
Error loading custom CA bundle #3524

Closed
philipmodig opened this issue Oct 13, 2023 · 3 comments
Labels
area/settings (Issues related to our settings handling)
status/in-progress (This issue is currently being worked on)
type/support (User support related issues)

Comments


philipmodig commented Oct 13, 2023

Image I'm using:
bottlerocket-aws-k8s-1.27-x86_64-v1.15.1-264e294c
ami-05adb28df38a22464

What I expected to happen:
I want to load a CA bundle so I can connect to a registry that runs with self-signed certs.

What actually happened:
The node doesn't join the cluster and I get this error in the system log.

With the "-----BEGIN..." header/footer:

Starting Bottlerocket userdata configuration system...
[    4.167983] early-boot-config[953]: Error PATCHing '/settings?tx=bottlerocket-launch': Status 400 when PATCHing /settings?tx=bottlerocket-launch: Json deserialize error: Unable to deserialize into PemCertificateString: Invalid base64 input: Invalid byte 45, offset 0. at line 1 column 3361
[FAILED] Failed to start Bottlerocket userdata configuration system.

Without the "-----BEGIN..." header/footer:

Starting Bottlerocket userdata configuration system...
[    3.251956] early-boot-config[953]: Error PATCHing '/settings?tx=bottlerocket-launch': Status 400 when PATCHing /settings?tx=bottlerocket-launch: Json deserialize error: Unable to deserialize into PemCertificateString: Invalid PEM object: IO error: stream did not contain valid UTF-8 at line 1 column 3309
[FAILED] Failed to start Bottlerocket userdata configuration system.

How to reproduce the problem:
I have added the github.com CA bundle below just as an example and got the error above (but the same thing happens with our internal CA bundle). I have tried with and without -----BEGIN/END CERTIFICATE-----.

With the "-----BEGIN..." header/footer:

userData: |
  [settings.pki.mytrustedbundle]
  data="-----BEGIN CERTIFICATE-----MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBIeWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJqLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8vc6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAENjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgGBmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsYkDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hosVq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEhxRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==-----END CERTIFICATE-----"
  trusted=true

Without the "-----BEGIN..." header/footer:

userData: |
  [settings.pki.mytrustedbundle]
  data="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"
  trusted=true
philipmodig added the status/needs-triage (Pending triage or re-evaluation) and type/bug (Something isn't working) labels on Oct 13, 2023
@stmcginnis (Contributor) commented

Hi @philipmodig - one easy-to-overlook detail from the settings is:

Base64-encoded PEM-formatted certificates bundle

So from your example above, it looks like you are not base64-encoding the certificate data when adding it to the user data.

You will need to do something like:

$ cat mytrustedbundle | base64

Then use the output from that as the data value in the user data.

stmcginnis added the status/in-progress (This issue is currently being worked on), type/support (User support related issues) and area/settings (Issues related to our settings handling) labels and removed the type/bug (Something isn't working) and status/needs-triage (Pending triage or re-evaluation) labels on Oct 13, 2023

philipmodig commented Oct 13, 2023

> Hi @philipmodig - one easy-to-overlook detail from the settings is:
>
> Base64-encoded PEM-formatted certificates bundle
>
> So from your example above, it looks like you are not base64-encoding the certificate data when adding it to the user data.
>
> You will need to do something like:
>
> $ cat mytrustedbundle | base64
>
> Then use the output from that as the data value in the user data.

This worked for me, many thanks. The node starts now and I'm able to pull from our private container registry!

One small note, to help others with the same issue: I had to pipe to tr to remove the line breaks.

$ cat mytrustedbundle | base64 | tr -d '\n\r'

Thank you again

@stmcginnis (Contributor) commented

Great! Glad you got it working.

Sorry, a better command than the one I gave above, as an alternative to using tr, would be:

$ cat mytrustedbundle | base64 -w0

Basically the same thing, but that tells the base64 encoding to not include any line breaks in the output.
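The two error messages in the report map directly onto what the settings API expects, and the fix in the replies above (base64 of the whole PEM bundle, with the line wrapping stripped) can be checked before the node ever boots. The script below is an added example for this thread, not code from the Bottlerocket project or from either participant. It assumes GNU coreutils base64 (for the -d decode flag), uses a hypothetical settings name mytrustedbundle, and embeds a constructed placeholder "certificate" whose body is valid base64 but is not a real X.509 certificate. classify_bundle_value reproduces the two failure modes from the system log: raw PEM is rejected because '-' (byte 45) is not a base64 digit, and a bare certificate body decodes to binary DER rather than to a PEM object; encode_bundle_value and render_userdata produce the value the API accepts and the TOML fragment to put in user data.

```shell
#!/bin/sh
# Added example; not code from the Bottlerocket project or the issue's authors.
# Assumes GNU coreutils base64 (-d) and a hypothetical settings name
# "mytrustedbundle". The PEM below is a constructed placeholder: the body is
# valid base64 but it is not a real certificate.

SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bm90IGEgcmVhbCBjZXJ0
-----END CERTIFICATE-----'

# settings.pki.<name>.data wants the whole PEM bundle, headers included,
# base64-encoded on a single line. tr strips the line wrapping that base64
# inserts every 76 characters; GNU "base64 -w0" is the equivalent shortcut.
encode_bundle_value() {
  printf '%s\n' "$1" | base64 | tr -d '\n\r'
}

# Classify a candidate data value the way the two errors in the thread do:
#   not-base64          raw PEM was pasted: '-' (byte 45) is not a base64 digit
#   base64-but-not-pem  only the certificate body was pasted: it decodes to
#                       DER, which is binary and has no BEGIN/END CERTIFICATE
#   ok                  decodes to a PEM bundle
classify_bundle_value() {
  if ! printf '%s' "$1" | base64 -d >/dev/null 2>&1; then
    echo not-base64
    return 0
  fi
  if printf '%s' "$1" | base64 -d 2>/dev/null | grep -q -e '-----BEGIN CERTIFICATE-----' \
     && printf '%s' "$1" | base64 -d 2>/dev/null | grep -q -e '-----END CERTIFICATE-----'; then
    echo ok
  else
    echo base64-but-not-pem
  fi
}

# Emit the TOML user-data fragment for a bundle name and a PEM file's contents.
render_userdata() {
  name=$1
  pem=$2
  value=$(encode_bundle_value "$pem")
  printf '[settings.pki.%s]\n' "$name"
  printf 'data="%s"\n' "$value"
  printf 'trusted=true\n'
}

# Stand-alone run: the three cases from the thread, then the rendered fragment.
raw_body=$(printf '%s\n' "$SAMPLE_PEM" | grep -v -e '-----' | tr -d '\n\r')
echo "raw PEM:          $(classify_bundle_value "$SAMPLE_PEM")"
echo "raw base64 body:  $(classify_bundle_value "$raw_body")"
echo "base64 of PEM:    $(classify_bundle_value "$(encode_bundle_value "$SAMPLE_PEM")")"
render_userdata mytrustedbundle "$SAMPLE_PEM"
```

Usage: replace SAMPLE_PEM with the contents of your own bundle file (for example `render_userdata mytrustedbundle "$(cat mytrustedbundle)"`) and paste the output into user data. Running `classify_bundle_value` on an existing data value is a quick way to tell which of the two log errors you are about to hit.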
