etcd-01 Unhealthy Get https://10.240.0.11:2379/health: remote error: tls: bad certificate

[kapanak]

I followed this tutorial, but I get an error
etcd-1 Unhealthy Get https://10.240.0.11:2379/health: remote error: tls: bad certificate
And all the other etcd nodes when trying to do

kubectl get componentstatuses

in step 5. What this can be related to?

[maltekrupa]

I hit the same problem and concluded that it might have something to do with kubernetes/kubernetes#29330 which should be resolved by kubernetes/kubernetes#39716

But this is only a wild guess.

[saward]

Testing with the following reports that it's healthy, so it does indeed seem to be a problem with Kubernetes:

sudo etcdctl --debug --endpoints https://10.240.0.10:2379 --ca-file /var/lib/kubernetes/ca.pem --key-file /var/lib/kubernetes/kubernetes-key.pem --cert-file /var/lib/kubernetes/kubernetes.pem cluster-health

[saward]

Seems that this is just an error with the report on health (which the issues that @Temal are also claiming). I finished the remaining steps, and everything worked.

[domix]

Using kubernetes v1.7.0-alpha.3 it works very well, the PR kubernetes/kubernetes#39716 is merged in https://github.com/kubernetes/kubernetes/releases/tag/v1.7.0-alpha.3

[timc3]

Just a note to say that I am getting the same, but I haven't tried with a v1.7 version yet...

[patrickshan]

yeah, I got the same error here. After upgrading to latest "v1.7.0-alpha.3", problem solved.

[Bo0mer]

Same here, upgrading to latest "v1.7.0-alpha.3" solves the issue.

[MichaelMcClanahan]

@Bo0mer - Could you share the steps to upgrade to "v1.7.0-alpha.3"? I am not finding the actual binary.

[Bo0mer]

Just replace v1.6.1 in the urls with v1.7.0-alpha.3, e.g. https://storage.googleapis.com/kubernetes-release/release/v1.7.0-alpha.3/bin/linux/amd64/kube-apiserver.

And there is alpha.4 already, so I guess you could try it also.

[crmejia]

Maybe an issue with compatibility? When I check etcd health i get the following:

controller0:~$ sudo etcdctl --ca-file=/etc/etcd/ca.pem --cert-file=/etc/etcd/kubernetes.pem --key-file=/etc/etcd/kubernetes-key.pem cluster-health

2017-06-05 12:18:22.330990 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated 2017-06-05 12:18:22.331993 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated member 3a57933972cb5131 is healthy: got healthy result from https://10.240.0.12:2379 member f98dc20bce6225a0 is healthy: got healthy result from https://10.240.0.10:2379 member ffed16798470cab5 is healthy: got healthy result from https://10.240.0.11:2379 cluster is healthy

My guess is that kubectl is marking the issue as a failure instead of a deprecation warning?

[clairethebear]

I got the same error - trying the steps twice incase I made a mistake and openssl working fine over TLS: openssl s_client -connect 10.240.10:2379 -CApath ~/

[kelseyhightower]

I've updated all the docs. This should be fixed now.