https://rancher.com/ logo
Powered by
Title
c

cuddly-jordan-17092

09/22/2022, 6:17 AM
Hi All Pen test reported that weak & invalid ssl communication is in use by one k3s server. Literally, i am a very new to this k3's. Could some one point me on how to fix the below issue 
openssl s_client -connect kube1001:6443 2>&1 | grep issuer
verify error:num=20:unable to get local issuer certificate
issuer=/CN=k3s-server-ca@1649270763

openssl s_client -connect kube1001:443 2>&1 | grep issuer
verify error:num=20:unable to get local issuer certificate
issuer=/CN=k3s-server-ca@1649270763

openssl s_client -connect kube1001:80 2>&1 | grep issuer
verify error:num=20:unable to get local issuer certificate
issuer=/CN=k3s-server-ca@1649270763
b

bland-account-99790

09/22/2022, 10:10 AM
Can you show us the output of: 
echo -n | openssl s_client -showcerts -connect kube101:6443 | openssl x509 -text
?
kube1001
sorry, I missed one 0
c

cuddly-jordan-17092

09/22/2022, 10:20 AM
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4295464294510142947 (0x3b9c8e047ba6a5e3)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=k3s-server-ca@1649270763
        Validity
            Not Before: Apr  6 18:46:03 2022 GMT
            Not After : Sep 21 12:43:29 2023 GMT
        Subject: O=k3s, CN=k3s
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:35:aa:da:94:7e:83:d6:dd:96:a9:42:59:ee:6c:
                    aa:69:f1:ff:8e:12:cd:bd:63:36:ea:67:71:20:9b:
                    34:17:77:11:ea:dc:43:1c:af:c1:c9:c2:c3:6f:87:
                    e7:c8:bf:e7:6a:cc:95:f3:f3:cc:41:04:d5:ba:58:
                    7b:df:3e:3c:a1
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:E6:00:78:C6:81:34:4C:0D:D2:3A:A3:EC:29:EC:A2:07:C0:C7:6B:81

            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:netkubedal1001, DNS:netkubedal1001.softlayer.local, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:172.17.192.108
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:e3:ed:7d:08:d3:ef:fc:dc:6b:e1:e2:01:87:
         7f:db:3d:3b:8d:cd:05:c3:c9:fa:b3:cd:75:36:d4:46:b3:2e:
         18:02:21:00:de:e4:0f:e4:7e:3f:26:11:e1:ec:ae:2d:b9:59:
         b8:d9:48:ca:56:89:3e:50:56:59:d2:ab:01:33:4e:11:8d:18
-----BEGIN CERTIFICATE-----
MIICOjCCAd+gAwIBAgIIO5yOBHumpeMwCgYIKoZIzj0EAwIwIzEhMB8GA1UEAwwY
azNzLXNlcnZlci1jYUAxNjQ5MjcwNzYzMB4XDTIyMDQwNjE4NDYwM1oXDTIzMDky
MTEyNDMyOVowHDEMMAoGA1UEChMDazNzMQwwCgYDVQQDEwNrM3MwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQ1qtqUfoPW3ZapQlnubKpp8f+OEs29YzbqZ3EgmzQX
dxHq3EMcr8HJwsNvh+fIv+dqzJXz88xBBNW6WHvfPjyho4IBAjCB/zAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0jBBgwFoAU5gB4xoE0
TA3SOqPsKeyiB8DHa4EwgbYGA1UdEQSBrjCBq4IKa3ViZXJuZXRlc4ISa3ViZXJu
ZXRlcy5kZWZhdWx0ghZrdWJlcm5ldGVzLmRlZmF1bHQuc3ZjgiRrdWJlcm5ldGVz
LmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCCWxvY2FsaG9zdIIObmV0a3ViZWRh
bDEwMDGCHm5ldGt1YmVkYWwxMDAxLnNvZnRsYXllci5sb2NhbIcECisAAYcEfwAA
AYcErBHAbDAKBggqhkjOPQQDAgNJADBGAiEA4+19CNPv/Nxr4eIBh3/bPTuNzQXD
yfqzzXU21EazLhgCIQDe5A/kfj8mEeHsri25WbjZSMpWiT5QVlnSqwEzThGNGA==
-----END CERTIFICATE-----
b

bland-account-99790

09/22/2022, 10:22 AM
That looks good. Why would you say that it is weak an invalid?
c

cuddly-jordan-17092

09/22/2022, 10:23 AM
Actually another team which did pen testing reported that, As per them, this shouldn't be there in their o/p 
verify error:num=20:unable to get local issuer certificate
b

bland-account-99790

09/22/2022, 10:27 AM
can you run this command: 
echo -n | openssl s_client -showcerts -connect kube1001:443 | openssl x509 -text
c

cuddly-jordan-17092

09/22/2022, 10:32 AM
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:06:19:c8:3c:d1:9b:91:77:de:c9:e5:03:25:58:b9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=TRAEFIK DEFAULT CERT
        Validity
            Not Before: Sep 22 07:11:32 2022 GMT
            Not After : Sep 22 07:11:32 2023 GMT
        Subject: CN=TRAEFIK DEFAULT CERT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:be:95:b0:a2:09:35:35:52:83:9c:34:39:68:
                    d8:5c:b9:7a:ef:e3:23:3e:58:4e:d3:09:d7:75:c8:
                    c7:b8:48:e8:5e:ef:d9:9e:62:c0:1c:43:54:a6:fe:
                    eb:fd:93:60:f7:12:f7:bf:82:55:b3:7e:7e:4a:1d:
                    8a:a1:80:ef:fe:d6:82:32:bc:eb:84:51:6f:2f:20:
                    89:1c:01:9f:f2:a7:4e:84:a5:90:40:96:95:da:ad:
                    c6:50:e8:c4:28:b2:cd:d8:3c:23:50:68:ee:93:a1:
                    5b:7a:2e:3c:92:b1:ef:3c:7d:df:ba:2a:4a:88:c3:
                    b5:e6:e8:cb:30:eb:bb:f2:ff:1c:2f:a2:62:4c:dd:
                    34:0d:9e:26:9f:64:39:32:c5:11:d3:60:86:7b:02:
                    d1:81:d8:16:aa:e9:bd:fe:01:ae:db:38:24:91:ac:
                    d7:e9:72:da:65:49:7a:e6:6d:7e:07:2d:13:09:52:
                    e9:95:ce:fb:d7:11:db:bc:97:f4:44:87:b5:26:74:
                    10:a7:aa:2e:fa:f8:33:ea:45:73:06:94:54:fe:ac:
                    b5:8d:25:37:e3:a6:3c:96:db:75:43:4a:3b:6a:a3:
                    3f:41:08:1a:e7:04:52:90:ad:49:4d:cc:67:02:3c:
                    fd:c6:8b:98:13:67:bf:bf:c4:b9:03:f3:b1:a8:ec:
                    82:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:abdedbc805ca531538573d423147342c.50f1ed025ba73e62421a807c64d521b5.traefik.default
    Signature Algorithm: sha256WithRSAEncryption
         61:e6:03:8c:ea:03:fb:79:4c:89:20:cf:62:15:71:07:a1:e3:
         dd:f7:90:02:91:f0:e9:62:3c:4a:ea:90:7e:13:6b:75:ce:0c:
         30:64:da:db:46:27:8f:ce:0f:be:b2:4a:38:b7:da:b3:8f:48:
         9b:88:e9:4e:82:1a:62:77:65:6d:3a:93:aa:c3:b2:b0:51:f3:
         69:11:5a:8c:44:e2:99:aa:1f:80:b7:16:a9:69:59:4f:2a:c0:
         f4:a1:92:2c:c1:69:ec:d5:f5:1e:35:68:c4:54:9d:06:fe:11:
         cb:c4:b6:96:bf:0b:0b:0c:f7:dd:98:62:e7:91:4e:18:6f:eb:
         b2:d5:c3:96:2e:2d:57:87:cb:7b:1b:08:f2:90:2a:46:e4:3b:
         3d:d6:32:7c:8c:d0:f8:65:da:a1:8e:c0:36:4b:10:01:ec:db:
         44:ec:71:08:79:9d:4f:cc:32:41:79:01:0d:05:6c:f4:38:39:
         96:07:b4:c8:85:a3:0b:8a:19:09:c7:8a:4c:7d:ac:0c:d1:72:
         fc:bb:48:e5:dc:f7:1b:00:55:94:93:83:c5:71:e3:7d:59:a6:
         b7:43:b9:fe:ad:12:fe:45:6a:f3:5b:7d:26:64:bd:de:9b:0f:
         bc:aa:41:bc:1f:75:0f:57:d6:7d:72:34:24:e8:64:18:0f:40:
         91:10:ca:5c
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIQFwYZyDzRm5F33snlAyVYuTANBgkqhkiG9w0BAQsFADAf
MR0wGwYDVQQDExRUUkFFRklLIERFRkFVTFQgQ0VSVDAeFw0yMjA5MjIwNzExMzJa
Fw0yMzA5MjIwNzExMzJaMB8xHTAbBgNVBAMTFFRSQUVGSUsgREVGQVVMVCBDRVJU
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu76VsKIJNTVSg5w0OWjY
XLl67+MjPlhO0wnXdcjHuEjoXu/ZnmLAHENUpv7r/ZNg9xL3v4JVs35+Sh2KoYDv
/taCMrzrhFFvLyCJHAGf8qdOhKWQQJaV2q3GUOjEKLLN2DwjUGjuk6Fbei48krHv
PH3fuipKiMO15ujLMOu78v8cL6JiTN00DZ4mn2Q5MsUR02CGewLRgdgWqum9/gGu
2zgkkazX6XLaZUl65m1+By0TCVLplc771xHbvJf0RIe1JnQQp6ou+vgz6kVzBpRU
/qy1jSU346Y8ltt1Q0o7aqM/QQga5wRSkK1JTcxnAjz9xouYE2e/v8S5A/OxqOyC
awIDAQABo4GUMIGRMA4GA1UdDwEB/wQEAwIDuDATBgNVHSUEDDAKBggrBgEFBQcD
ATAMBgNVHRMBAf8EAjAAMFwGA1UdEQRVMFOCUWFiZGVkYmM4MDVjYTUzMTUzODU3
M2Q0MjMxNDczNDJjLjUwZjFlZDAyNWJhNzNlNjI0MjFhODA3YzY0ZDUyMWI1LnRy
YWVmaWsuZGVmYXVsdDANBgkqhkiG9w0BAQsFAAOCAQEAYeYDjOoD+3lMiSDPYhVx
B6Hj3feQApHw6WI8SuqQfhNrdc4MMGTa20Ynj84PvrJKOLfas49Im4jpToIaYndl
bTqTqsOysFHzaRFajETimaofgLcWqWlZTyrA9KGSLMFp7NX1HjVoxFSdBv4Ry8S2
lr8LCwz33Zhi55FOGG/rstXDli4tV4fLexsI8pAqRuQ7PdYyfIzQ+GXaoY7ANksQ
AezbROxxCHmdT8wyQXkBDQVs9Dg5lge0yIWjC4oZCceKTH2sDNFy/LtI5dz3GwBV
lJODxXHjfVmmt0O5/q0S/kVq81t9JmS93psPvKpBvB91D1fWfXI0JOhkGA9AkRDK
XA==
-----END CERTIFICATE-----
b

bland-account-99790

09/22/2022, 10:33 AM
ok
Could you run again: 
openssl s_client -connect kube1001:6443 2>&1 | grep issuer
?, I'm very surprised you get: 
verify error:num=20:unable to get local issuer certificate
c

cuddly-jordan-17092

09/22/2022, 10:34 AM
openssl s_client -connect netkubedal1001:6443 2>&1 | grep issuer
verify error:num=20:unable to get local issuer certificate
issuer=/CN=k3s-server-ca@1649270763
b

bland-account-99790

09/22/2022, 10:40 AM
To give you some context, behind 
6443
you have kube-api directly and as you can see on the certificate, the Issuer is: 
CN=k3s-server-ca@1649270763
. Normally and by default, that uses a self-signed certificate and that is why it is weird that it can't find the local issuer certificate, Can you show me the config that it was used to deploy k3s?
c

cuddly-jordan-17092

09/22/2022, 10:42 AM
sudo cat /etc/rancher/k3s/k3s.yaml 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkakNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUyTkRreU56QTNOak13SGhjTk1qSXdOREEyTVRnME5qQXpXaGNOTXpJd05EQXpNVGcwTmpBegpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUyTkRreU56QTNOak13V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTRXNsUXg2TGtHRHZvWDhMNlhmWmlocXAzelVLUlFmS29lcFBkaG56YUsKYXpUMkFXajhqRVcxMExEUTJXU1RzOHM4TlpjYmpZYzdDd0dwZXlFbytTU3FvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTVnQjR4b0UwVEEzU09xUHNLZXlpCkI4REhhNEV3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnZm1ua1d3YmY1V214U3V5djJuVFA0eVNrWjF6a0xkNksKanIvYW5pdmhoZU1DSUF5dmtqLzFCb0cwUUNaUzMxbktxNFl2MERPek5xSnQzZTFCY0NMb0NUSDgKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: <https://127.0.0.1:6443>
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrVENDQVRlZ0F3SUJBZ0lJVmNJS0xEellydGt3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOalE1TWpjd056WXpNQjRYRFRJeU1EUXdOakU0TkRZd00xb1hEVEl6TURRdwpOakU0TkRZd00xb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJBMDl0VXJhYTd1RHViTlQKcS9Ub00wcktjWnBURW84WDhCY21xVk55UEVQK09kS1g1QmJKV1B2UkRlYzhNTjhrKy9kVXlkNXVpNnJyVkNvaQpuUS9PK3FhalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCUzBYK09IaWI3RXRSQlllVXhhTmNRbHh1M1VRVEFLQmdncWhrak9QUVFEQWdOSUFEQkYKQWlCWVRObUN1TGNNRUU1bEpjM0JPTUZkV3RPNFRJRGNNVHEvQlNRYWwxNUpFQUloQU5Sc1lSWC9VVVhiRUhxMApmdEJodDVsZ3h6cnlwUkViMzNwV2FLTGlZRm5ECi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUyTkRreU56QTNOak13SGhjTk1qSXdOREEyTVRnME5qQXpXaGNOTXpJd05EQXpNVGcwTmpBegpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUyTkRreU56QTNOak13V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFSSS94ekptdWRNY0owVDRJc0c1bEZIMXkvNFBTNkJxdktLN09CelJKb0oKcUpmZVhIT3AzWWJxSmZYQWlaMXhJRU11YVBxMnNCVTFGMFdTb0I2U2MrYzNvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVXRGL2poNG0reExVUVdIbE1XalhFCkpjYnQxRUV3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnTnRpU3A4OU5tUXJ0d0xMcnhBTU1EWjhFcEhZUjlsaWMKSkl1Q0RHd0R4bVFDSVFEV1liSFRaYytraS9jR1BGbkVxSDVSU0hIb2J1ZUxXM3FDS0pOT2RqRzVLZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURJcnZYb0V3VTlFVkFZM1Fxc3B3YUwzVFE2TWY0a2g3bzZNQ3FQU2xHTXBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFRFQyMVN0cHJ1NE81czFPcjlPZ3pTc3B4bWxNU2p4ZndGeWFwVTNJOFEvNDUwcGZrRnNsWQorOUVONXp3dzN5VDc5MVRKM202THF1dFVLaUtkRDg3NnBnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
b

bland-account-99790

09/22/2022, 10:44 AM
Behind 
443
and 
80
, you have the ingress controller (you can check by running 
kubectl get services -A
). By default in k3s, you get traefik as the ingress controller. I am not sure how does traefik get the certificate by default but it is probably using one itself which of course is not part of the local issuer certificate by default. I need to ask about this but I guess, users are expected to configure Traefik TLS instead of using the default, if they want to avoid that error
c

cuddly-jordan-17092

09/22/2022, 10:47 AM
sudo kubectl get services -A
NAMESPACE          NAME                          TYPE           CLUSTER-IP      EXTERNAL-IP                                    PORT(S)                              AGE
default            kubernetes                    ClusterIP      10.43.0.1       <none>                                         443/TCP                              168d
kube-system        kube-dns                      ClusterIP      10.43.0.10      <none>                                         53/UDP,53/TCP,9153/TCP               168d
kube-system        metrics-server                ClusterIP      10.43.66.79     <none>                                         443/TCP                              168d
kube-system        traefik                       LoadBalancer   10.43.95.73     172.17.192.108,172.21.192.186,172.21.192.188   80:30132/TCP,443:32654/TCP           168d
tekton-pipelines   tekton-pipelines-controller   ClusterIP      10.43.42.255    <none>                                         9090/TCP,8008/TCP,8080/TCP           168d
tekton-pipelines   tekton-pipelines-webhook      ClusterIP      10.43.139.212   <none>                                         9090/TCP,8008/TCP,443/TCP,8080/TCP   168d
sorry, i am not yet full equipped with this technologiy, but i have this created in server 
apiVersion: <http://traefik.containo.us/v1alpha1|traefik.containo.us/v1alpha1>
kind: TLSOption
metadata:
  name: default
  namespace: default

spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
b

bland-account-99790

09/22/2022, 10:58 AM
Can you share 
cat /etc/rancher/k3s/config.yaml
? That's where the config is
c

cuddly-jordan-17092

09/22/2022, 10:59 AM
I don't have config.yaml , but have one with k3s.yaml 
[gmadaka@netkubedal1001 ~]$ sudo cat /etc/rancher/k3s/k3s.yaml 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkakNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUyTkRreU56QTNOak13SGhjTk1qSXdOREEyTVRnME5qQXpXaGNOTXpJd05EQXpNVGcwTmpBegpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUyTkRreU56QTNOak13V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTRXNsUXg2TGtHRHZvWDhMNlhmWmlocXAzelVLUlFmS29lcFBkaG56YUsKYXpUMkFXajhqRVcxMExEUTJXU1RzOHM4TlpjYmpZYzdDd0dwZXlFbytTU3FvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTVnQjR4b0UwVEEzU09xUHNLZXlpCkI4REhhNEV3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnZm1ua1d3YmY1V214U3V5djJuVFA0eVNrWjF6a0xkNksKanIvYW5pdmhoZU1DSUF5dmtqLzFCb0cwUUNaUzMxbktxNFl2MERPek5xSnQzZTFCY0NMb0NUSDgKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: <https://127.0.0.1:6443>
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrVENDQVRlZ0F3SUJBZ0lJVmNJS0xEellydGt3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOalE1TWpjd056WXpNQjRYRFRJeU1EUXdOakU0TkRZd00xb1hEVEl6TURRdwpOakU0TkRZd00xb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJBMDl0VXJhYTd1RHViTlQKcS9Ub00wcktjWnBURW84WDhCY21xVk55UEVQK09kS1g1QmJKV1B2UkRlYzhNTjhrKy9kVXlkNXVpNnJyVkNvaQpuUS9PK3FhalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCUzBYK09IaWI3RXRSQlllVXhhTmNRbHh1M1VRVEFLQmdncWhrak9QUVFEQWdOSUFEQkYKQWlCWVRObUN1TGNNRUU1bEpjM0JPTUZkV3RPNFRJRGNNVHEvQlNRYWwxNUpFQUloQU5Sc1lSWC9VVVhiRUhxMApmdEJodDVsZ3h6cnlwUkViMzNwV2FLTGlZRm5ECi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUyTkRreU56QTNOak13SGhjTk1qSXdOREEyTVRnME5qQXpXaGNOTXpJd05EQXpNVGcwTmpBegpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUyTkRreU56QTNOak13V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFSSS94ekptdWRNY0owVDRJc0c1bEZIMXkvNFBTNkJxdktLN09CelJKb0oKcUpmZVhIT3AzWWJxSmZYQWlaMXhJRU11YVBxMnNCVTFGMFdTb0I2U2MrYzNvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVXRGL2poNG0reExVUVdIbE1XalhFCkpjYnQxRUV3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnTnRpU3A4OU5tUXJ0d0xMcnhBTU1EWjhFcEhZUjlsaWMKSkl1Q0RHd0R4bVFDSVFEV1liSFRaYytraS9jR1BGbkVxSDVSU0hIb2J1ZUxXM3FDS0pOT2RqRzVLZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURJcnZYb0V3VTlFVkFZM1Fxc3B3YUwzVFE2TWY0a2g3bzZNQ3FQU2xHTXBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFRFQyMVN0cHJ1NE81czFPcjlPZ3pTc3B4bWxNU2p4ZndGeWFwVTNJOFEvNDUwcGZrRnNsWQorOUVONXp3dzN5VDc5MVRKM202THF1dFVLaUtkRDg3NnBnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
b

bland-account-99790

09/22/2022, 11:13 AM
ah ok, can you show me: 
kubectl get nodes -o yaml | grep <http://k3s.io/|k3s.io/>
BTW, what OS are you using?
c

cuddly-jordan-17092

09/22/2022, 11:15 AM
sudo kubectl get nodes -o yaml | grep <http://k3s.io/|k3s.io/>
[sudo] password for gmadaka: 
      <http://k3s.io/hostname|k3s.io/hostname>: netkubedal1001.softlayer.local
      <http://k3s.io/internal-ip|k3s.io/internal-ip>: 172.17.192.108
      <http://k3s.io/node-args|k3s.io/node-args>: '["server"]'
      <http://k3s.io/node-config-hash|k3s.io/node-config-hash>: 5QFVFOUYVVEYZTAKZ47ZLFVH7TT264YJQLFANKIZQLCB7OIFGNYA====
      <http://k3s.io/node-env|k3s.io/node-env>: '{"K3S_DATA_DIR":"/var/lib/rancher/k3s/data/31ff0fd447a47323a7c863dbb0a3cd452e12b45f1ec67dc55efa575503c2c3ac"}'
      <http://k3s.io/hostname|k3s.io/hostname>: netkubedal1202.softlayer.local
      <http://k3s.io/internal-ip|k3s.io/internal-ip>: 172.21.192.188
      <http://k3s.io/node-args|k3s.io/node-args>: '["agent"]'
      <http://k3s.io/node-config-hash|k3s.io/node-config-hash>: PFN4PEGGH7BZDZUSCEHC2DRANHNYDEGGMBH575I6YFOUZOS3PR5Q====
      <http://k3s.io/node-env|k3s.io/node-env>: '{"K3S_DATA_DIR":"/var/lib/rancher/k3s/data/31ff0fd447a47323a7c863dbb0a3cd452e12b45f1ec67dc55efa575503c2c3ac","K3S_TOKEN":"********","K3S_URL":"<https://netkubedal1001.softlayer.local:6443>"}'
      <http://k3s.io/hostname|k3s.io/hostname>: netkubedal1201.softlayer.local
      <http://k3s.io/internal-ip|k3s.io/internal-ip>: 172.21.192.186
      <http://k3s.io/node-args|k3s.io/node-args>: '["agent"]'
      <http://k3s.io/node-config-hash|k3s.io/node-config-hash>: PFN4PEGGH7BZDZUSCEHC2DRANHNYDEGGMBH575I6YFOUZOS3PR5Q====
      <http://k3s.io/node-env|k3s.io/node-env>: '{"K3S_DATA_DIR":"/var/lib/rancher/k3s/data/31ff0fd447a47323a7c863dbb0a3cd452e12b45f1ec67dc55efa575503c2c3ac","K3S_TOKEN":"********","K3S_URL":"<https://netkubedal1001.softlayer.local:6443>"}'
cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
b

bland-account-99790

09/22/2022, 12:58 PM
This might be helpful for you https://github.com/k3s-io/k3s/issues/1868
After some time looking into this, I believe the problem you are seeing is pretty normal. k3s is generating self-signed certificates, i.e. it creates a private key and that same private key is signing the certificate. That is pretty normal to do in projects. However, if you don't want to see that error, you should pass your own certificates signed by official authorities. Your OS contains a list of official authorities certificates and will check if the certificate is signed by any of these. Since you are signing your own certificate, you are the "official authority" and the OS does not know you, that's why it is complaining. There are also ways to make the OS include your certificate as part of the "official authorities" and that should also remove the error: https://support.kaspersky.com/ScanEngine/1.0/en-US/182984.htm
2 Views
#k3sJoin Slack
Powered by