minikube: Importing Corporate Root CA is not working as advertised
According to merge https://github.com/kubernetes/minikube/pull/5015 and https://minikube.sigs.k8s.io/docs/tutorials/untrusted_root_certificate/ I should be able to drop my corporate root certificate into my $home\.minikube\certs directory and it would get copied to the minikube vm during startup. I have done this and I see evidence of this in the vm (output below), however it only creates symlinks in the /etc/ssl/certs folder and there are no files there. Attempting to use curl from within the VM returns a problem with the TLS trust.
I have confirmed that if I manually create the file in the /etc/ssl/certs folder it resolves the issue.
Expected Result:
Copying my root certificate into the $home\.minikube\certs folder (as PEM format) and then starting the vm should copy the file to the vm's /etc/ssl/certs folder, which will resolve TLS connection issues protected by our corporate root certificate. After this, ssh'ing into the vm ( minikube ssh ) and then calling the service ( curl https://service.domain:0000 ) should succeed.
Actual Results:
A symlink is created in the /etc/ssl/certs folder, but not the actual certificate file.
After this ssh’ing into the vm ( minikube ssh ) and then calling the service ( curl https://service.domain:0000 ) returns an error:
In the output below, lbrtca01-ca.pem is my corporate root certificate.
PS D:\Projects\LEAF\Kubernetes\Config> dir $home\.minikube\certs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/29/2020 2:25 PM 1679 ca-key.pem
-a---- 1/29/2020 2:25 PM 1046 ca.pem
-a---- 1/29/2020 2:25 PM 1086 cert.pem
-a---- 1/29/2020 2:25 PM 1675 key.pem
-a---- 2/10/2020 11:03 AM 2062 lbrtca01-ca.pem
-a---- 2/10/2020 11:04 AM 1984 legacy01-svcert01-ca.pem
PS D:\Projects\LEAF\Kubernetes\Config> minikube ssh
_ _
_ _ ( ) ( )
___ ___ (_) ___ (_)| |/') _ _ | |_ __
/' _ ` _ `\| |/' _ `\| || , < ( ) ( )| '_`\ /'__`\
| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )( ___/
(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)
$
$ ls -l /etc/ssl/certs | grep -i 'lbrt'
lrwxrwxrwx 1 root root 30 Feb 10 17:44 9373d18b.0 -> /etc/ssl/certs/LBRTCA01-CA.pem
$ sudo cat /etc/ssl/certs/LBRTCA01-CA.pem
cat: /etc/ssl/certs/LBRTCA01-CA.pem: No such file or directory
$
$ openssl s_client -connect dnaleafas.legacy01.legacybank.com:10001
CONNECTED(00000003)
depth=1 DC = com, DC = LegacyBank, DC = Legacy01, CN = Legacy01-SVCERT01-CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=DNALEAFAS.Legacy01.LegacyBank.com
i:/DC=com/DC=LegacyBank/DC=Legacy01/CN=Legacy01-SVCERT01-CA
1 s:/DC=com/DC=LegacyBank/DC=Legacy01/CN=Legacy01-SVCERT01-CA
i:/DC=com/DC=LegacyBank/DC=Legacy01/CN=LBRTCA01-CA
---
I am running minikube version v.1.7.1 with the Hyper-V VM driver on Windows 10 Enterprise Version 1809 x64.
Thank You
- State: closed
- Created 4 years ago
- Comments: 17 (13 by maintainers)
Sent out a fix PR. The underlying issue was a combination of an inverted boolean check and inverting the arguments to ln. Somehow, after 25 years of using UNIX, I can never get `ln -s` arguments correct. I've added a comprehensive integration test for certificate synchronization so that this feature does not unexpectedly break in the future.
Thank you @CrossBound for the comprehensive bug report.
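The sync the report expects, written out as an added shell example (not minikube's code): copy the PEM into the trust directory, create the OpenSSL subject-hash symlink with `ln -s` target first, link name second, and then check that no link in the directory dangles, which is exactly the symptom shown above. The hash argument is assumed to come from `openssl x509 -noout -hash -in FILE`; the function names and the constructed PEM used in the check are my own.

```shell
#!/bin/sh
# Added example, not minikube's own code.
set -eu

# install_ca_cert SRC DEST_DIR HASH
#   SRC      PEM file on the host (e.g. ~/.minikube/certs/lbrtca01-ca.pem)
#   DEST_DIR trust directory inside the VM (e.g. /etc/ssl/certs)
#   HASH     OpenSSL subject hash, obtained with: openssl x509 -noout -hash -in SRC
# The file is copied first; the link is then created as `ln -s TARGET LINKNAME`.
# Swapping those two arguments yields a link named after the PEM pointing at
# the hash, which is the kind of mistake the fix PR corrected.
install_ca_cert() {
    src=$1; dest_dir=$2; hash=$3
    name=$(basename "$src")
    cp "$src" "$dest_dir/$name"
    # choose the first free .N suffix, as c_rehash does for hash collisions
    n=0
    while [ -e "$dest_dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$dest_dir/$name" "$dest_dir/$hash.$n"
    printf '%s\n' "$dest_dir/$hash.$n"
}

# dangling_links DIR: print each symlink in DIR whose target does not exist.
# In the report, 9373d18b.0 -> LBRTCA01-CA.pem would be listed here.
dangling_links() {
    dir=$1
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        [ -e "$f" ] || printf '%s\n' "$f"
    done
}

# verify_ca_installed DEST_DIR NAME: succeed only if the PEM is really present
# and no symlink in the trust directory dangles.
verify_ca_installed() {
    dest_dir=$1; name=$2
    [ -f "$dest_dir/$name" ] || return 1
    [ -z "$(dangling_links "$dest_dir")" ] || return 1
    return 0
}
```

Running `dangling_links /etc/ssl/certs` inside the VM after `minikube start` is a quick way to confirm whether a trust-store sync actually delivered the file or only the link.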