I have deployed a Kubernetes cluster on Ubuntu VMs using Docker.
Without TLS, it works fine (on port 8080).
I use Let's Encrypt to secure the API Server (port 6443), and it works! My problem appears when my Kubelet wants to authenticate to the master using https.
This is how I launch the API Server:
/hyperkube apiserver \
  --service-cluster-ip-range=10.0.0.1/24 \
  --insecure-bind-address=127.0.0.1 \
  --etcd-servers=http://127.0.0.1:4001 \
  --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
  --client-ca-file=/srv/kubernetes/ca.crt \
  --basic-auth-file=/srv/kubernetes/basic_auth.csv \
  --min-request-timeout=300 \
  --tls-cert-file=/srv/kubernetes/server.cert \
  --tls-private-key-file=/srv/kubernetes/server.key \
  --token-auth-file=/srv/kubernetes/known_tokens.csv \
  --allow-privileged=true --v=4
And this is how I launch the Kubelet:
/hyperkube kubelet \
--allow-privileged=true \
--api-servers=https://k8:6443 \
--kubeconfig=/srv/kubernetes/config.yaml \
--v=2 \
--address=0.0.0.0 \
--enable-server \
--containerized \
--cluster-dns=10.0.0.10 \
--cluster-domain=k8.local
Here is the config.yaml file:
apiVersion: v1
kind: Config
clusters:
- name: k8.local
  cluster:
    insecure-skip-tls-verify: true
    server: https://k8:6443
contexts:
- context:
    cluster: "k8.local"
    user: "node1"
  name: development
current-context: development
users:
- name: node1
  user:
    client-certificate: /var/run/kubernetes/kubelet.crt
    client-key: /var/run/kubernetes/kubelet.key
When I launch my Kubelet, the logs say: the server has asked for the client to provide credentials.
I think I'm wrong with the Kubelet's certs, but I don't understand why.
Can you help me?
10xx.
Were your client certs (/var/run/kubernetes/kubelet.crt) signed by the CA file identified in: --client-ca-file=/srv/kubernetes/ca.crt?
Also, you might try replacing
- cluster:
    insecure-skip-tls-verify: true
    server: https://k8:6443
with:
- cluster:
    certificate-authority: /srv/kubernetes/ca.crt
    server: https://k8:6443
I've never used basic auth or token auth, but it's possible having those flags in place is requiring password based authentication. I'd try removing these as well if you're doing purely cert based authentication.
--basic-auth-file=/srv/kubernetes/basic_auth.csv
--token-auth-file=/srv/kubernetes/known_tokens.csv