Hi Nathan, 

Thanks for the hint.

The result of the command is:

Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

So, when I compare this to the certificate that my minikube installation 
uses, the SSL client part is missing and should be set to yes probably. 


I cannot compare it to the certificate automatically added to my kubectl 
config file when creating the cluster because I have no idea how to make a 
valid certificate ascii file from the stuff in the kubectl config.


So the question was, how can I create a certificate / certificate request / 
key?


It turned out to be:

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $CERTIFICATE_NAME
spec:
  groups:
  - system:authenticated
  request: $(cat $CSR_FILE | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF


Where the last line "client auth" used to be "server auth" before.

With client auth it works now! Thanks for the hint.


Henning
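As an added example (not code from the thread or from Kubernetes), the script below turns the two steps of this reply into checks a practitioner can reuse: a function that reads the `openssl x509 -purpose -noout` listing and succeeds only when the "SSL client" purpose is Yes, and a function that renders the CertificateSigningRequest manifest with "client auth" in spec.usages. The user name "jenkins", the group "devs" and the embedded purpose listings are constructed sample values. The kube-apiserver signer takes the key usages from spec.usages of the CSR object, not from extensions inside the PEM CSR, which is why editing the CSR alone did not change the result.

```shell
#!/bin/sh
# Added example, not from the thread: verify a client certificate's purpose
# and render a CSR manifest that asks for "client auth" instead of
# "server auth". Names (jenkins, devs) and the sample listings are constructed.
set -eu

# Read "openssl x509 -in cert.crt -purpose -noout" output on stdin and succeed
# only if the certificate may act as an SSL/TLS client. A "No" here is what
# the API server reports as "certificate specifies an incompatible key usage".
has_client_purpose() {
    grep -q '^SSL client *: *Yes'
}

# Generate a key and CSR for a Kubernetes user (CN) in a group (O).
# No key-usage extension is added on purpose: the cluster signer decides the
# usages from spec.usages of the CSR object. Needs openssl; not run below.
make_client_csr() {
    user=$1
    group=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$user.key" -out "$user.csr" \
        -subj "/CN=$user/O=$group"
}

# Print the CSR manifest for name $1 with the single-line base64 CSR in $2.
# Same layout as the working manifest in the thread. On clusters that serve
# certificates.k8s.io/v1, add "signerName: kubernetes.io/kube-apiserver-client"
# under spec as well.
render_csr_manifest() {
    name=$1
    request=$2
    cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  groups:
  - system:authenticated
  request: $request
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Full flow against a live cluster (commands not executed here):
#   make_client_csr jenkins devs
#   REQ=$(base64 < jenkins.csr | tr -d '\n')
#   render_csr_manifest jenkins "$REQ" | kubectl create -f -
#   kubectl certificate approve jenkins
#   kubectl get csr jenkins -o jsonpath='{.status.certificate}' | base64 -d > jenkins.crt
#   openssl x509 -in jenkins.crt -purpose -noout | has_client_purpose && echo "client cert OK"

# Constructed samples: the purpose lines of a server-only certificate (as in
# the thread) versus one issued with "client auth".
SERVER_ONLY='Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No'
CLIENT_OK='Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No'

if printf '%s\n' "$SERVER_ONLY" | has_client_purpose; then
    echo "server-only cert: SSL client purpose present (unexpected)"
else
    echo "server-only cert: no SSL client purpose, the API server will reject it"
fi
if printf '%s\n' "$CLIENT_OK" | has_client_purpose; then
    echo "client cert: SSL client purpose present"
fi

# Render the manifest with a constructed request value.
render_csr_manifest jenkins "$(printf 'constructed-csr' | base64 | tr -d '\n')"
```

Pipe the real certificate through `has_client_purpose` after approval; if it fails, the CSR object was created with the wrong usages and must be deleted and recreated, since spec.usages cannot be edited after the certificate is issued.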




On Thursday, September 28, 2017 at 5:51:24 PM UTC+2, Nathan Taylor wrote:
>
> It's interesting that the logs are stating that it is a keyusage error. 
> Can you get the keyusage for your generated cert and the ca.crt you used to 
> generate it? The command to do so is:
>
> openssl x509 -in <certificate to check> -purpose -noout -text
>
> Nathan
>
>
>
> On Wednesday, September 27, 2017 at 6:39:54 AM UTC-6, Henning Sprang wrote:
>>
>> Hi,
>>
>> After setting up a small cluster I want to enable other users (and a 
>> Jenkins server running outside the cluster) to access the cluster and manage 
>> deployments, preferably with its own namespace for each application 
>> consisting of multiple services.
>>
>> So taking the information from 
>> https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access
>> and https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ I 
>> figured out I have to create a user with this script: 
>>
>> https://gist.github.com/henning/2dda0b704426c66e78e355703a8dc177
>>
>> The problem is, when I try to run a command with this user/certificate, I 
>> keep getting errors - on the command line:
>>
>> "error: You must be logged in to the server (the server has asked for the 
>> client to provide credentials)"
>>
>> and even if this sounds like the client didn't even send a certificate, 
>> in the log of the api server it says:
>>
>> "E0926 22:00:34.165133       5 authentication.go:58] Unable to 
>> authenticate the request due to an error: x509: certificate specifies an 
>> incompatible key usage"
>>
>> so actually it seems like the client sends a certificate, but it's 
>> somehow not correct/sufficient.
>>
>> I searched the web to find out what to do about it and tried multiple 
>> things (for example adding a Usage extension to the CSR, switching between 
>> creating the key and certificate request with the openssl client as well as 
>> cfssl, and with different versions of openssl on macOS and Linux) - all 
>> with the same result.
>>
>> So, my questions:
>>
>> * any further thing I can check for to solve this?
>> * is the way I try to do it generally right, or would it be better/easier 
>> to create a password file like described here? 
>> https://kubernetes.io/docs/admin/authentication/#static-password-file
>>
>> Thanks in advance, and please let me know if there is any more 
>> information needed that I might have forgotten.
>>
>> Henning
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Kubernetes user discussion and Q&A" group.