certificate signed by unknown authority
✗ unable to deduce repository and source type for "k8s.io/code-generator": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/code-generator?go-get=1": Get https://k8s.io/code-generator?go-get=1: x509: certificate signed by unknown authority
✗ unable to deduce repository and source type for "k8s.io/api": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/api?go-get=1": Get https://k8s.io/api?go-get=1: x509: certificate signed by unknown authority
If I do curl to https://k8s.io/api?go-get=1, it works perfectly so looks like go doesn't trust the cert somehow.
Is there a way to configure it?
According to the go docs
On UNIX systems the environment variables SSL_CERT_FILE and
SSL_CERT_DIR can be used to override the system default locations for
the SSL certificate file and SSL certificate files directory,
respectively.
Sample
SSL_CERT_FILE=/path/to/x509_encoded_cert_file dep ensure
SSL_CERT_DIR=/path/to/dir/ dep ensure
In mandrill webhook, I added https://xxxx/mandrills/email_bounced_back
The error I got is:
Error: POST to https://xxxx/mandrills/email_bounced_back failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I used https://www.sslshopper.com/ssl-checker to check and seems ok (green)
I am using cPanel & WHM 64.0 (build 20)
I want to create connection to a server with https connection, I want to use self signed ssl key, but when open the connection with Connector.open(url) the following exception is eccured :
javax.microedition.pki.CertificateException: Certificate was issued by an unrecognized entity
com.sun.midp.pki.X509Certificate.verifyChain(), bci=6
- com.sun.midp.ssl.Handshake.parseChain(), bci=106
- com.sun.midp.ssl.Handshake.rcvCert(), bci=92
- com.sun.midp.ssl.Handshake.doHandShake(), bci=77
- com.sun.midp.ssl.SSLStreamConnection.(), bci=161
- com.sun.midp.io.j2me.https.Protocol.connect(), bci=215
- com.sun.midp.io.j2me.http.Protocol.streamConnect(), bci=164
- com.sun.midp.io.j2me.http.Protocol.startRequest(), bci=7
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=33
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=3
- com.sun.midp.io.j2me.https.Protocol.getSecurityInfo(), bci=5
- main.MainMidlet.commandAction(MainMidlet.java:66)
- javax.microedition.lcdui.Display$ChameleonTunnel.callScreenListener(), bci=39
- com.sun.midp.chameleon.layers.SoftButtonLayer.processCommand(), bci=62
- com.sun.midp.chameleon.layers.SoftButtonLayer.soft1(), bci=27
- com.sun.midp.chameleon.layers.SoftButtonLayer.keyInput(), bci=48
- com.sun.midp.chameleon.CWindow.keyInput(), bci=30
- javax.microedition.lcdui.Display$DisplayEventConsumerImpl.handleKeyEvent(), bci=43
- com.sun.midp.lcdui.DisplayEventListener.process(), bci=252
- com.sun.midp.events.EventQueue.run(), bci=130
- java.lang.Thread.run(), bci=5
can any body help me with a sample code to solve problem.
The server's self-signed certificate isn't trusted by the client. Either get it signed by a CA or exported into the client's truststore.