"Error: unable to get issuer certificate" when certificate-authority-data contains a self signed certificate #327
Comments
Odd. In theory this should work. (and it does work for other providers) I will try loading up this config in a dev. environment and see if I can reproduce the problem.
One other thing you might try is exporting the CA cert to a file, and then using: ...
certificate-authority: /path/to/file.cert
... Rather than the inline version. If that works then it's especially weird.
Just tested, no this does not work, same error. (The property is recognized though, file not found error will appear if I set a wrong path)
Can you decode the CA certificate? My bet is that there are multiple intermediary certificates and we don't currently support that in this library...
I tried https://certificatechain.io/ which can be used to regenerate the certificate chain, and the result shows that the certificate is root in itself. (For your knowledge, the base64 certificate above is the original one from Aliyun)
Ok, I will try to test this out further in my environment...
I tried this on my machine and I get:
{ Error: CA certificate key too weak
    at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:636:8) code: 'CA certificate key too weak' }
I suspect that this is because nodejs wraps libssl while Go (afaik) has their own implementation. I'm not sure this is fixable without a great deal of effort. I'm not sure I will take this any farther (for now) but I'll leave this issue open if people hit the same problem.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Any update on this?
No updates. I'm really not sure this is fixable without a great deal of effort, I believe this error is coming from libssl, and I don't want to hack around libssl. I think the key strength of the self-signed certificate needs to be increased. /lifecycle frozen
The root cause is that the cluster CA is an intermediate CA certificate, which is not trusted by Nodejs: nodejs/node#36453
I am using Aliyun's serverless kubernetes service, and it provides a YAML to connect to the cluster and perform administration. The config file works with kubectl CLI. However, if I use it with this library, the "Error: unable to get issuer certificate" message appears. I was able to circumvent the issue by adding
insecure-skip-tls-verify: true
but clearly that is not good. This issue occurs on both Windows 10 and Ubuntu 16.04 as I have tested.
A redacted version of Aliyun's YAML:
Where the
certificate-authority-data
contains the self-signed certificate generated by Aliyun.