Pod injected with istio-sidecar are not created - kubernetes

I have installed istio with below command.
istioctl install --set profile=default -y
And I created istio-injection=enabled label to specific namespace.
But, Replicaset of that namespace occur below error.
Warning FailedCreate 12m (x20 over 53m) replicaset-controller Error creating: Internal error occurred: failed calling webhook "namespace.sidecar-injector.istio.io": Post "https://istiod.istio-system.svc:443/inject?timeout=10s": context deadline exceeded
So I used the below command in another container.
Command
curl https://istiod.istio-system.svc:443/inject
Out
Client sent an HTTP request to an HTTPS server.
root#general-component-b477fd4b8-qdfqn:/# curl https://istiod.istio-system.svc:443/inject
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
root#general-component-b477fd4b8-qdfqn:/# curl http://istiod.istio-system.svc:80/inject
curl: (7) Failed to connect to istiod.istio-system.svc port 80: Connection timed out
root#general-component-b477fd4b8-qdfqn:/# curl https://istiod.istio-system.svc:443/inject
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
There seems to be a problem with SSL, but I just did a basic install.
How can i solve this problem?

Related

gcloud unable to get local issuer certificate

Behind a corporate firewall with Symantec WSS agent.
I get this error
ERROR: (gcloud.compute.start-iap-tunnel) There was a problem refreshing your current auth tokens: HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
Please run:
I tried
gcloud config set auth/disable_ssl_validation True
I also pulled the certificate chain with
openssl s_client -showcerts oauth2.googleapis.com:443
and then
gcloud config set core/custom_ca_certs_file c:/temp/certs.pem
No matter what it won't get past the certificate check
I thought that disabling SSL validation would work, but it doesn't

Getting Unable to connect to the server: x509: certificate is valid for ingress.local, not rancher

As part of renewing our cluster certificate we have accidentally deleted our "tls-rancher-ingress secret" from local cluster, after that we are unable to access cluster through kubectl and getting error like "Getting Unable to connect to the server: x509: certificate is valid for ingress.local, not rancher",please guide us if there is any way to add the secret again without using kubectl?

Configuring HTTPS to a Web Service kubernetes dashboard

I just installed the kubernetes dashboard. I would like to access it in HTTPS and not in HTTP. Unfortunately when I enter the URL https://10.109.0.xx:6443
I have an error telling me that the connection is not secure.
And I would just like to avoid this kind of mistake.
Do you have any idea how I can fix this problem?
so when i want to run helm ls --tls i get the error certificate signed by unknown authority as you can see below
I have succeeded to signa URL https://xxx.cloud.net/ to go directly to the kubernetes dashboard .
# helm ls --tls
Error: Get https://10.109.0.xx:6443/api/v1/namespaces/kube-system/pods?labelSelector=app%3Dhelm%2Cname%3Dtiller: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")

Facebook GraphAPI doesn't allow LetsEncrypt?

Is there a reason why Facebook doesn't allow LetsEncrypt signed certificates in their "app development" section?
I keep getting this error:
(For the untrained eye, this is me trying to setup a webhook for new messages notifications)
Blurred out the host, but it's a valid host and using chrome or firefox on Linux and Windows doesn't give any errors.
SSLLabs also says the site is perfectly valid.
Running curl https://... on my own host, sure enough I get the same error,
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
So my question is, why have Facebook (that openly supports LetsEncrypt) decided to use default curl CA bundle to verify the callback-url of an app? If that doesn't allow LetsEncrypt?
It appears to be counterproductive to me.
Is there a way around this?
SSLLabs also says the site is perfectly valid.
It shows a warning in orange, that the certificate chain is incomplete.
Your server should present all necessary intermediate certificates as well, in addition to the certificate issued for your domain. (Which was simply forgotten here by mistake.)

How to display a server's certificate when the cert is signed by an unknown CA?

I have a server that is giving me TLS problems and I would like to view the cert it is presenting in order to help diagnose the issue. Normally, I would use openssl to display the cert like so:
$ openssl s_client -connect facebook.com:443
However, I don't know what CA signed this server's cert. I thought it was our internal CA but testing suggests otherwise. Thus I cannot use openssl's -CAfile or -CApath flags to specify the CA.
One more restriction. The server is not an HTTP server (it's postgres), otherwise I would just use curl --insecure.
I tried using the -verify flag because according to OpenSSL's documentation:
The verify depth to use. This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure.
It claims to continue after all errors so all problems can be seen. However, all I get is:
1737:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
That is the error message I get with or without -verify.
So how can I view the certificate presented by the server?