Hello Experts, I don’t understand the solution to the last question (13) about Labs - View Certificates, could you please describe it in detail?
Thanks in advance!
The issue here is that etcd has its own, independent Certificate Authority. The cert for this is at /etc/kubernetes/pki/etcd.ca.crt, which is not what you see in kube-apiserver.yaml.
You can tell this, as the problem suggests, by looking at the kube-apiserver log using crictl logs. I see this in the lab:
Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
So, there’s a TLS connection, but the connection won’t verify as valid. Classic CA cert problem.
Thank you for your reply. If I understood correctly, I need to add this “/etc/kubernetes/pki/etcd.ca.crt” to the kube-apiserver.yaml file, right? If yes, what will be the full syntax?
Ah, I had a typo there. It’s /etc/kubernetes/pki/etcd/ca.crt. This is an argument to kube-apiserver:
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
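As an added example (not part of the thread or the lab), the check below reproduces the mismatch the reply describes: it builds a throwaway etcd CA and server cert plus a separate, unrelated "kubernetes" CA, reads the `--etcd-cafile` value out of a constructed kube-apiserver manifest fragment, and uses `openssl verify` to show that only the etcd CA validates etcd's server cert. It assumes `openssl` is installed and mirrors the kubeadm layout (`pki/ca.crt` vs `pki/etcd/ca.crt`).

```shell
#!/usr/bin/env bash
# Added example: reproduce the kube-apiserver -> etcd CA mismatch with openssl.
set -eu

# Constructed PKI in a temp dir: an etcd CA that signs an etcd server cert, and a
# separate "kubernetes" CA that did NOT sign it (the two CAs kubeadm creates).
make_demo_pki() {   # make_demo_pki DIR
  local dir="$1"
  mkdir -p "$dir/etcd"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=etcd-ca" \
    -keyout "$dir/etcd/ca.key" -out "$dir/etcd/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=etcd-server" \
    -keyout "$dir/etcd/server.key" -out "$dir/etcd/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/etcd/server.csr" -CA "$dir/etcd/ca.crt" \
    -CAkey "$dir/etcd/ca.key" -CAcreateserial -out "$dir/etcd/server.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Does the etcd server cert chain to CAFILE? Exit 0 = trusted, 1 = unknown authority.
# This is the same trust decision kube-apiserver makes with its --etcd-cafile.
verify_etcd_cert() {   # verify_etcd_cert CAFILE SERVER_CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Extract the --etcd-cafile value from a kube-apiserver static-pod manifest.
etcd_cafile_from_manifest() {   # etcd_cafile_from_manifest MANIFEST
  sed -n 's/^[[:space:]]*-[[:space:]]*--etcd-cafile=//p' "$1"
}

# Constructed manifest fragment with the WRONG CA (the kubernetes CA, not etcd's).
write_demo_manifest() {   # write_demo_manifest FILE PKI_DIR
  printf -- '    - --etcd-cafile=%s/ca.crt\n' "$2" > "$1"
}

demo() {
  local d cafile
  d="$(mktemp -d)"
  make_demo_pki "$d"
  write_demo_manifest "$d/kube-apiserver.yaml" "$d"
  cafile="$(etcd_cafile_from_manifest "$d/kube-apiserver.yaml")"
  if verify_etcd_cert "$cafile" "$d/etcd/server.crt"; then
    echo "OK: $cafile signed etcd's server cert"
  else
    echo "MISMATCH: $cafile did not sign etcd's server cert; use $d/etcd/ca.crt"
  fi
}
demo
```

Run against a real node by pointing `etcd_cafile_from_manifest` at /etc/kubernetes/manifests/kube-apiserver.yaml and `verify_etcd_cert` at /etc/kubernetes/pki/etcd/server.crt; a non-zero result is the openssl equivalent of the "certificate signed by unknown authority" line in the crictl logs output.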
Thank you so much