kubectl unable to connect to server: x509: certificate signed by unknown authority

Tags: ssl, kubernetes, kubectl

Ssl Problem Overview


I'm getting an error when running kubectl on one machine (Windows).

The k8s cluster is running on CentOS 7 (Kubernetes 1.7, one master and one worker).

Here's my .kube\config:


apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.12.7:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:localhost.localdomain
  name: system:node:localhost.localdomain@kubernetes
current-context: system:node:localhost.localdomain@kubernetes
kind: Config
preferences: {}
users:
- name: system:node:localhost.localdomain
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED


The cluster is built using kubeadm with the default certificates in the pki directory.

kubectl unable to connect to server: x509: certificate signed by unknown authority

Ssl Solutions


Solution 1 - Ssl

One more solution in case it helps anyone:

My scenario:

  • using Windows 10
  • Kubernetes installed via Docker Desktop UI 2.1.0.1
  • the installer created config file at ~/.kube/config
  • the value in ~/.kube/config for server is https://kubernetes.docker.internal:6443
  • using proxy

Issue: kubectl commands to this endpoint were going through the proxy. I figured it out after running kubectl --insecure-skip-tls-verify cluster-info dump, which displayed the proxy HTML error page.

Fix: just make sure that this URL doesn't go through the proxy; in my case, in bash, I used export no_proxy=$no_proxy,*.docker.internal

Solution 2 - Ssl

Run:

gcloud container clusters get-credentials standard-cluster-1 --zone us-central1-a --project devops1-218400

Here devops1-218400 is my project name. Replace it with your project name.

Solution 3 - Ssl

So kubectl doesn't trust the cluster, because for whatever reason the configuration has been messed up (mine included). To fix this, you can use openssl to extract the certificate from the cluster:

openssl.exe s_client -showcerts -connect IP:PORT

IP:PORT should be what is written after server: in your config.

Copy-paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (these lines included) into a new text file, say myCert.crt. If there are multiple entries, copy all of them.

Now go to .kube\config and instead of

certificate-authority-data: <wrongEncodedPublicKey>

put

certificate-authority: myCert.crt

(This assumes you put myCert.crt in the same folder as the config file.) If you made the cert correctly it will trust the cluster (I tried renaming the file and it no longer trusted it afterwards). I wish I knew what encoding certificate-authority-data uses, but after a few hours of googling I resorted to this solution, and looking back I think it's more elegant anyway.
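An added example (not from the answer above, nor Kubernetes' own code) covering the encoding the author wondered about: certificate-authority-data is simply the whole PEM file base64-encoded, so the inline form and the certificate-authority: myCert.crt form are interchangeable. The fingerprint helpers produce the same format as openssl x509 -noout -fingerprint -sha256, so the CA embedded in a kubeconfig can be checked against what s_client -showcerts returned. The PEM body and the kubeconfig snippet in the test are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# Constructed stand-in for a CA certificate file: the body is base64 of arbitrary
# bytes, NOT a real X.509 certificate. It only exercises the PEM/base64 plumbing.
FAKE_BODY = base64.b64encode(b"constructed bytes standing in for DER").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_BODY}\n-----END CERTIFICATE-----\n"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def ca_data_from_pem(pem: str) -> str:
    """Encode a PEM file the way kubeconfig stores it in certificate-authority-data:
    plain base64 of the whole file, header lines included."""
    return base64.b64encode(pem.encode()).decode()

def pem_from_ca_data(ca_data: str) -> str:
    """Inverse: recover the PEM text, ready to be written to myCert.crt and
    referenced with certificate-authority: instead of the inline data."""
    return base64.b64decode(ca_data).decode()

def der_blocks(pem: str) -> list[bytes]:
    """DER bytes of every CERTIFICATE block in a PEM bundle (e.g. s_client output)."""
    return [base64.b64decode(re.sub(r"\s+", "", m)) for m in PEM_BLOCK.findall(pem)]

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the format printed by
    `openssl x509 -noout -fingerprint -sha256`, so the two can be compared."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def kubeconfig_ca_fingerprints(kubeconfig: str) -> list[str]:
    """Fingerprint every CA embedded in certificate-authority-data fields
    (a regex is used so no YAML library is required)."""
    fps = []
    for m in re.finditer(r"certificate-authority-data:\s*(\S+)", kubeconfig):
        fps.extend(sha256_fingerprint(d) for d in der_blocks(pem_from_ca_data(m.group(1))))
    return fps

def shares_ca(kubeconfig: str, presented_chain_pem: str) -> bool:
    """True if a kubeconfig CA is among the certs the server presented. A False is
    inconclusive when the server sends only its leaf; then use openssl verify -CAfile."""
    presented = {sha256_fingerprint(d) for d in der_blocks(presented_chain_pem)}
    return any(fp in presented for fp in kubeconfig_ca_fingerprints(kubeconfig))
```

Feed shares_ca the text of your kubeconfig and a file holding the s_client -showcerts output; a mismatch means the embedded CA is not the one the API server is using, which is exactly what the x509 error reports.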

Solution 4 - Ssl

I got the same error while running $ kubectl get nodes as the root user. I fixed it by exporting kubelet.conf to an environment variable.

$ export KUBECONFIG=/etc/kubernetes/kubelet.conf
$ kubectl get nodes

Solution 5 - Ssl

In my case, it simply worked by adding --insecure-skip-tls-verify at the end of kubectl commands, for a single run.

Solution 6 - Ssl

Sorry I wasn't able to provide this earlier, I just realized the cause:

So on the master node we were running a kubectl proxy:

kubectl proxy --address 0.0.0.0 --accept-hosts '.*'

I stopped this and voilà, the error was gone.

I'm now able to do:

kubectl get nodes
NAME                    STATUS    AGE       VERSION
centos-k8s2             Ready     3d        v1.7.5
localhost.localdomain   Ready     3d        v1.7.5

I hope this helps those who stumbled upon this scenario.

Solution 7 - Ssl

In my case I resolved this issue by copying the kubelet configuration to my home kube config:

cat /etc/kubernetes/kubelet.conf > ~/.kube/config

Solution 8 - Ssl

This was happening because my company's network does not allow self-signed certificates through their network. Try switching to a different network.

Solution 9 - Ssl

For those of you that were late to the thread like I was and none of these answers worked for you I may have the solution:

When I copied over my .kube/config file to my Windows 10 machine (with kubectl installed), I didn't change the IP address from 127.0.0.1:6443 to the master's IP address, which was 192.168.x.x (a Windows 10 machine connecting to a Raspberry Pi cluster on the same network). Make sure that you do this and it may fix your problem like it did mine.

Solution 10 - Ssl

On GCP:

Check: gcloud version

localMacOS# gcloud version

Run:

localMacOS# gcloud container clusters get-credentials 'clusterName' --zone=us-'zoneName'

Get clusterName and zoneName from your console, here: https://console.cloud.google.com/kubernetes/list?

ref: .x509 @market place deployments on GCP #Kubernetes

Solution 11 - Ssl

In case of the error you should export all the kubecfg which contains the certs:

export KOPS_STATE_STORE=s3://<paste your S3 store>
kops export kubecfg <your cluster-name>

Now you should be able to access and see the resources of your cluster.

Solution 12 - Ssl

This is an old question but in case that also helps someone else here is another possible reason.

Let's assume that you have deployed Kubernetes as user x. If the .kube dir is under /home/x and you connect to the node as root or as user y, it will give you this error.

You need to switch to the user profile so kubernetes can load the configuration from the .kube dir.

Update: When copying the ~/.kube/config file content from a master node to a local PC, make sure to replace the hostname of the load balancer with a valid IP. In my case the problem was related to the DNS lookup.

Hope this helps.

Solution 13 - Ssl

I got this because I was not connected to the office's VPN.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type        Original Author    Original Content on Stackoverflow
Question            bherto39           View Question on Stackoverflow
Solution 1 - Ssl    sapeish            View Answer on Stackoverflow
Solution 2 - Ssl    stalin             View Answer on Stackoverflow
Solution 3 - Ssl    Tudor              View Answer on Stackoverflow
Solution 4 - Ssl    Lukasz Dynowski    View Answer on Stackoverflow
Solution 5 - Ssl    Mithun Biswas      View Answer on Stackoverflow
Solution 6 - Ssl    bherto39           View Answer on Stackoverflow
Solution 7 - Ssl    hrene              View Answer on Stackoverflow
Solution 8 - Ssl    leo                View Answer on Stackoverflow
Solution 9 - Ssl    AJRohrer           View Answer on Stackoverflow
Solution 10 - Ssl   Michael Wiley      View Answer on Stackoverflow
Solution 11 - Ssl   JohnBegood         View Answer on Stackoverflow
Solution 12 - Ssl   Thanos             View Answer on Stackoverflow
Solution 13 - Ssl   xavierc            View Answer on Stackoverflow