Minikube: Downloading kubelet: x509: certificate signed by unknown authority

I get the same issue on MacOS but at the end of the url is : EOF

I am seeing the same: E0531 07:13:56.412331 2648 start.go:234] Error updating cluster: starting kubelet:

I got a similar but timeout error while starting the minikube:

root@user-VirtualBox:/home/user# sudo -E minikube start --vm-driver=none --bootstrapper=kubeadm
Starting local Kubernetes v1.10.0 cluster...
Starting VM...
Getting VM IP address...
Moving files into cluster...
Downloading kubeadm v1.10.0
Downloading kubelet v1.10.0
E0616 21:25:55.127459 11758 start.go:252] Error updating cluster: downloading binaries: downloading kubeadm: Error downloading kubeadm v1.10.0: failed to download: failed to download to temp file: download failed: 5 error(s) occurred:

• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: dial tcp [2404:6800:4002:804::2010]:443: connect: network is unreachable
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: dial tcp: lookup storage.googleapis.com on 127.0.1.1:53: read udp 127.0.0.1:55690->127.0.1.1:53: i/o timeout
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: dial tcp [2404:6800:4002:804::2010]:443: connect: network is unreachable
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: dial tcp: lookup storage.googleapis.com on 127.0.1.1:53: read udp 127.0.0.1:49320->127.0.1.1:53: i/o timeout
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: dial tcp: lookup storage.googleapis.com on 127.0.1.1:53: read udp 127.0.0.1:45945->127.0.1.1:53: i/o timeout

Hello, I also had a mistake to know. How should I solve it. Please help me to solve it
this is in the Centos7 System

[root@localhost bin]# minikube start
Starting local Kubernetes v1.10.0 cluster...
Starting VM...
Downloading Minikube ISO
153.08 MB / 153.08 MB [============================================] 100.00% 0s
Getting VM IP address...
Moving files into cluster...
Downloading kubeadm v1.10.0
Downloading kubelet v1.10.0
E0716 22:17:35.806802 1833 start.go:252] Error updating cluster: downloading binaries: downloading kubeadm: Error downloading kubeadm v1.10.0: failed to download: failed to download to temp file: download failed: 5 error(s) occurred:

• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: net/http: TLS handshake timeout
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: net/http: TLS handshake timeout
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: net/http: TLS handshake timeout
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: dial tcp 172.217.25.16:443: i/o timeout
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.10.0/bin/linux/amd64/kubeadm: dial tcp 172.217.25.16:443: i/o timeout
  E0716 22:18:01.036212 1833 util.go:151] Error uploading error message: : Post https://clouderrorreporting.googleapis.com/v1beta1/projects/k8s-minikube/events:report?key=AIzaSyACUwzG0dEPcl-eOgpDKnyKoUFgHdfoFuA: read tcp 192.168.43.100:33806->172.217.24.42:443: read: connection reset by peer

I'm having the same issues as the above.

hello，friends,I also meet this problem:Error updating cluster: downloading binaries: downloading kubeadm: Error downloading kubeadm v1.10.0: failed to download: failed to download to temp file: failed to copy contents: read: operation timed out

I stop minikube and restart minikube,this question does'n appear,you can also try this way.
@Natarajan77 @aadhiyogi @irdara

it's also possible your inernet is not very good,please try many times

@liqiang75 is right. I've tried a few times and finally it works.
You can repeat the following commands over and over again till it's successful. Though, personally, I don't think it's preferable but it works.

$ minikube delete 
$ rm -rf ~/.minikube
$ minikube start

However, I would suggest that the k8s team to put the artifacts onto a server(perhaps mirrors) that's also accessible for some particular countries.

This sounds like a host or network misconfiguration. Do you mind sharing the output of:

 curl -iv  https://storage.googleapis.com

Thanks!

curl -iv https://storage.googleapis.com

• Rebuilt URL to: https://storage.googleapis.com/
• Trying 172.217.11.176...
• Connected to storage.googleapis.com (172.217.11.176) port 443 (#0)
• found 148 certificates in /etc/ssl/certs/ca-certificates.crt
• found 597 certificates in /etc/ssl/certs
• ALPN, offering http/1.1
• SSL connection using TLS1.2 / RSA_AES_256_GCM_SHA384
• server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
• Closing connection 0
  curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
  More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

@RajeshBhojwani - I suspect that either the /etc/ssl/certs files on this system are too old for usage, or that there is a bad proxy which is intercepting and rewriting outgoing SSL certificates. Either way, if curl fails, there is a system misconfiguration that needs to be addressed.

One way to help debug the issue is to use:

echo | openssl s_client -connect storage.googleapis.com:443 \
  | egrep "^subject=|^issuer="

On my machine, I get the following output:

depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.storage.googleapis.com
verify return:1
DONE
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.storage.googleapis.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3

If you see a different list of issuers, something is intercepting your outgoing requests.

If you see the same list of issuers, I suspect you may need to update your locally installed certificates.

We are also facing same issue, is there any work around present for this issue?

[root@minikube ~]# minikube start --vm-driver=none
Starting local Kubernetes v1.13.2 cluster...
Starting VM...
Getting VM IP address...
Moving files into cluster...
Downloading kubeadm v1.13.2
Downloading kubelet v1.13.2
E0122 13:58:12.067076 26586 start.go:302] Error updating cluster: downloading binaries: downloading kubelet: Error downloading kubelet v1.13.2: failed to download: failed to download to temp file: download failed: 5 error(s) occurred:

• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.13.2/bin/linux/amd64/kubelet: proxyconnect tcp: EOF
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.13.2/bin/linux/amd64/kubelet: proxyconnect tcp: EOF
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.13.2/bin/linux/amd64/kubelet: proxyconnect tcp: EOF
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.13.2/bin/linux/amd64/kubelet: proxyconnect tcp: EOF
• Temporary download error: Get https://storage.googleapis.com/kubernetes-release/release/v1.13.2/bin/linux/amd64/kubelet: proxyconnect tcp: EOF

Closing because the issue of SSL interception is outside of our control. Mentioned the need to check for this condition in #3145 - thanks for the report!

Well, it's not totally outside our control. I have the corporate CAs, I just need to know which truststore to append them to.

@RajeshBhojwani - I suspect that either the /etc/ssl/certs files on this system are too old for usage, or that there is a bad proxy which is intercepting and rewriting outgoing SSL certificates. Either way, if curl fails, there is a system misconfiguration that needs to be addressed.

One way to help debug the issue is to use:

echo | openssl s_client -connect storage.googleapis.com:443 \
  | egrep "^subject=|^issuer="

On my machine, I get the following output:

depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.storage.googleapis.com
verify return:1
DONE
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.storage.googleapis.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3

If you see a different list of issuers, something is intercepting your outgoing requests.

If you see the same list of issuers, I suspect you may need to update your locally installed certificates.

I am having the same issue when trying to run

minikube start --vm-driver=none

When I run

echo | openssl s_client -connect storage.googleapis.com:443 \ | egrep "^subject=|^issuer="

I get almost the same output as you mentioned besides CN is now GTS CA 101

depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.storage.googleapis.com
verify return:1
DONE
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.storage.googleapis.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1

Been having a lot of trouble trying to get Minikube up and running... tried just about everything I could think of. Any advice much appreciated