Comment 4 for bug 1931719

Greg Waines (greg-waines) wrote :

Hey Zhipeng,

Jose did use --cacert and it did not work.

We believe we tracked it down to being an issue with /etc/etcd/etcd-server.crt.
It appears to be missing 'Key Encipherment' in its 'X509v3 extensions / X509v3 Key Usage' values.
Which you can see by doing:
    openssl x509 -in /etc/etcd/etcd-server.crt -noout -text

This seems to be preventing the Certificate from being properly validated.

For comparison you can look at the apiserver certificate
    openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
It does have 'Key Encipherment' and can be validated fine.

e.g. see an upstream discussion on this https://bugzilla.redhat.com/show_bug.cgi?id=1579384
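The check described in this comment, as an added example that is not part of the bug report or of any StarlingX/etcd tooling: a POSIX shell script that parses the `openssl x509 -noout -text` dump and reports whether the X509v3 Key Usage extension lists Key Encipherment. The function names and the two embedded sample dumps are constructed for illustration (they mirror the shape of openssl's output, not the contents of any real certificate); the certificate paths in the usage comment are the ones named above.

```shell
#!/bin/sh
# Added example, not from the bug report: inspect the X509v3 Key Usage of a
# certificate and tell whether "Key Encipherment" is among its values.

# key_usage_of DUMP  -> prints the Key Usage value line from an
# `openssl x509 -noout -text` dump (the values sit on the line after the header).
key_usage_of() {
    printf '%s\n' "$1" | awk '/X509v3 Key Usage/ {getline; sub(/^[ \t]+/, ""); print; exit}'
}

# has_key_encipherment DUMP -> exit 0 if Key Encipherment is listed, 1 otherwise
has_key_encipherment() {
    key_usage_of "$1" | grep -q 'Key Encipherment'
}

# check_cert_file PATH -> runs openssl on a real certificate file and reports
# the result (exit 1 when Key Encipherment is missing, 2 if openssl fails).
check_cert_file() {
    dump=$(openssl x509 -in "$1" -noout -text) || return 2
    if has_key_encipherment "$dump"; then
        echo "$1: Key Usage includes Key Encipherment"
    else
        echo "$1: Key Usage is missing Key Encipherment"
        return 1
    fi
}

# Constructed sample dumps (hypothetical; modelled on openssl's text layout).
# The first resembles a server cert whose Key Usage lacks Key Encipherment,
# the second one that has it, as the apiserver certificate is said to.
ETCD_LIKE_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

APISERVER_LIKE_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

# Usage on a real file, e.g.:
#   sh check_ku.sh /etc/etcd/etcd-server.crt
#   sh check_ku.sh /etc/kubernetes/pki/apiserver.crt
if [ $# -gt 0 ] && command -v openssl >/dev/null 2>&1; then
    check_cert_file "$1"
fi
```

Run against both certificates mentioned above, the script gives a quick yes/no on the extension instead of reading the full `-text` dump by eye; a non-zero exit makes it usable from a health-check or CI step.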