Kubernetes doesn't create certificates

12/4/2018

I've created my certificate with cfssl, but when I generate my Kubernetes certificates with the file generated by cfssl, my Kubernetes returns the following error:

Error from server (BadRequest): error when creating "certificado.yml": CertificateSigningRequest in version "v1beta1" cannot be handled as a CertificateSigningRequest: v1beta1.CertificateSigningRequest.Spec: v1beta1.CertificateSigningRequestSpec.Usages: []v1beta1.KeyUsage: Request: decode base64: illegal base64 data at input byte 3, error found in #10 byte of ...| -d '\\n'","usages":|..., bigger context ...|,"request":"cat server.csr | base64 | tr -d '\\n'","usages":["digital signature","key encipherment",|...

I've tried without $() in the request field but it returned the same error.

My certificate.yml:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
-- Daniel Pereira
kubernetes
ssl-certificate

2 Answers

6/23/2019

The problem is the following line:

request: $(cat server.csr | base64 | tr -d '\n')

This line contains a Bash command substitution that shouldn't be there since kubectl cannot interpret bash code.

I suspect that instead of executing the command from the example you followed, you copied its contents into a file.

Delete that file, run the cat command from the example, and you will be fine, because the command will execute the substitution and fill in the correct value for the request field.

The result should look something like this:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: authUlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0KUlRGTQpSVEZNClJURk0=
  usages:
  - digital signature
  - key encipherment
  - server auth
-- malte
Source: StackOverflow

12/4/2018

You can do it the following way:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

This way it will not break, and you do not need to place the hardcoded output of cat server.csr | base64 | tr -d '\n' into the yaml file.

EDIT:

I believe the CSR you generated has some issues. You can run the following three commands to check if you are able to create a CSR:

openssl genrsa -out admin.key 2048 
openssl req -new -key admin.key -out admin.csr -subj "/O=system:masters/CN=kubernetes-admin"


cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: admin_csr
spec:
  groups:
  - system:authenticated
  - system:masters
  request: $(cat admin.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

Then check whether admin_csr gets generated or not.

EDIT2:

I used the same guide you mentioned in the comment, and I am able to generate a CSR:

[root@ip-10-**-**-** cerificates]# cat <<EOF | cfssl genkey - | cfssljson -bare server
> {
>   "hosts": [
>     "ba***ta.default.svc.cluster.local",
>     "ba***ta-57f6c65474-8rdhz.default.pod.cluster.local",
>     "10.**.86.73",
>     "192.**.13.10"
>   ],
>   "CN": "ba***ta-57f6c65474-8rdhz.default.pod.cluster.local",
>   "key": {
>     "algo": "ecdsa",
>     "size": 256
>   }
> }
> EOF
2018/12/05 12:00:11 [INFO] generate received request
2018/12/05 12:00:11 [INFO] received CSR
2018/12/05 12:00:11 [INFO] generating key: ecdsa-256
2018/12/05 12:00:12 [INFO] encoded CSR
[root@ip-10-**-**-** cerificates]# ls
server.csr  server-key.pem
[root@ip-10-0-1-99 cerificates]# cat <<EOF | kubectl create -f -
> apiVersion: certificates.k8s.io/v1beta1
> kind: CertificateSigningRequest
> metadata:
>   name: ba***ta.default
> spec:
>   groups:
>   - system:authenticated
>   request: $(cat server.csr | base64 | tr -d '\n')
>   usages:
>   - digital signature
>   - key encipherment
>   - server auth
> EOF
certificatesigningrequest.certificates.k8s.io "ba***ta.default" created
[root@ip-10-**-**-** cerificates]# kubectl get csr
NAME              AGE       REQUESTOR                               CONDITION
ba***ta.default   6s        kubernetes-admin                        Pending
csr-9dcz6         59m       system:node:ip-10-**-**-**.ec2.internal   Approved,Issued
[root@ip-10-0-1-99 cerificates]# 
-- Prafull Ladha
Source: StackOverflow
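Both answers come down to the same point: spec.request must hold the single-line base64 encoding of the PEM CSR, and that encoding has to be produced by the shell (a heredoc with command substitution, as in the second answer), not pasted as literal text (the mistake the first answer diagnoses). The following shell script is an added example, not code from the question or either answer. It builds the manifest the way the answers describe and then checks the request field the same way the API server does (base64-decode it and expect a PEM certificate request), so the "illegal base64 data" error can be caught before kubectl is ever run. The function names, the placeholder CSR content and the temporary file layout are assumptions made for this example; no cluster, cfssl or openssl is needed to run it.

```shell
#!/bin/sh
# Added example (not from the question or either answer). The CSR file used
# in the demo is a CONSTRUCTED placeholder with a PEM-shaped header, not a
# real certificate request.

# build_csr_manifest NAME CSR_FILE
# Emits a CertificateSigningRequest manifest on stdout. The command
# substitution runs in this shell, so spec.request receives the one-line
# base64 of the PEM file, never the literal text "$(cat ...)" that the
# question's certificate.yml contained.
build_csr_manifest() {
    name="$1"
    csr_file="$2"
    encoded=$(base64 < "$csr_file" | tr -d '\n')
    cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  groups:
  - system:authenticated
  request: ${encoded}
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}

# check_request_field MANIFEST_FILE
# Returns 0 when spec.request is valid single-line base64 that decodes to a
# PEM certificate request, 1 otherwise. This mirrors the decode the API
# server performs, which is where "illegal base64 data" is raised.
check_request_field() {
    manifest="$1"
    value=$(sed -n 's/^  request: //p' "$manifest")
    [ -n "$value" ] || return 1
    # Reject anything outside the base64 alphabet before decoding, e.g. a
    # leftover shell command substitution or unstripped newlines.
    case "$value" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || return 1
    case "$decoded" in
        "-----BEGIN CERTIFICATE REQUEST-----"*) return 0 ;;
        *) return 1 ;;
    esac
}

# demo: a good manifest built by the shell next to a bad one that reproduces
# the question's mistake (the substitution copied verbatim into the file).
demo() {
    workdir=$(mktemp -d)
    # Constructed placeholder CSR: PEM framing only, not a real request.
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' \
        'MIIBconstructedPlaceholderNotARealCSR' \
        '-----END CERTIFICATE REQUEST-----' > "$workdir/server.csr"

    build_csr_manifest rasa-service.default "$workdir/server.csr" > "$workdir/good.yml"

    # The quoted 'EOF' delimiter disables substitution, so the literal
    # "$(cat ...)" lands in the file exactly as it did for the asker.
    cat > "$workdir/bad.yml" <<'EOF'
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rasa-service.default
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
EOF

    if check_request_field "$workdir/good.yml"; then good=ok; else good=rejected; fi
    if check_request_field "$workdir/bad.yml"; then bad=ok; else bad=rejected; fi
    rm -rf "$workdir"
    echo "good manifest: $good, question's manifest: $bad"
    [ "$good" = ok ] && [ "$bad" = rejected ]
}

demo
```

Run the check against any manifest before piping it to kubectl create -f -; a rejection here means the request field is not what the API server will accept, which is exactly the failure mode the question hit. In real use the CSR file comes from cfssl or openssl as in the second answer, and the only requirement the check enforces is the one the answers state: one line of base64 that decodes to a PEM certificate request.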