Certificate error when running setup_robot.sh - x509

When running setup_robot.sh per the Cloud Robotics documentation, the certificate is not valid. I get the following error:
Failed to update robot CR my-robot: Failed to get robot my-robot: Get https://www.endpoints.robco-skopecki.cloud.goog/apis/core.kubernetes/apis/registry.cloudrobotics.com/v1alpha1/namespaces/default/robots/my-robot: x509: certificate is valid for ingress.local, not www.endpoints.robco-skopecki.cloud.goog

This problem occurs if letsencrypt did not finish creating the certificate for the cloud-cluster. This might happen during a first-time install. Here is how you can check:
kubectl get certificates cloud-robotics -o yaml
If the output lacks a status, restart the cert-manager:
kubectl delete pod cert-manager-<tab>
Once it has restarted, check the certificate again, and once the status indicates success, you should have your certificate stored as a secret called tls:
kubectl get secrets tls
At this point you can rerun setup_robot.sh.
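The mismatch in the error above is pure hostname matching against the certificate's DNS SANs. The following is an added example (not code from the Cloud Robotics project or from the answer) that implements those matching rules so you can check which names a certificate would cover before pointing an ingress name at it; the hostnames used are the ones from the error plus constructed wildcard cases.

```python
"""Hostname-vs-SAN check behind the "certificate is valid for X, not Y" error.

Added example, not code from the Cloud Robotics project: it applies the same
Subject Alternative Name matching rules that Go's crypto/x509 (used by kubectl
and the robot tooling) applies to DNS names, so you can test which hostnames a
certificate's DNS SANs would cover.
"""


def san_matches(pattern: str, hostname: str) -> bool:
    """True if one DNS SAN pattern covers hostname.

    Matching is case-insensitive; a wildcard is accepted only as the whole
    left-most label and covers exactly one label, so *.cloud.goog matches
    a.cloud.goog but neither cloud.goog nor www.endpoints.cloud.goog.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not hostname or "" in hostname.split("."):
        return False  # empty or malformed hostname never matches
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matching_san(hostname, dns_sans):
    """Return the SAN entry that covers hostname, or None."""
    for san in dns_sans:
        if san_matches(san, hostname):
            return san
    return None


def verify_hostname(hostname, dns_sans):
    """Return None when hostname is covered, else the message Go's x509
    package produces, which is exactly the error quoted in the question."""
    if matching_san(hostname, dns_sans) is not None:
        return None
    return "x509: certificate is valid for %s, not %s" % (", ".join(dns_sans), hostname)


if __name__ == "__main__":
    # Constructed input: a placeholder certificate served before the real one
    # exists names only ingress.local, as in the error above.
    print(verify_hostname("www.endpoints.robco-skopecki.cloud.goog", ["ingress.local"]))
```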

Related

Openshift failed to pull image "x509 certificate signed by unknown authority"

My deployment yaml file has 2 images:
1) redis:alpine, which works fine
2) an image OpenShift pulls from my own harbor registry
My harbor registry has an SSL (not self-signed) certificate.
I can log in to my harbor registry and pull and push images as a container without getting an error.
But OpenShift has a problem pulling my image from my harbor registry.
oc describe pod <mypodname>
prints this error
Failed to pull image <myregistry.net<myrepo><myimage><mytag>> : rpc error: code = Unknown desc = pinging container registry myregistry.net: Get "https://<myregistry>.net/v2/": x509: certificate signed by unknown authority
I have ca.crt under /etc/docker/certs.d/myregistry
I tried this solution, https://docs.openshift.com/container-platform/4.7/cicd/builds/setting-up-trusted-ca.html#configmap-adding-ca_setting-up-trusted-ca, but it did not work for me.
Any help would be appreciated. Thanks in advance
If you followed the above doc, it should work.
$ oc patch proxies.config.openshift.io/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"user-ca-bundle"}}}'
$ oc -n openshift-config create configmap user-ca-bundle --from-file=ca-bundle.crt=xxx/rootCA.pem

Kubernetes certificate always disappear after few hours

I am new to Kubernetes. I created a certificate in Kubernetes for my validation webhook.
After approving the certificate, I checked whether it was still there after a few hours by running
kubectl -n mynamespace get csr
However, it shows no resources found in the namespace. But if the certificate is newly created
and I run the same command above, it shows the certificate.
Is this expected behavior? Where does the certificate go?
Please help. :(
This is expected behavior for security reasons. You should download the certificate using the command below and keep it safe.
kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
| base64 --decode > server.crt
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#download-the-certificate-and-use-it
csr is short for Certificate Signing Request.
It is dismissed after being validated.
If you want to check certificates:
kubectl get cert -A
-A for --all-namespaces

Approved Kubernetes CSR, but certificate not shown in status

So I've gone through the process of generating an RSA key, creating the YAML for a CSR, using kubectl to create a CSR in Minikube, and approving the certificate.
However, when I try to download the certificate using kubectl get csr my-csr -o jsonpath='{.status.certificate}' I'm getting an empty result.
When I do a kubectl get csr my-csr -o yaml to get more information, this is what I see:
status:
  conditions:
  - lastUpdateTime: "2020-01-17T20:17:20Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    type: Approved
I'm expecting a certificate attribute with a base64-encoded string, which I will decode to obtain the certificate for client certificate validation. Can someone please tell me what I'm doing wrong?
For more context, I'm trying to follow the instructions in this tutorial.
I got a similar problem. When I check with the following command:
kubectl get svc
It seems that the status of the csr is approved, but not issued. Any idea how to fix it?
[Updated]
I found the problem. It is because the kube-controller-manager was missing these options:
--cluster-signing-cert-file and --cluster-signing-key-file
Since a CSR is not namespace-specific, the command looks fine. I did the same to get the certificate; check that you provided the proper csr name.
Secondly, if you didn't provide the name and try to get all csr details, you need to change the key structure with an additional .items[*]:
kubectl get csr -o jsonpath='{.items[*].status.certificate}'
I have the feeling you missed the csr name my-csr, or the name does not really match (typo?). Double-check it.
This error is bound to occur. From the docs:
Permitted subjects - organizations are exactly ["system:nodes"], common name starts with "system:node:".
So the solution is to add the subject O=system:nodes and append "system:node:" to your service name in cert generation.
For ex.
openssl req -new -key server.key -out server.csr -subj "/O=system:nodes/CN=system:node:colortokens-bgl.csp.svc" -config server.conf
Verify your controller manager config: the controller manager must be provided with --cluster-signing-cert-file and --cluster-signing-key-file in order to sign the csr.
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kube-controller-manager-configuration
ex:
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
controllerManager:
  extraArgs:
    cluster-signing-cert-file: /etc/kubernetes/pki/ca.crt
    cluster-signing-key-file: /etc/kubernetes/pki/ca.key
In my case, I had a typo:
WithTypo: signerName: kubernetes.io/kube-apisever-client
WithoutTypo: signerName: kubernetes.io/kube-apiserver-client
and had the same result: the csr was approved and the certificate was not issued. It was resolved after I corrected the typo.
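Both this thread and the "certificate disappears" one above come down to reading the CSR object's status. The script below is an added example, not code from any of the answers: it takes the JSON from `kubectl get csr <name> -o json`, reports why an approved CSR has no certificate (including the signerName typo from the last answer), and decodes the certificate the way the download command above does; the CSR embedded in it is constructed.

```python
"""Diagnose a CSR that was approved but never got a certificate.

Added example, not taken from any answer above: feed it `kubectl get csr
<name> -o json` and it reports why status.certificate is empty, including
the signerName typo from the last answer. SAMPLE_CSR is constructed.
"""
import base64
import difflib
import json
import sys

# Built-in signers; any other signerName needs an external signer to fill status.certificate.
BUILTIN_SIGNERS = ["kubernetes.io/kube-apiserver-client",
                   "kubernetes.io/kube-apiserver-client-kubelet",
                   "kubernetes.io/kubelet-serving", "kubernetes.io/legacy-unknown"]

def diagnose_csr(csr):
    """Return a list of findings; an empty list means a certificate was issued."""
    status = csr.get("status", {})
    conditions = {c["type"]: c for c in status.get("conditions", [])}
    if "Denied" in conditions:
        return ["CSR was denied: " + conditions["Denied"].get("message", "")]
    if "Approved" not in conditions:
        return ["CSR is still pending; approve it with 'kubectl certificate approve'"]
    if status.get("certificate"):
        return []
    signer = csr.get("spec", {}).get("signerName", "kubernetes.io/legacy-unknown")
    if signer not in BUILTIN_SIGNERS:
        hint = difflib.get_close_matches(signer, BUILTIN_SIGNERS, n=1)
        return ["signerName %r is not a built-in signer%s"
                % (signer, " (did you mean %r?)" % hint[0] if hint else "")]
    findings = ["approved but not issued by %s: check that kube-controller-manager "
                "has --cluster-signing-cert-file and --cluster-signing-key-file" % signer]
    if signer == "kubernetes.io/kubelet-serving":
        findings.append("kubelet-serving also requires O=system:nodes and a CN "
                        "starting with system:node: in the CSR subject")
    return findings

def extract_certificate(csr):
    """Decode status.certificate (base64 PEM), as the download step above does."""
    encoded = csr.get("status", {}).get("certificate")
    return base64.b64decode(encoded) if encoded else None

# Constructed CSR mirroring the thread: Approved, no certificate, typo in signerName.
SAMPLE_CSR = {"spec": {"signerName": "kubernetes.io/kube-apisever-client"},
              "status": {"conditions": [{"type": "Approved", "reason": "KubectlApprove"}]}}

if __name__ == "__main__":
    obj = SAMPLE_CSR if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(diagnose_csr(obj) or ["certificate issued; decode status.certificate"]))
```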

Framework error: code: 60 reason: SSL certificate problem: unable to get local issuer certificate in solaris 11.3

pkg set-publisher: The origin URIs for 'solarisstudio' do not appear to point to a valid pkg repository.
Please verify the repository's location and the client's network configuration.
Additional details:
Unable to contact valid package repository: https://pkg.oracle.com/solarisstudio/release
Encountered the following error(s):
Transport errors encountered when trying to contact repository.
Reported the following errors:
Framework error: code: 60 reason: SSL certificate problem: unable to get local issuer certificate
URL: 'https://pkg.oracle.com/solarisstudio/release'
1. Make sure that the ca-certificates service is running on Solaris:
svcs -xv
If not, try starting it using the commands below:
svcadm disable svc:/system/ca-certificates:default
svcadm enable svc:/system/ca-certificates:default
Make sure that the permission below is set for all the certificates.
If the above solution does not work:
2. Take a backup of all the certificates under /etc/certs/CA. Check for corrupted certificates by moving the certificates one by one to /etc/certs/CA and starting the ca-certificates service. The point at which the service doesn't start identifies the corrupted certificate.
Make sure that the certificates in that location have the permissions below:
sudo chown root:sys /etc/certs/CA/*.pem

Service Fabric not starting service Error: FABRIC_E_CERTIFICATE_NOT_FOUND

I am trying to publish a Service Fabric service to my local cluster, but it never gets out of this state:
There was an error during activation. Failed to configure certificate permissions. Error: FABRIC_E_CERTIFICATE_NOT_FOUND
Do you know what this error is related to?
How can I fix it?
As the error says, SF is unable to find the required cert in the cert store. You can find the missing cert info in the error logs in Event Viewer:
%SystemRoot%\System32\Winevt\Logs\Microsoft-ServiceFabric%4Admin.evtx
Check using Certificate Manager whether this cert is present and not expired. You can also use this script.
More info regarding the required certs can be found in this file:
C:\SfDevCluster\Data\_App\_Node_0\{AppNameFromSf}\App.1.0.xml