We believe we tracked it down to being an issue with /etc/etcd/etcd-server.crt
It appears to be missing 'Key Encipherment' in its 'X509v3 extensions / X509v3 Key Usage' values.
Which you can see by doing:
openssl x509 -in /etc/etcd/etcd-server.crt -noout -text
This seems to be preventing the Certificate from being properly validated.
For comparison you can look at the apiserver certificate
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
It does have 'Key Encipherment' and can be validated fine.
Hey Zhipeng,
Jose did use --cacert and it did not work.
We believe we tracked it down to being an issue with /etc/etcd/etcd-server.crt
It appears to be missing 'Key Encipherment' in its 'X509v3 extensions / X509v3 Key Usage' values.
Which you can see by doing:
openssl x509 -in /etc/etcd/etcd-server.crt -noout -text
This seems to be preventing the Certificate from being properly validated.
For comparison you can look at the apiserver certificate
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
It does have 'Key Encipherment' and can be validated fine.
e.g. see an upstream discussion on this https://bugzilla.redhat.com/show_bug.cgi?id=1579384
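
The comparison described in the message above, scripted as an added example (not part of the original report or of any project's tooling): it reads `openssl x509 -noout -text` output and lists which required Key Usage values a certificate lacks. The function names and the two sample texts are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples: trimmed `openssl x509 -noout -text` output,
# not taken from the affected cluster.
SAMPLE_ETCD='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'
SAMPLE_APISERVER='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

# Print each X509v3 Key Usage value on its own line (certificate text on stdin).
# Exit status 1 means the certificate has no Key Usage extension at all.
key_usages() {
    awk '
        /X509v3 Key Usage:/ { grab = 1; next }   # values sit on the next line
        grab {
            found = 1
            gsub(/^[ \t]+|[ \t\r]+$/, "")          # trim indentation
            n = split($0, v, /, */)
            for (i = 1; i <= n; i++) print v[i]
            exit
        }
        END { exit !found }
    '
}

# Print every required usage ("$@") that the certificate text on stdin lacks.
# An absent Key Usage extension is treated here as unrestricted: nothing is printed.
missing_key_usages() {
    present=$(key_usages) || return 0
    for want in "$@"; do
        printf '%s\n' "$present" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

report() {   # $1 = label, certificate text on stdin
    missing=$(missing_key_usages "Key Encipherment")
    printf '%s: %s\n' "$1" "${missing:+missing }${missing:-ok}"
}

printf '%s\n' "$SAMPLE_ETCD" | report "etcd-server sample"
printf '%s\n' "$SAMPLE_APISERVER" | report "apiserver sample"
# Against the real file named in the report:
#   openssl x509 -in /etc/etcd/etcd-server.crt -noout -text | report etcd-server.crt
```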