No subject alternative DNS name matching kubernetes.default.svc found

Ordinarily a Kubernetes API server certificate has the following lines:

        X509v3 Subject Alternative Name: 
            DNS:minikubeCA, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:192.168.9

Certs created by Rancher for the API server don’t. Instead they have:

        X509v3 Subject Alternative Name: 
            DNS:localhost, IP Address:

Here’s the rub… Containers that call the API server using a ServiceAccount fail with the following error:

    Could not connect to cluster API: No subject alternative DNS name matching kubernetes.default.svc found.

Why? And, how can we work around this issue with Rancher?

From the Kubernetes forum/issues pages:

"There are a couple of SANs (alternative names) that should be added to your api server certificate to help make services that run on your cluster portable & the api server address validate successfully. These are:


"You will need to regenerate your api server certificates with these SANs. IIRC you can use oadm ca a bit like this:

    oadm ca create-server-cert --cert=master.server.crt --key=master.server.key --hostnames=kubernetes.default.svc,kubernetes.default.svc.cluster.local,localhost,openshift.default.svc.cluster.local,

But your certs don’t seem to have these. Is there a step / procedure to resolve this?

Is this related?

Or this?
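A way to confirm which in-cluster names a given API server certificate is missing, as an added example that is not part of the original post: it parses the SAN line from `openssl x509 -noout -text` output and applies the same DNS-name match a TLS client performs. The function names, the `REQUIRED_DNS` list (taken from the names quoted above) and the sample certificates with placeholder IPs are assumptions constructed for illustration.

```python
# Added example: helper names and sample data are hypothetical, not Rancher or Kubernetes code.
REQUIRED_DNS = [
    "kubernetes", "kubernetes.default",
    "kubernetes.default.svc", "kubernetes.default.svc.cluster.local",
]

# Constructed samples shaped like the two SAN lines in the post (IPs are placeholders).
MINIKUBE_STYLE = """\
        X509v3 Subject Alternative Name:
            DNS:minikubeCA, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:192.0.2.10
"""
RANCHER_STYLE = """\
        X509v3 Subject Alternative Name:
            DNS:localhost, IP Address:192.0.2.20
"""

def parse_sans(openssl_text):
    """Return (dns_names, ip_addresses) from `openssl x509 -noout -text` output."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            dns = [e[len("DNS:"):].lower() for e in entries if e.startswith("DNS:")]
            ips = [e[len("IP Address:"):] for e in entries if e.startswith("IP Address:")]
            return dns, ips
    return [], []  # no SAN extension present

def dns_matches(pattern, host):
    """Label-wise match; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h

def missing_names(openssl_text, required=REQUIRED_DNS):
    """Names a ServiceAccount client would fail to verify against this certificate."""
    dns, _ = parse_sans(openssl_text)
    return [n for n in required if not any(dns_matches(d, n) for d in dns)]

if __name__ == "__main__":
    for label, text in (("minikube-style", MINIKUBE_STYLE), ("rancher-style", RANCHER_STYLE)):
        print(label, "missing:", missing_names(text) or "none")
```

A certificate that reports `kubernetes.default.svc` as missing will produce the error above for any client that connects using that service name and verifies the hostname.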