kubebox: Error "Unable to verify first certificate" on connection

I cannot log in to a cluster if my cluster CA is in the form of certificate-authority-data

(from .kube/config …)

- cluster:
    certificate-authority-data: asdfasdfasdfasdfasfdasdfasdfasdf

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 6
  • Comments: 27 (13 by maintainers)

Most upvoted comments

One possible cause could be the difference between root CA sourced from Node compared to Golang.

Golang sources from: https://golang.org/src/crypto/x509/root_linux.go
While Node sources from: https://github.com/nodejs/node/blob/v11.x/src/node_root_certs.h

The NODE_EXTRA_CA_CERTS environment variable is used by Node as a way to add extra CA certificates, as documented in https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file. It must be a file containing certificates in PEM format.

From the Node documentation, neither the well known nor extra certificates are used when the ca options property is explicitly specified for a TLS or HTTPS client, which is what Kubebox is doing when the certificate-authority-data field is present in the kubeconfig file. So that may explain why the error occurs when certificate-authority-data is present.

It’d be awesome if someone facing the issue could try setting the NODE_EXTRA_CA_CERTS, with a file containing certificates from https://golang.org/src/crypto/x509/root_linux.go.

For the error occurring with certificate-authority-data present in kubeconfig file, it may be that intermediate certificates have to be bundled in the field, e.g.:

$ cat \
 cert.pem \
 intermediate-cert.pem \
 ...
 > fullchain.pem

If someone facing the issue for that case could do the test, that’d be awesome as well.

Otherwise, it’d be great if someone facing the issue could confirm the above, by providing the server certificate full chain, and the non-redacted certificate-authority-data value if present.

@cscetbon let me re-open #21 then.