RKE2 api-server throws x509 validation error complaining it doesn't contain any IP SANs #3270
Comments
|
You haven't included the actual error message that you're seeing; can you include the error logs in question? Working only from your description this sounds like a problem with the certificate on your keycloak server, as opposed to anything wrong with RKE2. Ensure that the certificate has all the correct SANs on it. |
|
Figured it out. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Environmental Info:
RKE2 Version:
rke2 version v1.23.4+rke2r1 (ea0e129)
go version go1.17.5b7
Node(s) CPU architecture, OS, and Version:
Linux mw-rg24-gc 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Cluster Configuration:
1 node setup
Describe the bug:
I am trying to integrated keycloak as an OIDC provider with rke2 kube-apiserver. Kube-apiserver is throwing x509 errors while trying to connect to the issuer url.
Steps To Reproduce:
Installed rke2 with: curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.23.4+rke2r1 sh -
and config:
[root ~]# cat /etc/rancher/rke2/config.yaml
tls-san:
Expected behavior:
At least the communication should start when with the OIDC issuer when the certs are signed by the common CA.
Actual behavior:
The api-server is failing to validate the cert.
The text was updated successfully, but these errors were encountered: