K
Q

How to properly submit certificate for signing in Kubernetes?

9/14/2018

I'm trying to get a certificate signed by the Kubernetes CA (1.11) by submitting the following:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: openunison.openunison.svc.cluster.local
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBORVcgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCk1JSURCakNDQWU0Q0FRQXdnWkF4Q3pBSkJnTlZCQVlUQW5Wek1SRXdEd1lEVlFRSUV3aDJhWEpuYVc1cFlURVQKTUJFR0ExVUVCeE1LWVd4bGVHRnVaSEpwWVRFWk1CY0dBMVVFQ2hNUWRISmxiVzlzYnlCelpXTjFjbWwwZVRFTQpNQW9HQTFVRUN4TURhemh6TVRBd0xnWURWUVFERXlkdmNHVnVkVzVwYzI5dUxtOXdaVzUxYm1semIyNHVjM1pqCkxtTnNkWE4wWlhJdWJHOWpZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3gKRnpBR2tBWlYrZWxxem1aK3RxUW1xTEsxV3kvRFRXU0FZT3N2Mk9SaDFyVEx4eTZ6NVRwVW9kNzBjYmhCQlowbgptMDMzd0VkWW1QODFHRVM1YlYyQkpQa2FiN1EySmltQXFuU1MrcHYvSmVjTnVUcGlUb05xVUlGeHhUcXdlWHo3CkgxUVBPY25LZ251M0piempKUXZBbWZoUXZaNjdHRXRGanl3QXE5MS9TUFBHdVVlUFBOb09kU1J0MHlJdFJSV1cKV0N4THhLRW4zUU5jc1hqZWtJUy9aMXdTdERuVyttQi9LZERWbmlZUzlYRlV1T3BTcEl4ZkhHNmFkdTdZaUNLZgptQWZqSE1jdmlOQlN3M3ZBOGQ4c21yVnZveHhkelpzMGFXRlpZai9mQ0IycVVRb2FXQi85TmU1SStEb3JBbXJXCm42OGtoY1MwbkxsWGFIQmhLZjM1QWdNQkFBR2dNREF1QmdrcWhraUc5dzBCQ1E0eElUQWZNQjBHQTFVZERnUVcKQkJTUExoa2V5eUkrQmttSXEzdmxpalA4MHI1RXVUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFpMndVUjA4RgpjL3VVanovWHVvd29vQ1M3c2tndlpSZDVhVTFxdzU2MzdmOGVJSmM2S0huNGNZZUw3YTZ5M3M0QmJnYVVIOVpVCm5Sb3N1V1R2WEJNTUxxLzJBSEx4VVhsTGNhZW03cE1EbXEzbGkxNEkvWTdQWUlxSFQxNEc2UnlkQUUvc2R6MHUKd1RNL0k3eHJ0bFZNTzliNXpuWnlxVkpTY0xhYnRDTXMwa3dwQlpVM2dTZThhWW8zK3A3d2pVeVpuZmFoNllhNAovcXZVd3kzNGdianZSTWc2NmI3UTl2dERmU0RtUWFyVVh0QVJEd052T1lnNmpIMkpwYmUvNUdqcHhaUTRYYW93CnZodGJyY2NTL2RCbFZwWlQxd0k2Um85WFl2OEliMm1icWhFMjBNWGJuVWUrYS9uUkdPVndMaVRQMGNnSk92eDIKdzRZWmtxSUhVQWZad0E9PQotLS0tLUVORCBORVcgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
  usages:
  - digital signature
  - key encipherment
  - server auth

The response complains that its not PEM - The CertificateSigningRequest "openunison.openunison.svc.cluster.local" is invalid: spec.request: Invalid value: []byte{0x2d,...}: PEM block type must be CERTIFICATE REQUEST, however, the CSR is a valid CSR:

echo 'LS0tLS1CRUdJTiBORVcgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCk1JSURCakNDQWU0Q0FRQXdnWkF4Q3pBSkJnTlZCQVlUQW5Wek1SRXdEd1lEVlFRSUV3aDJhWEpuYVc1cFlURVQKTUJFR0ExVUVCeE1LWVd4bGVHRnVaSEpwWVRFWk1CY0dBMVVFQ2hNUWRISmxiVzlzYnlCelpXTjFjbWwwZVRFTQpNQW9HQTFVRUN4TURhemh6TVRBd0xnWURWUVFERXlkdmNHVnVkVzVwYzI5dUxtOXdaVzUxYm1semIyNHVjM1pqCkxtTnNkWE4wWlhJdWJHOWpZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3gKRnpBR2tBWlYrZWxxem1aK3RxUW1xTEsxV3kvRFRXU0FZT3N2Mk9SaDFyVEx4eTZ6NVRwVW9kNzBjYmhCQlowbgptMDMzd0VkWW1QODFHRVM1YlYyQkpQa2FiN1EySmltQXFuU1MrcHYvSmVjTnVUcGlUb05xVUlGeHhUcXdlWHo3CkgxUVBPY25LZ251M0piempKUXZBbWZoUXZaNjdHRXRGanl3QXE5MS9TUFBHdVVlUFBOb09kU1J0MHlJdFJSV1cKV0N4THhLRW4zUU5jc1hqZWtJUy9aMXdTdERuVyttQi9LZERWbmlZUzlYRlV1T3BTcEl4ZkhHNmFkdTdZaUNLZgptQWZqSE1jdmlOQlN3M3ZBOGQ4c21yVnZveHhkelpzMGFXRlpZai9mQ0IycVVRb2FXQi85TmU1SStEb3JBbXJXCm42OGtoY1MwbkxsWGFIQmhLZjM1QWdNQkFBR2dNREF1QmdrcWhraUc5dzBCQ1E0eElUQWZNQjBHQTFVZERnUVcKQkJTUExoa2V5eUkrQmttSXEzdmxpalA4MHI1RXVUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFpMndVUjA4RgpjL3VVanovWHVvd29vQ1M3c2tndlpSZDVhVTFxdzU2MzdmOGVJSmM2S0huNGNZZUw3YTZ5M3M0QmJnYVVIOVpVCm5Sb3N1V1R2WEJNTUxxLzJBSEx4VVhsTGNhZW03cE1EbXEzbGkxNEkvWTdQWUlxSFQxNEc2UnlkQUUvc2R6MHUKd1RNL0k3eHJ0bFZNTzliNXpuWnlxVkpTY0xhYnRDTXMwa3dwQlpVM2dTZThhWW8zK3A3d2pVeVpuZmFoNllhNAovcXZVd3kzNGdianZSTWc2NmI3UTl2dERmU0RtUWFyVVh0QVJEd052T1lnNmpIMkpwYmUvNUdqcHhaUTRYYW93CnZodGJyY2NTL2RCbFZwWlQxd0k2Um85WFl2OEliMm1icWhFMjBNWGJuVWUrYS9uUkdPVndMaVRQMGNnSk92eDIKdzRZWmtxSUhVQWZad0E9PQotLS0tLUVORCBORVcgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==' | base64 -d | openssl req -noout -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = us, ST = virginia, L = alexandria, O = tremolo security, OU = k8s, CN = openunison.openunison.svc.cluster.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

What am I missing?

-- mlbiam
certificate
kubernetes
ssl

Similar Questions

Why are my CloudWatch logs not appearing?
Why deletion of a STS application is not deleting OpenEBS Jiva volume pvc's also automatically?
Does OpenEBS support ReadOnlyMany option for Jiva Volumes?
Can I use the same PVC for multiple Pods with OpenEBS?

1 Answer

9/14/2018

You are submitting it correctly, but the Kubernetes certificate manager doesn't like the format of your CSR header:

  • -----BEGIN NEW CERTIFICATE REQUEST----- nor the ending
  • -----END NEW CERTIFICATE REQUEST-----.

However, it does like:

  • -----BEGIN CERTIFICATE REQUEST----- and
  • -----END CERTIFICATE REQUEST-----

you can modify those two lines and it should work (I tried it myself).

Opened this to address the problem.

-- Rico
Source: StackOverflow