jetstack/kube-oidc-proxy

"x509: certificate signed by unknown authority" when using Ingress

robertgates55 opened this issue · 3 comments

I've set up kube-oidc-proxy and enabled ingress with cert-manager generating letsencrypt certs for the endpoint. I used the helm chart to deploy.

However, when I try & connect with my generated kubeconfig, the CA obviously doesn't match up - I'm providing the root CA from my EKS cluster (sourced from /var/run/secrets...etc) to an endpoint that's got letsencrypt certs:

>>> kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority

What's the correct way to set this up? Is it actually possible to use ingress with ACME certs or is that my issue?

Hi @robertgates55,

I guess this is a question of where TLS is getting terminated. Are you serving your kube-oidc-proxy without TLS and having it terminated at your ingress controller?

It looks like you'll want to set the certificate authority in your kubeconfig to that of Let's Encrypt's CA.

Thanks Josh - dug a little further & now have it working with a service of type:LB & certs generated with cert-manager (then using the letsencrypt CA to log in as you suggested)

Suggests maybe the docs could do with a little more detail - but happy to close in the meantime.