Hello,
thanks for the great work this community is doing.
I’ve successfully generated my first let’s encrypt, configured https on haproxy and all good.
i’m using “kubectl” on macOS 10.15 communicating with the haproxy https interface, this gives an error of Unable to connect to the server: x509: certificate signed by unknown authority
curl and chrome seem to work ok.
i am doubting this has something to do with Catalina and golang
My domain is: hclcnlabs.com (privately hosted so not reachable over the internet)
I ran this command:
It produced this output:
My web server is (include version):
haproxy 2.0 on ubuntu 18.04
I can login to a root shell on my machine (yes or no, or I don’t know):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
1.1.0 on macOS (generated the certificate manul using dns)
case CSSMERR_TP_INVALID_ANCHOR_CERT:
case CSSMERR_TP_NOT_TRUSTED:
case CSSMERR_TP_INVALID_CERT_AUTHORITY:
return CERT_STATUS_AUTHORITY_INVALID;
case CSSMERR_TP_CERT_EXPIRED:
case CSSMERR_TP_CERT_NOT_VALID_YET:
// "Expired" and "not yet valid" collapse into a single status.
return CERT_STATUS_DATE_INVALID;
case CSSMERR_TP_CERT_REVOKED:
case CSSMERR_TP_CERT_SUSPENDED:
return CERT_STATUS_REVOKED;
So if your server isn't able to connect Letsencrypt, it's not possible to check the revocation status of the certificate.
Is it possible to use the same code to connect https://letsencrypt.org/ to see if that works?
It seems like your Kubernate attempts to use a self-signed certificate (with their own CA).
Your Let’s Encrypt certificate is chained up to valid CA root.
The first error message stated that the certificate is signed by unknown authority, which means the CA (Let's Encrypt) is unknown to the trust store this software used.
When I ask you to run the above command, I can see that the certificate is a leaf certificate, not the pre-certificate (@JuergenAuer's concern). (From the output of certificate code)
While your OpenSSL successfully connects to your website (with s_client), it means your system's CA store contains the root CA.
Then I looked up the certificate issue with Kubernetes, and it seems like if you use a CA other than the CA your software-generated (self-sign), there's this issue. (It's in the other GitHub thread)
I’d presume that the kubernetes issue is not relevant, as i’ve setup the loadbalancer to offload TLS. I’m not expecting the TLS handshake to take place with the backend of the loadbalancer.
Does this make sense? i guess the only point that i’ve not acted at all now is the pre-certificate. any guidance on what i need to achieve there?
When i asked for the OpenSSL output, it showed that the certificate you used is not a pre-certificate. (As you can see after decode, their CT field is different)
However, my knowledge stopped at this point... so i'm not sure what would be the issues here.
Based on the other information (error):
I'm getting confused by this since Let's Encrypt's certificate showed a correct EKU, which shouldn't have this error.
When you are running kubectl, what would happen if you append command below: --kubelet-certificate-authority=path-to-a-copy-of-root-ca (Let's Encrypt CA Chain) --kubelet-client-certificate=path-to-your-let's-encrypt-certificate --kubelet-client-key=path-to-your-let's-encrypt-certificate-key
those flags are not for kubectl, they are flags for the kubernetes api-server that would run on a kubernetes server.
in this case kubectl is just a client on a workstation (the macos one) sending requests to haproxy which is expected to offload TLS traffic then establish another one.
Apologize but that’s all I know about Kubernetes (or anything related to that). I still believe it’s a validation issue between your kubectl client and the server, as you said there’s no issue for curl or other programs to access the same port.
I would suggest you seek help from Kubernetes forums (as I don’t know who in this forum knows Kubernetes, maybe there are hidden gems ) or GitHub.
My last attempt (highly dangerous):
According to this answer: https://stackoverflow.com/a/57701551 and GitHub issue, you can try to connect to your cluster (or proxy) with --insecure-skip-tls-verify=true, which would at least allow you to bypass the CA certificate issue and investigate on what happened (or why it’s saying certificate signed by unknown authority).
(From my basic knowledge, I assume that if you can reach your intended target after bypass the certificate validation, then there’s some issue with the CA cert validation for your client machine.)
Apologize again, but that’s all I know (or can look up from Google).