Search code examples
sslssl-certificatekubernetesclient-certificateskubernetes-security

Error generating CA certificate and private key using cfssl and kubernetes

I am using cfssl to generate CSR.

I have below json format

{
"CN": "ambika",
"key": {
  "algo": "ecdsa",
  "size": 256
},
"names": [
   {
       "O": "system:masters"
   }
 ]
}

root@vagrant-xenial64:~/bin# cat csr.json | cfssl genkey - | cfssljson  -bare server
2017/10/25 08:28:07 [INFO] generate received request
2017/10/25 08:28:07 [INFO] received CSR
2017/10/25 08:28:07 [INFO] generating key: ecdsa-256
2017/10/25 08:28:07 [INFO] encoded CSR

In the next step Generate a CSR yaml blob and send it to the apiserver by running the following command:

root@vagrant-xenial64:~/bin# cat csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
 name: ambika
spec:
  groups:
    - system:masters
    request: $(cat server.csr | base64 | tr -d "\n")
usages:
 - digital signature
- key encipherment
- client auth

root@vagrant-xenial64:~/bin# kubectl create -f csr.yaml
Error from server (BadRequest): error when creating "STDIN": CertificateSigningRequest in version "v1beta1" cannot be handled as a CertificateSigningRequest: [pos 684]: json: error decoding base64 binary 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlIbE1JR01BZ0VBTUNveEZ6QVZCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVE4d0RRWURWUVFERXdaaApiV0pwYTJFd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTdXVIbWF4bpaDU1TkpHZHh1cmN1ClQ1OU9YU0hEWUQ0d1J2S055NjlMOEkwL3RxTjF3WmRMckpYdSsxSDN5ZGp2N0FMaUJoSUh6aHRMMHd6QUN4b3AKb0FBd0NWUlLb1pJemowRUF3SURTQUF3UlFJaEFOTk9xaXFDa1lSYWgxQUFoUDQ1bWNzb09QM2p4RjIvdTB6ZgpHZW9BamhEQkFpQU55MEZkSU9vREhlZDFGd3UvTWFBditmWGJxN3V6RUdCQm9zUUFSUWFYcEE9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K': illegal base64 data at input byte 512

I am following this link Manage TLS Certificates in a Cluster

Solution

  • since your running this in yaml file, you need to include based64 encoded value int he yaml file. $(cat server.csr | base64 | tr -d "\n")

    in the example page they are running it in the shell directly.

    cat server.csr | base64 | tr -d '\n' > o encode like this and include the value in the yaml file it will work.

    apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ambika
spec:
  groups:
  - system:masters
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlIbU1JR01BZ0VBTUNveEZ6QVZCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVE4d0RRWURWUVFERXdaaApiV0pwYTJFd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTVWVLYmdpKzZHVHlhQlhDdk40S29SClRqMmFmRlUvVVZXV1Z5WHhJSnlMczhraE5pZDlRQnp0bzZHcDZESnYwTDdST1JuZnNXR2M2N0VVeXUzdU5LZ00Kb0FBd0NnWUlLb1pJemowRUF3SURTUUF3UmdJaEFJekkxOWxuR3ZueG1la1JyM28vSDI1ZWYyVklOWURlMkJZRQpaZUJiaHN1c0FpRUEyRXNWUE0xV2huZUMyMVFEL3ZIbXNnVFZqWWdVcHRPU3dSQ2lHSWZQekhjPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
  usages:
  - digital signature
  - key encipherment
  - server auth