Remote kubectl x509: certificate is valid for 127.0.0.1 #1381
Comments
Did you note the
|
Thanks, |
By default it seems to add a bunch of SANs, including one for the eth0 address. Did you pass it any odd arguments that might have changed that?
If you want to change it, I think you need to reinstall from scratch since it only generates the certificate on initial startup or when it's about to expire. |
Thanks, it's working now: To give a little more context, the server is a Scaleway cloud instance. But what I don't understand is that I have an older cloud instance, where I installed k3s a few months ago, and didn't have to do that. Anyway. Thanks again. |
Thanks a lot for the snippet! That helped a lot! |
It would be good to have the option to change the SANs without reinstalling the cluster |
I'd love this as well |
hey @brandond Is there any way to just add a new IP using flag |
FYI, I've solved my issue without re-installing my cluster by editing the secret:
You will see something like this:
If you want to add IP
Hope it helps! |
@MichaelBui How did you recreate the secret with that annotation applied? After adding that annotation, I restarted k3s and checked the secret contents by base64 decoding it and then running it through |
@gesarki I edit the secret directly. Even after I started (embedded k3s inside FreeNAS SCALE), the annotation is still there & I can connect using my Lens as normal |
Can I add multiple SANs using this option? |
@MichaelBui Hi, I did as you wrote, but it didn't help. I added my external IP in secrets, I restarted k3s, but I can't connect to k3s with kubectl from my local station, the same error. |
I tried all sorts of approaches (without reinstalling k3s), and none of them succeeded. In the end I disabled metrics-server in k3s and then installed it manually using the metrics-server-components.yaml file, which worked. Note that you need to add the --kubelet-insecure-tls parameter under .spec.template.spec.containers.args |
FYI, I've solved my issue without re-installing my cluster by editing
and
k3s version
you can try it |
after changing the
and the new certificate was right. source |
On Rancher Desktop 1.7.0 on a Mac, can confirm this workaround with the modification of editing |
Also don't forget to copy the secrets/k3s-serving tls.crt base64 data into your local kubeconfig clusters->cluster->certificate-authority-data after the secret has been regenerated. (It took me one hour to understand why it was still failing.) |
I just want to add this here for anyone that may run into a similar issue as me. In my situation, there was already an annotation for the problematic IP address. I discovered this when I tried to add the annotation for it as suggested by @MichaelBui. So what worked for me was to simply restart the server using |
Error message:
```
Get "https://192.168.60.160:6443/version": tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.121.102, ::1, not 192.168.60.160
```
See k3s-io/k3s#1381 for more context.
Version:
k3s version v1.17.2+k3s1 (cdab19b)
kubectl v1.17.2
Describe the bug
I just did a fresh k3s install, and it's working fine locally.
And I'm trying to connect the server remotely.
I did a copy of the k3s.yaml locally, updated the server ip.
But when I run kubectl get all I get the following error:
Unable to connect to the server: x509: certificate is valid for 10.43.0.1, 127.0.0.1, not [remote ip]
Thanks for your help.
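
An added example (not part of the original issue or of the k3s project): a shell check, using the openssl CLI, of whether a serving certificate's SANs cover the address a kubeconfig `server:` entry points at, which is the condition behind the error above. The sample certificate is constructed to mirror the SANs in the error message, the function names are illustrative, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: does a certificate's SAN list cover a given IP address?
# For a live API server, save its certificate first (HOST is a placeholder):
#   openssl s_client -connect HOST:6443 </dev/null 2>/dev/null | openssl x509 -out cert.pem

# Build a throwaway self-signed certificate whose IP SANs mirror the issue
# (10.43.0.1 and 127.0.0.1). Constructed sample, not a real k3s certificate.
make_sample_cert() {
    out_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=k3s-sample" \
        -addext "subjectAltName=IP:10.43.0.1,IP:127.0.0.1" \
        -keyout "$out_dir/key.pem" -out "$out_dir/cert.pem" 2>/dev/null
}

# Print the IP and DNS SAN entries of a PEM certificate, one per line.
list_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' |
        sed -n -e 's/^ *IP Address://p' -e 's/^ *DNS://p'
}

# Return 0 if the certificate is valid for the given IP, 1 otherwise.
# The printed verdict is parsed because the exit status of -checkip
# differs between OpenSSL versions.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>&1 |
        grep -q 'does match certificate'
}

# Demo: 127.0.0.1 is in the SANs, the remote address from the error is not.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
echo "SANs in certificate:"
list_sans "$tmp/cert.pem"
for ip in 127.0.0.1 192.168.60.160; do
    if cert_covers_ip "$tmp/cert.pem" "$ip"; then
        echo "$ip: covered by SANs"
    else
        echo "$ip: NOT in SANs, kubectl will reject this server address"
    fi
done
rm -rf "$tmp"
```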