Kubernetes TLS certificate issuer not issuing

7/3/2018

I've got a problem with our Kubernetes not issuing certificates for kubelet.

The kubelet is submitting a CSR and this seems to get approved, and at this point the certificate should be issued, but this step never seems to take place.

I searched far and wide but nothing...

$ kubectl get csr
NAME        AGE       REQUESTOR   CONDITION
csr-52xv4   11m       kubelet     Approved
csr-97rrv   43m       kubelet     Approved
csr-9p8gz   28m       kubelet     Approved
csr-n578g   53m       kubelet     Approved
csr-s76sv   44m       kubelet     Approved
csr-z2xhg   45m       kubelet     Approved

As a result, all new nodes/kubelets don't get a certificate issued at all.

This seems to have started with no particular change to the environment, and I can't find a single log that would indicate a problem with issuing certs.

Has anyone ever seen this?

Kind regards

-- mironq
certificate
kubelet
kubernetes
ssl

1 Answer

7/11/2018

Just to let you know what the original cause of the problem was: somehow, and we still don't know how, the file holding the certificate on one of the master nodes (/srv/kubernetes/ca.crt) had its content duplicated. Strange... During troubleshooting we tested that certificate using openssl, which read it without any issues, and that misled us into assuming it had to be OK...

Fixing the content by hand immediately fixed this problem.

-- mironq
Source: StackOverflow
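
A check for the failure described in the answer, as an added example that is not part of the original post: `openssl x509` parses only the first PEM block in a file, so a duplicated certificate still reads as valid there. The script below counts every certificate block and flags byte-identical repeats; the function name and the sample data are constructed for illustration (the sample bodies are placeholder bytes, not real certificates).

```python
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def audit_pem_bundle(text, expected=1):
    """Return a list of findings for a PEM file; an empty list means clean."""
    findings, digests = [], []
    for match in PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"block {len(digests) + 1}: invalid base64")
            der = body.encode()
        digests.append(hashlib.sha256(der).hexdigest())
    if len(digests) != expected:
        findings.append(
            f"expected {expected} certificate block(s), found {len(digests)}"
        )
    first_seen = {}
    for index, digest in enumerate(digests, start=1):
        if digest in first_seen:
            findings.append(f"block {index} duplicates block {first_seen[digest]}")
        else:
            first_seen[digest] = index
    # Anything left once the certificate blocks are removed is stray content.
    if PEM_CERT.sub("", text).strip():
        findings.append("text outside BEGIN/END CERTIFICATE markers")
    return findings

def _constructed_pem(payload):
    """Wrap placeholder bytes in PEM armour (constructed sample, not a real cert)."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

SAMPLE_OK = _constructed_pem(b"constructed placeholder bytes, not a real CA certificate")
SAMPLE_DUPLICATED = SAMPLE_OK + SAMPLE_OK  # the condition described in the answer

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUPLICATED
    for finding in audit_pem_bundle(text) or ["ok"]:
        print(finding)
```

A file that is meant to hold a chain or bundle can be checked by passing the intended block count as `expected`; repeated blocks are still reported.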