cyberark / kubeletctl

A client for kubelet

tls: failed to find any PEM data in certificate input

zeph opened this issue · comments

tls: failed to find any PEM data in certificate input

this is all I get back... my KUBECONFIG is properly set, I
daily work with it switching between several configurations

seems the kubeletctl is not handling this yaml section properly

clusters:
- cluster:
    certificate-authority-data: xyz

Hi, thank you for reporting.
I will try to reproduce it and check.

Meanwhile,
does it work if you run it with the certificate files as arguments? Like this:

kubeletctl.exe pods -s <node_ip> --cacert /etc/kubernetes/pki/ca.crt --cert /var/lib/kubelet/pki/kubelet-client-current.pem --key /var/lib/kubelet/pki/kubelet-client-current.pem

Are you using a cloud deployment such as AKE, EKS, etc. or something else?
What are the authentication and authorization settings in the kubelet config file (/var/lib/kubelet/config.yaml) inside the target node? I am interested in these fields (an example):

apiVersion: kubelet.config.k8s.io/v1beta1 
authentication: 
  anonymous: 
    enabled: false      
    ... 
authorization: 
    mode: Webhook 

@zeph any update?

getting the same issue

export KUBECONFIG=~/.kube/config

[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2021/02/24 18:30:23 tls: failed to find any PEM data in certificate input

same here

[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2021/10/28 15:13:34 tls: failed to find any PEM data in certificate input

@zeph any update?

I didn't step into this in a long time, sorry... I have nothing to add
(but seems some other folks are stepping into it)

this tool is unable to read certificate-authority-data from Kubeconfig

kubeletctl
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2022/05/10 03:22:05 tls: failed to find any PEM data in certificate input

Hi everyone,

We did a number of tests from two machines and it worked for us.
We noticed that kubeletctl knows how to read PEM fields; the problem is caused by a bad PEM inside the config file.

Do you use the following fields?

  • certificate-authority-data
  • client-certificate-data
  • client-key-data

If yes, these fields should be in base64. It also shouldn't have multiple rows, the base64 should be in one row.

Can you please share with us an example of how it appears in your config file?
No need to share private data, you can blur most of it, we just want to understand.

We were able to reproduce it by using wrong data inside the field client-certificate-data.
For example:

 client-certificate-data: MIIDCjCCAfKg...zraDpdn4jg=

You can get it by running:

 cat /root/.minikube/ca.crt

Fix it to be a one-liner and add it to client-certificate-data, inside the config file.

I explained it to someone else in #8 who experienced a similar issue:
The certificate-authority-data, client-certificate-data and client-key-data should be in base64.

Another way with a misconfigured config file:

root@manager1:/home/cyber# ./kubeletctl_linux_amd64 pods
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2022/09/12 06:23:01 tls: failed to find any PEM data in certificate input
root@manager1:/home/cyber# cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    extensions:
    - extension:
        last-update: Mon, 05 Sep 2022 12:55:19 UTC
        provider: minikube.sigs.k8s.io
        version: v1.26.1
      name: cluster_info
    server: https://192.168.49.2:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Mon, 05 Sep 2022 12:55:19 UTC
        provider: minikube.sigs.k8s.io
        version: v1.26.1
      name: context_info
    namespace: default
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
root@manager1:/home/cyber#

sorry @g3rzi ...I can't recall how and if I circumvented this... I had a specific use case in which I had to be sure I had only one configuration in there and not several as I normally do, composing the env variable KUBE_CONFIG ... I'll close it, unless someone else can provide you more info (I guess they can reopen it)

thanks for the effort spent looking into it, I feel guilty I can't provide more info

Thanks, sorry for the delay. I will keep watching for someone having the same issue. From our checks from different computers it seems a wrong config file but maybe we are missing something.

Running into same issue, I am on EKS. Structure of ~/.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJTRIMMEDGSUNBVEUtLS0tLQo=
    server: https://TRIMMED.eks.amazonaws.com
  name: arn:aws:eks:TRIMMED:cluster/TRIMMED-cluster
contexts:
- context:
    cluster: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
    user: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
current-context: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - TRIMMED
      - eks
      - get-token
      - --cluster-name
      - TRIMMED-cluster
      command: aws
      env:
      - name: AWS_PROFILE
        value: my-profile

@karthikeayan thanks,
I suppose you removed some of the data because you are publishing it here, right?

certificate-authority-data: LS0tLS1CRUdJTiBDRVJTRIMMEDGSUNBVEUtLS0tLQo=

If yes, can you make sure it is in one line?

@g3rzi you are right. I removed it to reduce noise. Yes, it is one line. I read your comments above and I don't think I have any issues with certificate-authority-data.

OK, interesting.
We were able to reproduce it on EKS, we are working on it, thank you.

Quick update, the problem is because we are not supporting:

- name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - TRIMMED
      - eks
      - get-token
      - --cluster-name
      - TRIMMED-cluster
      command: aws

We are working to support the execution of aws to get the token for EKS.
Btw, by using the kubiscan-sa service account it will work:

--cacert ca.crt -s <node_ip> --token eyJhbG... pods

Hi @karthikeayan,

We published a release for version 1.9 which supports EKS, you can check it.
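
The error string in this thread is the one Go's crypto/tls.X509KeyPair returns when the certificate input contains no PEM block. The following is an added example, not kubeletctl's code: it assumes a client that base64-decodes client-certificate-data and client-key-data and loads the result with that call, and shows that base64 of the bare certificate body and an empty user section (as in the minikube and exec-based EKS configs above) both end in the same message. `checkPair` and `sample` are hypothetical names, and the key pair is generated on the fly as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkPair decodes kubeconfig-style client-certificate-data and
// client-key-data (base64 of PEM) and loads them the way a Go TLS client does.
func checkPair(certData, keyData string) error {
	certPEM, err := base64.StdEncoding.DecodeString(certData)
	if err != nil {
		return fmt.Errorf("client-certificate-data is not base64: %w", err)
	}
	keyPEM, err := base64.StdEncoding.DecodeString(keyData)
	if err != nil {
		return fmt.Errorf("client-key-data is not base64: %w", err)
	}
	_, err = tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// sample builds a throwaway self-signed pair (constructed data) and returns
// good = base64(PEM cert), bad = base64(DER cert, i.e. the PEM body without
// BEGIN/END lines), key = base64(PEM key).
func sample() (good, bad, key string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: "constructed-example"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	keyDER, _ := x509.MarshalECPrivateKey(priv)
	b64 := base64.StdEncoding.EncodeToString
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return b64(certPEM), b64(der), b64(keyPEM)
}

func main() {
	good, bad, key := sample()
	fmt.Println(checkPair(good, key), "|", checkPair(bad, key), "|", checkPair("", ""))
}
```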