k3s: x509: cannot validate certificate for because it doesn't contain any IP SANs

Environmental Info: K3s Version:

k3s version v1.24.4+k3s1 (c3f830e9) go version go1.18.1

Node(s) CPU architecture, OS, and Version:

Linux my.node.fi 4.18.0-372.19.1.el8_6.x86_64 #1 SMP Tue Aug 2 13:42:59 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:

1 server, 3 agents

Describe the bug:

kubectl commands targeted at agents, such as "kubectl logs <pod>" or "kubectl exec …", fail as they are unable to verify the agent TLS certificate:

Exact error: Error from server: Get "https://<worker ip>:10250/containerLogs/development/my-pod-name-7cbd66d77c-rl5xz/my-pod-name": x509: cannot validate certificate for <worker ip> because it doesn't contain any IP SANs

Steps To Reproduce:

  • Installed K3s: curl -sfL https://get.k3s.io | K3S_URL=https://<master hostname>:6443 K3S_TOKEN=<token> sh -

Expected behavior:

The command should work without validation error.

Actual behavior:

Additional context / logs:

Using openssl s_client, the certificate is using the hostname, so either the certificate should include the IP address of the worker node, or the master should use the hostname when connecting to the worker.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 17 (9 by maintainers)

Most upvoted comments

I suspect that what’s happening is that the hetzner cloud-provider is adding additional node addresses, but the Kubelet cert is only valid for the default node address and any addresses that are listed in the node-ip or node-external-ip flags.