ACM certificate x509: certificate is valid for <DOMAIN>, not elb.amazonaws.com #6290
Comments
@Raffo Tagging you here in reference to #5414 (comment) Let me know if you want to know anything else. |
@Raffo Any updates on this? |
Sorry, didn't have the chance to have a look at this, I'll try to take a
look this weekend.
…On Wed, Jan 16, 2019 at 3:34 PM Abhyudit Jain ***@***.***> wrote:
@Raffo <https://github.com/Raffo> Any updates on this?
--
Raffaele Di Fazio
|
@Raffo Sure. Let me know if I have to make any changes or if you can share your config with me that should work, I would be grateful. |
@Raffo Did you get a chance to look at it? |
Yes, stuck on same |
Sorry, didn't have time to look into this issue :-( Of course everyone can
work on a fix, but I'll try to give it a shot in the next few days.
…On Wed, Feb 6, 2019 at 2:30 PM Harminder Virk ***@***.***> wrote:
Yes, stuck on same
--
Raffaele Di Fazio
|
Hi @abhyuditjain @thetutlage, I finally had some time to review this issue and try to debug it myself. Given that information I was able to reproduce your issue and demonstrate that with the correct combination of cert it does work. In case you believe that this is not clear (which is probably true), feel free to provide a PR with documentation! Hope this helps and you can resume working with kops and real certificates ;-) |
@Raffo @thetutlage I found the issue. It's not with kops. You have to manually update the file located at |
Can you explain specifically with your example? I meet the same issue and do not follow what you mean, thank you. |
@arboat When you create a cluster, an ELB is created whose CNAME is like this
But the ACM certificate is for your domain. Hence the error. So you should make a CNAME record pointing it to ELB and use the new CNAME in the |
For anyone stumbling across this issue, you might still be using private DNS like we were, and this is the block that's causing the mismatch when generating the |
Another option (which I found out the hard way gives the same error) is if you give your kube nodes a hostname naming scheme that's resolvable by a wildcard DNS record but isn't pointed to them (having the node named |
1. What kops version are you running? The command kops version, will display this information.
1.11.0
2. What Kubernetes version are you running? kubectl version will print the version if a cluster is running or provide the Kubernetes version specified as a kops flag.
1.13.1
3. What cloud provider are you using?
AWS
4. What commands did you run? What is the simplest way to reproduce this issue?
5. What happened after the commands executed?
The validate cluster failed. Also, I can't do rolling-update.
6. What did you expect to happen?
Successful validation.
7. Please provide your cluster manifest. Execute kops get --name my.example.com -o yaml to display your cluster manifest. You may want to remove your cluster name and other sensitive information.
8. Please run the commands with most verbose logging by adding the -v 10 flag. Paste the logs into this report, or in a gist and provide the gist link here.
9. Anything else do we need to know?
The problem I think is that, the certificate I am using is for my domain, but the AWS issues its own domain for ELB that is used to communicate with the master, so there's SSL mismatch.