K
Q

Question

helm: x509: certificate signed by unknown authority

1/5/2018

I'm using Kubernetes and I recently updated my admin certs used in the kubeconfig. However, after I did that, all the helm commands fail thus:

Error: Get https://cluster.mysite.com/api/v1/namespaces/kube-system/pods?labelSelector=app%3Dhelm%2Cname%3Dtiller: x509: certificate signed by unknown authority

kubectl works as expected:

$ kubectl get nodes
NAME                                           STATUS    ROLES     AGE       VERSION
ip-10-1-0-34.eu-central-1.compute.internal     Ready     master    42d       v1.7.10+coreos.0
ip-10-1-1-51.eu-central-1.compute.internal     Ready     master    42d       v1.7.10+coreos.0
ip-10-1-10-120.eu-central-1.compute.internal   Ready     <none>    42d       v1.7.10+coreos.0
ip-10-1-10-135.eu-central-1.compute.internal   Ready     <none>    27d       v1.7.10+coreos.0
ip-10-1-11-71.eu-central-1.compute.internal    Ready     <none>    42d       v1.7.10+coreos.0
ip-10-1-12-199.eu-central-1.compute.internal   Ready     <none>    8d        v1.7.10+coreos.0
ip-10-1-2-110.eu-central-1.compute.internal    Ready     master    42d       v1.7.10+coreos.0

As far as I've been able to read, helm is supposed to use the same certificates as kubectl, which makes me curious as how how kubectl works, but helm doesn't?

This is a production cluster with internal releases handled through helm charts, so it being solved is imperative.

Any hints would be greatly appreciated.

-- Helge Talvik Söderström

kubernetes

kubernetes-helm

ssl

3 Answers

2/7/2020

Although adding repo with --ca-file did the thing, when it tried to download from that repo with the command posted under, I still got the x509: certificate signed by unknown authority

helm dependency update helm/myStuff
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "myRepo" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 18 charts
Downloading myService from repo https://myCharts.me/
Save error occurred:  could not download https://myCharts.me/stuff.tgz ...
x509: certificate signed by unknown authority
Deleting newly downloaded charts, restoring pre-update state

What I needed to do, apart from adding repo with --ca-file was to download the repository certificate and install it as Current User:

Place all certificates in the following store: Trusted Root Certification Authorities:

After installing the certificate I also needed to restart the computer. After restart, when you open the browser and paste the repo URL it should connect without giving a warning and trusting the site (this way you know you installed the certificate successfully).

You can go ahead and run the command, it should pick the certificate this time.

helm dependency update helm/myStuff
....
Saving 18 charts
Downloading service1 from repo https://myCharts.me/
Downloading service2 from repo https://myCharts.me/
....

-- Tudor

Source: StackOverflow

1/29/2020

In my case the error was caused by an untrusted certificate from the Helm repository. Downloading the certificate and specifying it using the --ca-file option solved the issue (at least in Helm version 3).

helm repo add --ca-file /path/to/certificate.crt repoName https://example/repository

--ca-file string, verify certificates of HTTPS-enabled servers using this CA bundle

-- LazerBass

Source: StackOverflow

1/6/2018

As a workaround you can try to disable certificate verification. Helm uses the kube config file (by default ~/.kube/config). You can add insecure-skip-tls-verify: true for the cluster section:

clusters:
- cluster:
    server: https://cluster.mysite.com
    insecure-skip-tls-verify: true
  name: default

Did you already try to reinstall helm/tiller?

kubectl delete deployment tiller-deploy --namespace kube-system
helm init

Also check if you have configured an invalid certificate in the cluster configuration.

-- Sebastian

Source: StackOverflow

KQ

helm: x509: certificate signed by unknown authority

Similar Questions

3 Answers

K
Q