
[Release-1.29] - Failure to read certificates and key files during k3s certificate rotate-ca #10743

Closed
brandond opened this issue Aug 22, 2024 · 1 comment

@brandond

Backport fix for Failure to read certificates and key files during k3s certificate rotate-ca

@VestigeJ

## Environment Details
Reproduced using VERSION=v1.29.8+k3s1
Validated using COMMIT=0dfad66a35860c252c9547a682c37ec4dd293433

Infrastructure

  • Cloud

Node(s) CPU architecture, OS, and version:

```text
Linux 6.4.0-150600.23.17-default x86_64 GNU/Linux
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
```

Cluster Configuration:

```text
NAME             STATUS   ROLES                       AGE     VERSION
ip-1-1-3-2       Ready    control-plane,etcd,master   4h11m   v1.29.8+k3s-0dfad66a
```

Config.yaml:

```yaml
node-external-ip: 1.1.3.2
token: YOUR_TOKEN_HERE
write-kubeconfig-mode: 644
debug: true
cluster-init: true
```

Reproduction

```shell
$ curl https://get.k3s.io --output install-"k3s".sh
$ sudo chmod +x install-"k3s".sh
$ sudo groupadd --system etcd && sudo useradd -s /sbin/nologin --system -g etcd etcd
$ sudo modprobe ip_vs_rr
$ sudo modprobe ip_vs_wrr
$ sudo modprobe ip_vs_sh
# write the CIS sysctl settings to both files (a shell redirect only takes one target, so use tee)
$ printf "vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1\n" | sudo tee ~/60-rke2-cis.conf ~/90-kubelet.conf
$ sudo cp 90-kubelet.conf /etc/sysctl.d/
$ sudo systemctl restart systemd-sysctl
$ VERSION=v1.29.8+k3s1
$ sudo INSTALL_K3S_VERSION=$VERSION INSTALL_K3S_EXEC=server ./install-k3s.sh
$ sudo ls -lah /var/lib/rancher/k3s/server/tls/
$ sudo mkdir -p /opt/k3s/server/tls
# OpenSSL 3 writes PKCS#8 by default; -traditional keeps the PKCS#1 format k3s expects
$ openssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional
$ sudo openssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048
# new service key first, then the current one appended, as rotate-ca expects
$ sudo cat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key
$ sudo ls /opt/k3s/server/tls/
$ sudo /usr/local/bin/k3s certificate rotate-ca --path=/opt/k3s/server
$ sudo journalctl -u k3s | grep -i 'certificate error'
$ sudo /usr/local/bin/k3s certificate rotate-ca --path=/opt/k3s/server --force
$ COMMIT=0dfad66a35860c252c9547a682c37ec4dd293433
$ sudo INSTALL_K3S_COMMIT=$COMMIT INSTALL_K3S_EXEC=server ./install-k3s.sh
$ sudo /usr/local/bin/k3s certificate rotate-ca --path=/opt/k3s/server
```

Results:

```text
$ sudo /usr/local/bin/k3s certificate rotate-ca --path=/opt/k3s/server

WARN[0000] failed to read /opt/k3s/server/tls/server-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/client-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/request-header-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/client-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/request-header-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/etcd/peer-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/server-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/etcd/server-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/etcd/server-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/etcd/peer-ca.crt
FATA[0000] see server log for details: Internal error occurred: certificate error ID 15326
```

```text
$ sudo journalctl -u k3s | grep -i 'certificate error'

Sep 12 18:11:59 k3s[16973]: time="2024-09-12T18:11:59Z" level=error msg="certificate error ID 15326: failed to validate new CA certificates and keys: ETCDServerCA: new CA is self-signed, ETCDServerCAKey: new CA cert and key cannot be loaded as X590KeyPair: open /tmp/cacerts937781426/tls/etcd/server-ca.key: no such file or directory, ETCDPeerCA: new CA is self-signed, ETCDPeerCAKey: new CA cert and key cannot be loaded as X590KeyPair: open /tmp/cacerts937781426/tls/etcd/peer-ca.key: no such file or directory, ServerCA: new CA is self-signed, ServerCAKey: new CA cert and key cannot be loaded as X590KeyPair: open /tmp/cacerts937781426/tls/server-ca.key: no such file or directory, ClientCA: new CA is self-signed, ClientCAKey: new CA cert and key cannot be loaded as X590KeyPair: open /tmp/cacerts937781426/tls/client-ca.key: no such file or directory, RequestHeaderCA: new CA is self-signed, RequestHeaderCAKey: new CA cert and key cannot be loaded as X590KeyPair: open /tmp/cacerts937781426/tls/request-header-ca.key: no such file or directory"
Sep 12 18:11:59 k3s[16973]: time="2024-09-12T18:11:59Z" level=error msg="Sending HTTP 500 response to 127.0.0.1:44526: certificate error ID 15326"
```

`--force` does seem to work around this issue:

```text
$ sudo /usr/local/bin/k3s certificate rotate-ca --path=/opt/k3s/server --force

WARN[0000] failed to read /opt/k3s/server/tls/etcd/peer-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/server-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/client-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/request-header-ca.key
WARN[0000] failed to read /opt/k3s/server/tls/etcd/peer-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/server-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/etcd/server-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/client-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/request-header-ca.crt
WARN[0000] failed to read /opt/k3s/server/tls/etcd/server-ca.key
certificates saved to datastore
```

```text
$ COMMIT=0dfad66a35860c252c9547a682c37ec4dd293433
$ sudo INSTALL_K3S_COMMIT=$COMMIT INSTALL_K3S_EXEC=server ./install-k3s.sh

[INFO]  Using commit 0dfad66a35860c252c9547a682c37ec4dd293433 as release
[INFO]  Downloading hash https://k3s-ci-builds.s3.amazonaws.com/k3s-0dfad66a35860c252c9547a682c37ec4dd293433.sha256sum
[INFO]  Downloading binary https://k3s-ci-builds.s3.amazonaws.com/k3s-0dfad66a35860c252c9547a682c37ec4dd293433
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Skipping /usr/local/bin/kubectl symlink to k3s, already exists
[INFO]  Skipping /usr/local/bin/crictl symlink to k3s, already exists
[INFO]  Skipping /usr/local/bin/ctr symlink to k3s, already exists
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
```

```text
$ sudo /usr/local/bin/k3s certificate rotate-ca --path=/opt/k3s/server

WARN[0000] failed to stat ETCDPeerCAKey: stat /opt/k3s/server/tls/etcd/peer-ca.key: no such file or directory
WARN[0000] failed to stat ClientCA: stat /opt/k3s/server/tls/client-ca.crt: no such file or directory
WARN[0000] failed to stat RequestHeaderCAKey: stat /opt/k3s/server/tls/request-header-ca.key: no such file or directory
WARN[0000] failed to stat ETCDPeerCA: stat /opt/k3s/server/tls/etcd/peer-ca.crt: no such file or directory
WARN[0000] failed to stat ServerCAKey: stat /opt/k3s/server/tls/server-ca.key: no such file or directory
WARN[0000] failed to stat ClientCAKey: stat /opt/k3s/server/tls/client-ca.key: no such file or directory
WARN[0000] failed to stat RequestHeaderCA: stat /opt/k3s/server/tls/request-header-ca.crt: no such file or directory
WARN[0000] failed to stat ETCDServerCAKey: stat /opt/k3s/server/tls/etcd/server-ca.key: no such file or directory
WARN[0000] failed to stat ETCDServerCA: stat /opt/k3s/server/tls/etcd/server-ca.crt: no such file or directory
WARN[0000] failed to stat ServerCA: stat /opt/k3s/server/tls/server-ca.crt: no such file or directory
certificates saved to datastore
```

@github-project-automation github-project-automation bot moved this from To Test to Done Issue in K3s Development Sep 12, 2024