[英]kubectl exec fails “cannot validate certificate because it doesn't contain any IP SANs”
我正在嘗試使用kubectl exec進入我的一個容器,但我遇到了這個錯誤。
$ kubectl exec -it ubuntu -- bash
error: Unable to upgrade connection: {
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "x509: cannot validate certificate for <worker_node_ip> because it doesn't contain any IP SANs",
"code": 500
}
我已根據本指南https://coreos.com/kubernetes/docs/1.0.6/configure-kubectl.html為我的CA證書和管理密鑰等配置了kubectl
我還在API服務器的日志中發現了同樣的錯誤
E1125 17:33:16.308389 1 errors.go:62] apiserver received an error that is not an unversioned.Status: x509: cannot validate certificate for <worker_node_ip> because it doesn't contain any IP SANs
這是否意味着我在我的worker / master節點或本地機器上的kubectl上錯誤地配置了證書?
如果您使用此命令創建證書:
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem
然后通過執行以下操作可以解決您的問題,因為'client'證書使用-extfile extfile.cnf:
echo subjectAltName = IP:worker_node_ip > extfile.cnf
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
-out server-cert.pem -extfile extfile.cnf
您可以指定任意數量的IP地址,例如IP:127.0.0.1,IP:127.0.1.1(非localhost)。
如果您將Kubernetes與Google容器群集一起使用,這可能會解決問題,因為它對我有用:
gcloud container clusters get-credentials <cluster-name> \
--project <project-name> --zone <zone>
該消息來自主設備嘗試連接到節點(流量是kubectl -> master API -> kubelet -> container )。 啟動主服務器時,您是否設置了--kubelet_certificate_authority ? 如果是這樣,主服務器希望能夠驗證kubelet的服務證書,這意味着它需要對主服務器用於連接它的主機名/ IP地址有效。
無法驗證ip的證書,因為它不包含任何IP SAN
[英]Cannot validate certificate for ip because it doesn't contain any IP SANs
Docker上的Vault TLS - 無法驗證127.0.0.1的證書,因為它不包含任何IP SAN
[英]Vault TLS on Docker - cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
Vault On GKE - x509:無法驗證 127.0.0.1 的證書,因為它不包含任何 IP SAN
[英]Vault On GKE - x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
x509:無法驗證 <<HOST IP> > 因為它不包含任何 IP SAN - Hyperledger Fabric-CA
[英]x509: cannot validate certificate for <<HOST IP>> because it doesn't contain any IP SANs - Hyperledger Fabric-CA
mongodump 錯誤:x509:無法驗證證書<server-IP>因為它不包含任何 IP SAN
[英]mongodump error: x509: cannot validate certificate for <server-IP> because it doesn't contain any IP SANs
Filebeat無法連接到Logstash,因為證書不包含任何IP SAN
[英]Filebeat cannot connect to Logstash because certificate does not contain any IP SANs
MinIO + Docker - 不能使用新版本的 SSL 證書(x509 不包含任何 IP sans)
[英]MinIO + Docker - cannot use SSL certificate with new version (x509 doesn't contain any IP sans)
證書主題不包含通用名稱且沒有替代名稱
[英]Certificate subject for doesn't contain a common name and does not have alternative names
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.