Kubespray: Using etcdctl member list, but get bad TLS certificate

Created on 12 Oct 2018 · 1 Comment · Source: kubernetes-sigs/kubespray

Not sure if this is an issue or not. After I built a K8S HA cluster, I just wanted to list the etcd members to get the etcd instance ID, so I issued

etcdctl --endpoint https://x.x.x.x:2379 member list

but got the response

"client: etcd cluster is unavailable or misconfigured; error #0: remote error: tls: bad certificate"

After I googled, some said I need to specify the CA like this:

etcdctl --endpoint https://x.x.x.x:2379 --ca-file=ca.pem --cert-file=admin-k8s-m1.pem --key-file=admin-k8s-m1-key.pem member list

but I still get an error message:

"client: etcd cluster is unavailable or misconfigured; error #0: x509: certificate signed by unknown authority"

Sorry, I don't know how to fix it. Any help is appreciated ~

Most helpful comment

I found the cause: I had specified the wrong CA path. Here is how I solved it:
1: cat /etc/etcd.env, which shows the CA, cert, and key paths:

# TLS settings

ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ssl/ca.pem
ETCD_CERT_FILE=/etc/ssl/etcd/ssl/member-k8s-m1.pem
ETCD_KEY_FILE=/etc/ssl/etcd/ssl/member-k8s-m1-key.pem
ETCD_CLIENT_CERT_AUTH=true

Then I ran the command again:

etcdctl --endpoints https://x.x.x.x:2379 --ca-file=/etc/ssl/etcd/ssl/ca.pem --cert-file=/etc/ssl/etcd/ssl/member-k8s-m1.pem --key-file=/etc/ssl/etcd/ssl/member-k8s-m1-key.pem member list

and the result gives the member ID ~
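
The fix above, as an added example that is not part of the original thread: read the certificate paths from the env file instead of typing them by hand, and build the same etcdctl flags from them. The function names, the script arguments and the openssl check are assumptions of this example; the sample file is constructed from the settings quoted above.

```shell
#!/bin/sh
# Added example: build etcdctl's TLS flags from the etcd env file.

# Constructed sample mirroring the settings quoted in the comment above.
sample_env() {
    cat <<'EOF'
# TLS settings
ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ssl/ca.pem
ETCD_CERT_FILE=/etc/ssl/etcd/ssl/member-k8s-m1.pem
ETCD_KEY_FILE=/etc/ssl/etcd/ssl/member-k8s-m1-key.pem
ETCD_CLIENT_CERT_AUTH=true
EOF
}

# env_value FILE KEY: print KEY's value (last assignment wins, quotes stripped).
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# etcdctl_tls_args FILE: print the v2-style flags used on this page;
# fail if any of the three settings is absent.
etcdctl_tls_args() {
    ca=$(env_value "$1" ETCD_TRUSTED_CA_FILE)
    cert=$(env_value "$1" ETCD_CERT_FILE)
    key=$(env_value "$1" ETCD_KEY_FILE)
    for v in "$ca" "$cert" "$key"; do
        [ -n "$v" ] || { echo "missing TLS setting in $1" >&2; return 1; }
    done
    printf '%s\n' "--ca-file=$ca --cert-file=$cert --key-file=$key"
}

# chain_ok CA CERT: succeed only if CERT verifies against CA. A failure is
# consistent with the "certificate signed by unknown authority" error.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage (assumed): script.sh /etc/etcd.env https://x.x.x.x:2379
if [ "$#" -eq 2 ]; then
    args=$(etcdctl_tls_args "$1") || exit 1
    chain_ok "$(env_value "$1" ETCD_TRUSTED_CA_FILE)" \
             "$(env_value "$1" ETCD_CERT_FILE)" ||
        echo "warning: member cert does not verify against the CA" >&2
    echo "etcdctl --endpoints $2 $args member list"
fi
```

The script only prints the command for review; the key file it names is readable only by privileged users on the node, so the printed command has to be run with matching privileges.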
