Still a problem. Works on some machines and doesn’t on the others. Every single one of them has a different IP, I would like to note.
These commands have been executed before:
sudo apt-get install -y apt-transport-https ca-certificates curl gnupg software-properties-common curl
sudo apt install socat -y
The system also allows iptables to see bridged traffic:
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
sudo modprobe overlay
sudo modprobe br_netfilter
# sysctl params required by setup, params persist across reboots
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# Apply sysctl params without reboot
sudo sysctl --system
Here is the verbose output of curl:
root@worker-0:~# sudo curl -v -fsSL https://pkgs.k8s.io/core:/stable:/v1.31/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
File '/etc/apt/keyrings/kubernetes-apt-keyring.gpg' exists. Overwrite? (y/N) * Host pkgs.k8s.io:443 was resolved.
* IPv6: 2600:1901:0:26f3::
* IPv4: 34.107.204.206
* Trying 34.107.204.206:443...
* Connected to pkgs.k8s.io (34.107.204.206) port 443
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [5116 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=k8s.io
* start date: Sep 3 11:47:04 2024 GMT
* expire date: Dec 2 12:22:43 2024 GMT
* subjectAltName: host "pkgs.k8s.io" matched cert's "pkgs.k8s.io"
* issuer: C=US; O=Google Trust Services; CN=WR3
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
} [5 bytes data]
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://pkgs.k8s.io/core:/stable:/v1.31/deb/Release.key
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: pkgs.k8s.io]
* [HTTP/2] [1] [:path: /core:/stable:/v1.31/deb/Release.key]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
} [5 bytes data]
> GET /core:/stable:/v1.31/deb/Release.key HTTP/2
> Host: pkgs.k8s.io
> User-Agent: curl/8.5.0
> Accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [284 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [284 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 403
< content-type: text/html; charset=UTF-8
< referrer-policy: no-referrer
< content-length: 330
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
* The requested URL returned error: 403
* Connection #0 to host pkgs.k8s.io left intact
curl: (22) The requested URL returned error: 403
Curl is not the problem here; the fetch just fails on the side of pkgs.k8s.io.
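
Added example, not part of the original post: in the `curl | gpg --dearmor` pipeline above, gpg starts (and prompts to overwrite the keyring) whether or not the download succeeded. The sketch below downloads to a temporary file, checks the HTTP status and the content, and only then replaces the keyring; the function names `is_armored_pgp_key` and `fetch_apt_key` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from any project.

# is_armored_pgp_key FILE
# Succeeds only if FILE is non-empty and carries the ASCII-armor header and
# footer of an OpenPGP public key, so an HTML error body is rejected.
is_armored_pgp_key() {
    local f="$1"
    [ -s "$f" ] || return 1
    grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f" || return 1
    grep -q '^-----END PGP PUBLIC KEY BLOCK-----' "$f" || return 1
    return 0
}

# fetch_apt_key URL DEST
# Writes DEST only after both the HTTP status and the payload are checked.
fetch_apt_key() {
    local url="$1" dest="$2" tmp status rc=0
    tmp="$(mktemp)" || return 1
    # No -f here: we want the status code itself, reported via -w.
    status="$(curl -sSL -o "$tmp" -w '%{http_code}' "$url")" || {
        rm -f "$tmp"; return 1
    }
    if [ "$status" != "200" ]; then
        echo "fetch failed: HTTP $status from $url" >&2
        rm -f "$tmp"; return 1
    fi
    if ! is_armored_pgp_key "$tmp"; then
        echo "response is not an armored PGP public key" >&2
        rm -f "$tmp"; return 1
    fi
    # --batch --yes replaces an existing keyring without the interactive
    # "Overwrite? (y/N)" prompt seen in the output above.
    gpg --batch --yes -o "$dest" --dearmor "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (run as root; URL and path are the ones from the post):
# fetch_apt_key https://pkgs.k8s.io/core:/stable:/v1.31/deb/Release.key \
#     /etc/apt/keyrings/kubernetes-apt-keyring.gpg
```

On a 403 this leaves any existing keyring untouched and prints the status, instead of handing gpg an empty stream.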