Docker for Mac/Kubernetes, x509: certificate is not valid for any names

Question

Docker for Mac/Kubernetes, x509: certificate is not valid for any names

ckbridge opened this issue 4 years ago · comments

I tried this on Docker for Mac 3.0.4 with Kubernetes and when it attempts to create a test Pod it gives,
kubectl apply -f test-pods/test1.yaml --dry-run=server Error from server (InternalError): error when creating "test-pods/test1.yaml": Internal error occurred: failed calling webhook "warden.validation.svc": Post "https://warden.validation.svc:443/validate?timeout=10s": x509: certificate is not valid for any names, but wanted to match warden.validation.svc

any ideas? thanks.

Lokesh · Answer 1 · Tue Jun 01 2021 22:39:05 GMT+0800 (China Standard Time)

I think the latest changes to ./certgen.sh fixes that but I see the below error message in the warden pod logs. Looks like there is some problem with the ./certgen.sh script. If I generate the certificate and image in one system and deploy the app in another system will that leads to this error?

$ kubectl logs warden -n validation
 * Running on https://0.0.0.0:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 245-261-226
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/threading.py", line 805, in __bootstrap_inner
    self.run()
  File "/usr/lib64/python2.7/threading.py", line 758, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 965, in inner
    fd=fd,
  File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 823, in make_server
    host, port, app, request_handler, passthrough_errors, ssl_context, fd=fd
  File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 726, in __init__
    self.socket = ssl_context.wrap_socket(sock, server_side=True)
  File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 614, in wrap_socket
    **kwargs
  File "/usr/lib64/python2.7/ssl.py", line 931, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 542, in __init__
    self._context.load_cert_chain(certfile, keyfile)
SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:2834)

Pavel Mores · Answer 2 · Wed Jun 02 2021 01:12:22 GMT+0800 (China Standard Time)

@lokeshwaran100 I'm struggling with the same problem - please post if you manage to get any progress!

Pavel Mores · Answer 3 · Thu Jun 03 2021 00:52:03 GMT+0800 (China Standard Time)

@lokeshwaran100 I managed to make it work. I believe the mismatch is caused by the fact that when warden.crt is generated in the second to last command in certgen.sh, ca.key is used. This doesn't seem to be right, we're creating a self-signed certificate there so the matching signkey is warden.key.

Apart from that, the pipe in the last command looks dubious. I removed that and made the cp and openssl rsa just two independent commands

Lokesh · Answer 4 · Thu Jun 03 2021 12:33:12 GMT+0800 (China Standard Time)

@pmores: I've created by own certgen.sh script and server.conf. With this I'm able to get it to work

certgen.sh

keydir="certs"
cd "$keydir"

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca"
openssl genrsa -out warden.key 2048
openssl req -new -key warden.key -out warden.csr -subj "/CN=warden.validation.svc" -config ../server.conf
openssl x509 -req -in warden.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out warden.crt -days 100000 -extensions v3_req -extfile ../server.conf

cp warden.crt wardencrt.pem
cp warden.key wardenkey.pem

server.conf

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1   = warden.validation.svc