rbuck
February 21, 2018, 7:26pm
1
Ordinarily a Kubernetes API server certificate has the following lines:
X509v3 Subject Alternative Name:
DNS:minikubeCA, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:192.168.9
Certs created by Rancher for the API server don’t. Instead they have:
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:54.236.11.222
Here’s the rub… Containers that call the API server using a ServiceAccount fail with the following error:
Could not connect to cluster API: java.security.cert.CertificateException: No subject alternative DNS name matching kubernetes.default.svc found.
Why? And how can we work around this issue with Rancher?
rbuck
February 21, 2018, 7:42pm
2
From the Kubernetes forum/issues pages:
"There are a couple of SANs (alternative names) that should be added to your api server certificate to help make services that run on your cluster portable & the api server address validate successfully. These are:
kubernetes.default.svc
kubernetes.default.svc.cluster.local
"You will need to regenerate your api server certificates with these SANs. IIRC you can use oadm ca a bit like this:
oadm ca create-server-cert --cert=master.server.crt --key=master.server.key --hostnames=kubernetes.default.svc,kubernetes.default.svc.cluster.local,localhost,openshift.default.svc.cluster.local,127.0.0.1
But your certs don’t seem to have these. Is there a step / procedure to resolve this?
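As an added check (my own example, not code from this thread or from Rancher): feed the `X509v3 Subject Alternative Name` line printed by `openssl x509 -text -noout -in <cert>` to the script below and it reports which in-cluster names the cert fails to cover, applying the same exact/single-label-wildcard matching a TLS client uses. The REQUIRED_SANS list is an assumption built from the two names quoted above plus their short forms; the sample SAN lines are constructed from this thread (the truncated IP on the upstream line is dropped).

```python
import ipaddress

# Assumed list: names an in-cluster client may use to reach the API server.
REQUIRED_SANS = (
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
)

def parse_san_line(line):
    """Split 'DNS:a, IP Address:1.2.3.4' as printed by `openssl x509 -text`
    into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in line.split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            dns.append(entry[len("DNS:"):].lower())
        elif entry.startswith("IP Address:"):
            ips.append(ipaddress.ip_address(entry[len("IP Address:"):]))
    return dns, ips

def dns_name_matches(pattern, hostname):
    """Hostname check the way a TLS client does it: exact match, or a
    leftmost '*' label standing in for exactly one label (RFC 6125)."""
    hostname = hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # e.g. ".default.svc"
    head = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return head != "" and "." not in head     # wildcard must eat one label

def missing_sans(san_line, required=REQUIRED_SANS):
    """Return the required names that no DNS SAN in the certificate covers."""
    dns, _ = parse_san_line(san_line)
    return [n for n in required if not any(dns_name_matches(p, n) for p in dns)]

# Constructed inputs: the SAN lines quoted in the thread (truncated IP dropped).
UPSTREAM_SAN = ("DNS:minikubeCA, DNS:kubernetes.default.svc.cluster.local, "
                "DNS:kubernetes.default.svc, DNS:kubernetes.default, "
                "DNS:kubernetes, DNS:localhost")
RANCHER_SAN = "DNS:localhost, IP Address:54.236.11.222"

if __name__ == "__main__":
    for label, san in (("upstream", UPSTREAM_SAN), ("rancher", RANCHER_SAN)):
        print(label, "missing:", missing_sans(san) or "none")
```

For the Rancher cert above this lists all four names, which is exactly why a client dialing kubernetes.default.svc fails verification.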
rbuck
February 21, 2018, 8:15pm
3