Hi Nathan,

Thanks for the hint.

The result of the command is:

    Certificate purposes:
    SSL client : No
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : No
    S/MIME signing CA : No
    S/MIME encryption : No
    S/MIME encryption CA : No
    CRL signing : No
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No

So, when I compare this to the certificate that my minikube installation uses, the SSL client part is missing and should be set to yes, probably. I cannot compare it to the certificate automatically added to my kubectl config file when creating the cluster because I have no idea how to make a valid certificate ASCII file from the stuff in the kubectl config.

So the question was, how can I create a certificate / certificate request / key? It turned out to be:

    cat <<EOF | kubectl create -f -
    apiVersion: certificates.k8s.io/v1beta1
    kind: CertificateSigningRequest
    metadata:
      name: $CERTIFICATE_NAME
    spec:
      groups:
      - system:authenticated
      request: $(cat $CSR_FILE | base64 | tr -d '\n')
      usages:
      - digital signature
      - key encipherment
      - client auth
    EOF

where the last line "client auth" used to be "server auth" before. With client auth it works now!

Thanks for the hint.

Henning

On Thursday, September 28, 2017 at 5:51:24 PM UTC+2, Nathan Taylor wrote:
>
> It's interesting that the logs are stating that it is a keyusage error.
> Can you get the keyusage for your generated cert and the ca.crt you used to
> generate it? The command to do so is:
>
>     openssl x509 -in <certificate to check> -purpose -noout -text
>
> Nathan
>
>
> On Wednesday, September 27, 2017 at 6:39:54 AM UTC-6, Henning Sprang wrote:
>>
>> Hi,
>>
>> After setting up a small cluster I want to enable other users (and a
>> Jenkins server running outside the cluster) to access the cluster and
>> manage deployments, preferably with its own namespace for each application
>> consisting of multiple services.
>>
>> So taking the information from
>> https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access
>> and https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ I
>> figured out I have to create a user with this script:
>>
>> https://gist.github.com/henning/2dda0b704426c66e78e355703a8dc177
>>
>> The problem is, when I try to run a command with this user/certificate, I
>> keep getting errors - on the command line:
>>
>>     "error: You must be logged in to the server (the server has asked for
>>     the client to provide credentials)"
>>
>> and even if this sounds like the client didn't even send a certificate,
>> in the log of the API server it says:
>>
>>     "E0926 22:00:34.165133 5 authentication.go:58] Unable to
>>     authenticate the request due to an error: x509: certificate specifies
>>     an incompatible key usage"
>>
>> so actually it seems like the client sends a certificate, but it's
>> somehow not correct/sufficient.
>>
>> I searched the web to find out what to do about it and tried multiple
>> things (for example adding a Usage extension to the CSR, switching between
>> creating the key and certificate request with the openssl client as well as
>> cfssl, and with different versions of openssl on macOS and Linux) - all
>> with the same result.
>>
>> So, my questions:
>>
>> * any further thing I can check for to solve this?
>> * is the way I try to do it generally right, or would it be better/easier
>>   to create a password file like described here?
>>   https://kubernetes.io/docs/admin/authentication/#static-password-file
>>
>> Thanks in advance, and please let me know if there is any more
>> information needed that I might have forgotten.
>>
>> Henning
>>
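The procedure the thread converges on, end to end, as an added example that is not part of the thread, the linked gist or any Kubernetes project code: generate the user's key and CSR with openssl, submit it through the certificates.k8s.io API with the "client auth" usage, approve it, and check the issued certificate's purpose with `openssl x509 -purpose` before wiring it into kubectl. It assumes kubectl is already pointed at a cluster where the caller may approve CSRs, that openssl is on PATH, and that the group `developers` in the subject is whatever your RBAC bindings expect (all of these are assumptions, not values from the thread).

```shell
#!/bin/sh
# Added example, not code from the thread: issue a Kubernetes user certificate
# that carries the client-auth usage and verify it before adding it to kubectl.
set -eu

# Return 0 when `openssl x509 -purpose` output (read from stdin) reports that
# the certificate is usable as an SSL/TLS client; non-zero otherwise. This is
# the line that read "SSL client : No" in the thread's failing certificate.
has_client_purpose() {
  grep -qE '^SSL client[[:space:]]*:[[:space:]]*Yes'
}

# Print a CertificateSigningRequest manifest for the given name and base64 CSR.
# "client auth" (not "server auth") is what makes the API server accept the
# resulting cert as a client credential.
csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  groups:
  - system:authenticated
  request: $2
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Full procedure: $1 is the user name (becomes the certificate CN and the
# Kubernetes user), $2 is the cluster name already present in the kubeconfig.
issue_user_cert() {
  openssl genrsa -out "$1.key" 2048
  # CN is the username; O becomes the group RBAC role bindings can refer to
  # ("developers" is an assumed group name).
  openssl req -new -key "$1.key" -subj "/CN=$1/O=developers" -out "$1.csr"
  csr_manifest "$1" "$(base64 < "$1.csr" | tr -d '\n')" | kubectl create -f -
  kubectl certificate approve "$1"
  # macOS base64 older than 10.15 spells the decode flag -D instead of -d.
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$1.crt"
  # Stop here if the issued cert lacks the client purpose: using it anyway is
  # what produces "x509: certificate specifies an incompatible key usage".
  if ! openssl x509 -in "$1.crt" -purpose -noout | has_client_purpose; then
    echo "issued certificate for $1 is not valid for client auth" >&2
    return 1
  fi
  kubectl config set-credentials "$1" \
    --client-certificate="$1.crt" --client-key="$1.key" --embed-certs=true
  kubectl config set-context "$1@$2" --cluster="$2" --user="$1"
}

# Run the procedure only when a user and cluster name are given on the
# command line, so the file can also be sourced for its functions.
if [ "$#" -ge 2 ]; then
  issue_user_cert "$1" "$2"
fi
```

Run it as `sh issue_user_cert.sh alice mycluster`, then `kubectl --context alice@mycluster get pods` to confirm the API server accepts the certificate; the `has_client_purpose` check is the same one Nathan's `openssl x509 -purpose` command performs by eye, applied before the certificate is ever put into a kubeconfig.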