When I use the exec REST API, I got the error message "x509: certificate is valid for 127.0.0.1, not xx.xx.xx.xx"

7/9/2018

First I tested with https but got a 400:upgrade response.

Then I tested with websocket, and got "Can't connect to console: x509: certificate is valid for 127.0.0.1, not xx.xx.xx.xx" when I use NewClient() or Dialer.Dial(url, req.Header) to create the client conn.

Is it something related to the Bearer token?

I put it in the request's header.

    wsurl := "wss://xx.xx.xx.xx:8080/r/projects/1a92/kubernetes:6443/api/v1/namespaces/NM/pods/testPod-546cdd8d79-7h8nv/exec?command=ls&container=testPod&stderr=true&stdin=true&stdout=true&tty=false"
    u, err := neturl.Parse(wsurl)
    rawConn, err := net.Dial("tcp", u.Host)
    wsHeaders := http.Header{
        "Authorization":            {"Bearer " + env_bearer_token},
        "Origin":                   {"https://xx.xx.xx.xx:8080/r/projects/1a92/kubernetes:6443"},
        "Sec-WebSocket-Extensions": {"permessage-deflate; client_max_window_bits, x-webkit-deflate-frame"},
    }
    wsConn, resp, err := websocket.NewClient(rawConn, u, wsHeaders, 1024, 1024)

Anything wrong?

-- ling
kubernetes

1 Answer

7/10/2018

> Is it something related to the Bearer token?

No, it is related to exactly what the error says: the X.509 certificate does not have an SAN entry for whatever IP is xx-ed out. There are a few paths forward out of that situation:

  • update away from using an IP address toward a hostname that is covered by the cert
  • reissue the cert to include that IP in its SAN list
  • update your Dialer to provide a tls.Config with InsecureSkipVerify: true and take your chances
-- mdaniel
Source: StackOverflow