Microk8s: Dashboard invalid certificate

Created on 20 Mar 2020 · 13 Comments · Source: ubuntu/microk8s

When I execute microk8s.enable dashboard, is there a way to pass certificates? The current certificate is invalid and Chrome doesn't allow me to access the dashboard.

I get the following error, and I cannot accept the risks anymore. On Firefox I can still access it.

Your connection is not private
Attackers might be trying to steal your information from strzyga.abasag.intra (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_INVALID

All 13 comments

Hi @toshovski

Chrome blocks self-signed certificates. This might help you: https://github.com/ubuntu/microk8s/issues/945#issuecomment-593843714

Not all of them. The dashboard is signing a bad certificate. Is there a way to pass my own certificate by using microk8s.enable dashboard?

This is what it looks like:

The certificate:
image

The page:
image

When I add a CN to the certificate, Google Chrome still allows me to proceed.

The certificate:
image

The page:
image

I could disable the certificate check as a workaround for now, but this is not a solution.

Same here (microk8s 1.18), dashboard (v2.0.0-rc5) certificate is invalid even if I curl to the service locally. How did you manage to fill the common name and generate a new certificate?

```
$ kubectl -n kube-system describe service kubernetes-dashboard|grep Endpoints
Endpoints:         10.1.88.29:8443

curl https://10.1.88.29:8443
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

$ curl -kv https://10.1.88.29:8443
* Rebuilt URL to: https://10.1.88.29:8443/
*   Trying 10.1.88.29...
* Connected to 10.1.88.29 (10.1.88.29) port 8443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 603 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
* error fetching CN from cert:The requested data were not available.
*        common name:  (does not match '10.1.88.29')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: EC
*        certificate version: #3
*        subject: 
*        start date: Tue, 21 Apr 2020 11:11:09 GMT
*        expire date: Wed, 21 Apr 2021 11:11:09 GMT
*        issuer: 
*        compression: NULL
```

The problem is that the self-signed certificate does not use the subjectAltName. Following the advice in https://stackoverflow.com/a/43666288/329263 I was able to generate a certificate with all the needed hostnames/IPs (cluster IP, localhost, LAN IP/name), replace the secret kubernetes-dashboard-certs and specify it in the kubernetes-dashboard configuration as advised in https://github.com/kubernetes/dashboard/blob/master/docs/user/certificate-management.md#self-signed-certificate. Finally I'm able to access the dashboard via the kube proxy.

```
./create_root_cert_and_key.sh
./create_certificate_for_domain.sh localhost 127.0.0.1
mv .crt dashboard.crt

kubectl -n kube-system delete secret kubernetes-dashboard-certs
kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=dashboard.crt --from-file=device.key
kubectl -n kube-system edit deploy kubernetes-dashboard -o yaml
```

add:

```
- args:
  - --tls-cert-file=/dashboard.crt
  - --tls-key-file=/device.key
```

```
openssl s_client -showcerts -connect :443

kubectl port-forward -n kube-system service/kubernetes-dashboard 10443:443 --address 0.0.0.0

desktop$ open https://
```

I am having this same problem. I had to use an old version of Firefox to access the dashboard. I even added the cert to my macOS Keychain Access and said trust, and Chrome still didn't like it.

I tried running the scripts in comment https://github.com/ubuntu/microk8s/issues/1046#issuecomment-617190819, but it didn't generate a dashboard.crt, so I got stuck.

I installed microk8s yesterday, latest/edge channel, and I got the same certificate error.
Changing Chrome to accept self-signed certificates doesn't help. Based on what I read in #945 and in PR #970, I still need to adjust certificates on the machine Kubernetes is running on.
For me, who doesn't like to deal with certificates, it is a bad user experience to face this, especially with the promise of zero-ops Kubernetes.

https://github.com/kubernetes/dashboard/issues/2995#issuecomment-551309479
This worked
namespace may be different (kube-system)

This is blocking me as well

Chrome Quick-Fix:
Go to chrome://flags/#allow-insecure-localhost
And enable "Allow invalid certificates for resources loaded from localhost."

Just installed microk8s dashboard on the latest snap --classic microk8s channel. Have the same problem. The dashboard cert is invalid and can't get any browser to use it. This needs to get fixed.

Same problem here. Installed microk8s from the edge channel. Started the dashboard and cannot access it via Chrome. Even the workaround with "Allow invalid certificates for resources loaded from localhost." is not allowing me to access the dashboard.

Here is a quick dump of the presented certificate made with the openssl s_client:

openssl s_client -connect 10.152.183.176:443
CONNECTED(00000005)
depth=0 
verify error:num=18:self signed certificate
verify return:1
depth=0 
verify return:1
---
Certificate chain
 0 s:
   i:
---
Server certificate
subject=

issuer=

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 615 bytes and written 380 bytes
Verification error: self signed certificate

So besides the cert being self-signed, it is virtually empty? No subject, no issuer. At least it is valid for one year. :D

My microk8s was installed using --classic and here's what works for me:

```
# generate a key and CSR, then self-sign the certificate (files land in certs/)
mkdir certs
openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=*"
openssl x509 -req -sha256 -days 3650 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt

# replace the dashboard's certificate secret; the files were written to certs/, so reference them there
kubectl -n kube-system delete secret kubernetes-dashboard-certs
kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=certs/dashboard.crt --from-file=certs/dashboard.key
kubectl -n kube-system edit deploy kubernetes-dashboard -o yaml

# modify section args as follows
          args:
            - --tls-cert-file=/dashboard.crt
            - --tls-key-file=/dashboard.key
            #- --auto-generate-certificates
```
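
Added example (not part of the thread or of microk8s): the diagnosis above that the certificate lacks subjectAltName, and the openssl recipe in the last comment, both turn on which names the certificate actually carries. This sketch issues a self-signed certificate with explicit SAN entries and lists the names it does not cover; the CN, the file names and `dashboard.lan.example` are constructed, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example; the CN, file names and sample names below are constructed.

# make_dashboard_cert DIR SAN_LIST
# Writes DIR/dashboard.key and DIR/dashboard.crt, self-signed, with a
# subjectAltName extension. SAN_LIST uses OpenSSL syntax: "DNS:a,IP:1.2.3.4".
make_dashboard_cert() {
    dir=$1 san=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = kubernetes-dashboard
[v3]
subjectAltName = $san
EOF
    # umask keeps the private key readable by the current user only.
    (umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$dir/san.cnf" -keyout "$dir/dashboard.key" \
        -out "$dir/dashboard.crt" 2>/dev/null)
}

# cert_covers CERT NAME: succeeds only if NAME (hostname or IP) matches CERT.
cert_covers() {
    case $2 in
        *:*)        flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*)  flag=-checkhost ;;  # anything else non-numeric is a hostname
        *)          flag=-checkip ;;    # dotted IPv4
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match certificate'
}

# missing_names CERT NAME...: prints each NAME that CERT does not cover.
missing_names() {
    cert=$1; shift
    for n in "$@"; do
        cert_covers "$cert" "$n" || printf '%s\n' "$n"
    done
}

# Demo: names a port-forwarded dashboard is reached by, plus one left out.
work=$(mktemp -d)
make_dashboard_cert "$work" "DNS:localhost,IP:127.0.0.1"
missing_names "$work/dashboard.crt" localhost 127.0.0.1 dashboard.lan.example
rm -rf "$work"
```

Running `missing_names` against the certificate currently stored in `kubernetes-dashboard-certs` shows which of the addresses you browse to would still fail name matching.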