kubebox: Error "Unable to verify first certificate" on connection
I cannot log in to a cluster if my cluster CA is in the form of certificate-authority-data
(from .kube/config …)
```yaml
- cluster:
    certificate-authority-data: asdfasdfasdfasdfasfdasdfasdfasdf
```
About this issue
- State: closed
- Created 6 years ago
- Reactions: 6
- Comments: 27 (13 by maintainers)
One possible cause could be the difference between the root CAs sourced by Node compared to Golang.
Golang sources them from https://golang.org/src/crypto/x509/root_linux.go, while Node sources them from https://github.com/nodejs/node/blob/v11.x/src/node_root_certs.h.
The `NODE_EXTRA_CA_CERTS` environment variable is used by Node as a way to add extra CA certificates, as documented in https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file. It must be a file containing certificates in PEM format.

From the Node documentation, neither the well-known nor extra certificates are used when the `ca` options property is explicitly specified for a TLS or HTTPS client, which is what Kubebox is doing when the `certificate-authority-data` field is present in the kubeconfig file. So that may explain why the error occurs when `certificate-authority-data` is present.

It'd be awesome if someone facing the issue could try setting `NODE_EXTRA_CA_CERTS` with a file containing certificates from https://golang.org/src/crypto/x509/root_linux.go.

For the error occurring with `certificate-authority-data` present in the kubeconfig file, it may be that intermediate certificates have to be bundled in the field, e.g.:

If someone facing the issue for that case could be doing the test, that'd be awesome as well.

Otherwise, it'd be great if someone facing the issue could confirm the above, by providing the server certificate full chain, and the non-redacted `certificate-authority-data` value if present.

@cscetbon let me re-open #21 then.