[Helm+Tiller TLS configuration] - Error: remote error: tls: bad certificate #3735
Comments
Ok, I have got my own answer and it is not related to Helm. When you submit a CSR to a CA, the certificate returned by the CA specifies the following extension:
If that is False you cannot use this certificate to sign others; to do so you need a TRUE value here, and that is not going to happen, because then you would be able to create a fake certificate for any site. Surprisingly, many early SSL implementations in early browsers and even some early versions of OpenSSL did not check the basic constraints field of the certificates in a certificate chain, so this was a vulnerability that could be exploited. You can see the extension of your cert by using an openssl command against your cert like this. I recommend using Vault (or similar) as a Certificate Authority to create self-signed certs for this purpose.
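To make the Basic Constraints point concrete, here is an added shell example (not from this thread or from the Helm project) that builds two self-signed certs, one with CA:TRUE and one with CA:FALSE, signs a Tiller server cert with each, and shows which chain `openssl verify` accepts. It assumes a stock `openssl` CLI; all names and files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Helm): a cert whose Basic Constraints
# say CA:FALSE cannot serve as the ca.cert.pem that signs a Tiller server cert.
# Assumes a stock openssl CLI; every name and file below is constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# write_cnf NAME CN CAFLAG: minimal openssl config with a basicConstraints section.
write_cnf() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n[ext]\nbasicConstraints=critical,CA:%s\n' \
    "$2" "$3" > "$WORK/$1.cnf"
}

# The check from the thread: print the Basic Constraints value of a certificate.
basic_constraints() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -1 | tr -d ' '
}

# make_ca NAME CAFLAG: self-signed cert with basicConstraints=CA:<CAFLAG>.
make_ca() {
  write_cnf "$1" "$1" "$2"
  openssl req -x509 -config "$WORK/$1.cnf" -extensions ext -newkey rsa:2048 -nodes \
    -days 1 -keyout "$WORK/$1.key.pem" -out "$WORK/$1.cert.pem" >/dev/null 2>&1
}

# sign_leaf CANAME: issue a tiller-server cert from a CSR using CA <CANAME>.
sign_leaf() {
  write_cnf "leaf" "tiller-server" "FALSE"
  openssl req -new -config "$WORK/leaf.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/tiller-$1.key.pem" -out "$WORK/tiller-$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/tiller-$1.csr" -CA "$WORK/$1.cert.pem" \
    -CAkey "$WORK/$1.key.pem" -CAcreateserial -out "$WORK/tiller-$1.cert.pem" >/dev/null 2>&1
}

# chain_ok CANAME: "yes" if the tiller cert verifies against CA <CANAME>, else "no".
chain_ok() {
  if openssl verify -CAfile "$WORK/$1.cert.pem" "$WORK/tiller-$1.cert.pem" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

make_ca goodca TRUE;  sign_leaf goodca
make_ca badca  FALSE; sign_leaf badca
for ca in goodca badca; do
  echo "$ca: $(basic_constraints "$WORK/$ca.cert.pem"), tiller cert verifies: $(chain_ok "$ca")"
done
```

The CA:FALSE chain is rejected with "invalid CA certificate", which is the same class of failure Helm reports as a bad certificate from the TLS handshake.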
Awesome writeup @andresguisado. Thanks! Do you think we can close this issue out now or is there some action item still missing here, either in docs or otherwise?
@bacongobbler, Maybe a note in the
Sure. Feel like writing that up?
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Closing due to inactivity
I've got a ca.cert.pem and ca.key.pem signed by a Trusted CA for my hello world domain and I have configured Helm-Tiller TLS following this doc:
https://github.com/kubernetes/helm/blob/master/docs/tiller_ssl.md
Basically what I did was the following:
Tiller is successfully deployed with TLS config and I can see the secret with their certs and ca.cert.pem
By the time helm is trying to communicate to tiller I am getting the following:
I checked all my certificates with the OpenSSL command to see the issuer and everything looks ok:
If I create a ca.cert.pem and ca.key.pem self-signed, as the official documentation does, everything works fine.
Using helm version 2.8.1.
Any idea on this?
Thank you!