User authentication failing

I’ve followed every step under Certificate Signing Requests | Kubernetes but I’m getting the following error when attempting to authenticate:

Unable to connect to the server: tls: failed to find any PEM data in certificate input

I’ve verified that the certificate value at status.certificate in the approved/issued csr is the same value that’s in client-certificate-data.

$ kubectl get csr ken
NAME   AGE   SIGNERNAME                            REQUESTOR          CONDITION
ken    38m   kubernetes.io/kube-apiserver-client   kubernetes-admin   Approved,Issued

What am I missing here?

Cluster information:

Kubernetes version: 1.19.2
Cloud being used: Virtualbox
Installation method: kubeadm
Host OS: Ubuntu 20.04
CNI and version: calico v3.17.1

I ended up fixing this by manually editing my kube config and replacing the value in client-certificate-data with the string in status.certificate. I’m thinking the crt file that I created with the contents of the certificate needed to be in PEM format and wasn’t.

For posterity:

Creating a new user on a pure Kubernetes 1.19.2 cluster:

Step 1 Create private key

openssl genrsa -out ken.key 2048

Step 2 Create CSR

openssl req -new -key ken.key -out ken.csr -subj "/CN=ken"

Step 3 Create Kubernetes certificate

Get the csr request in base64 and replace it in /vagrant/ubuntu/user/csr.yaml.orig
with a new file /vagrant/ubuntu/user/csr.yaml.generated

Then run kubectl apply -f /vagrant/ubuntu/user/csr.yaml.generated

Step 4 Approve CSR

kubectl certificate approve ken

Step 5 Create Namespace

kubectl create ns ken

Step 5 Create Role

kubectl create -f /vagrant/ubuntu/user/role.yaml

Step 6 Create Role Binding

kubectl create -f /vagrant/ubuntu/user/rolebinding.yaml

Step 7 Download Certificate

kubectl get csr/ken -o jsonpath="{.status.certificate}"

to /vagrant/ubuntu/user/ken.crt

Step 8 Create User

kubectl config set-credentials ken --client-key=/vagrant/ubuntu/user/ken.key --client-certificate=/vagrant/ubuntu/user/ken.crt --embed-certs=true

Replace the contents of client-certificate-data in ~/.kube/config with the string from Step 7

Step 8 Create Context

kubectl config set-context ken --cluster=kubernetes --user=ken

Step 9 Test Context

kubectl config use-context ken
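The error in this thread is consistent with one base64 layer too many: `.status.certificate` is base64-encoded PEM, so a `.crt` file holding that string undecoded gets encoded a second time by `--embed-certs=true`. The following is an added example, not part of the original post, that counts the base64 layers around a certificate so the mismatch can be caught before editing the kubeconfig. The function names and the placeholder PEM are constructed for illustration, and it assumes a `base64` utility that supports `-d`.

```shell
# Constructed sample: placeholder PEM text, not a real certificate.
sample_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=' '-----END CERTIFICATE-----'
}

# Single-line base64, the form a kubeconfig stores.
b64() { base64 | tr -d '\n'; }

# Read a certificate blob on stdin and print how many base64 layers wrap it:
#   0 = PEM text (what a file given to --client-certificate must contain)
#   1 = base64 of PEM (.status.certificate, client-certificate-data)
#   2 = base64 of base64 (undecoded file embedded with --embed-certs=true)
# Prints "invalid" and returns 1 if no PEM header shows up within two layers.
pem_layers() {
  local data layer
  data=$(cat)
  for layer in 0 1 2; do
    if printf '%s\n' "$data" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
      echo "$layer"
      return 0
    fi
    # Peel one base64 layer; stop early if the data is not base64 at all.
    data=$(printf '%s' "$data" | tr -d '\n' | base64 -d 2>/dev/null) || break
  done
  echo invalid
  return 1
}

# A value destined for client-certificate-data must be exactly one layer deep.
kubeconfig_value_ok() { [ "$(pem_layers)" = 1 ]; }

# A file passed to --client-certificate must already be PEM.
cert_file_ok() { [ "$(pem_layers)" = 0 ]; }

sample_pem | pem_layers               # PEM file
sample_pem | b64 | pem_layers         # like .status.certificate
sample_pem | b64 | b64 | pem_layers   # undecoded file after --embed-certs
```

Against a real cluster, `kubectl get csr/ken -o jsonpath="{.status.certificate}" | pem_layers` shows which form the Step 7 output is in, and `cert_file_ok < ken.crt` checks the file before Step 8.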