How to Fix the “certificate signed by unknown authority” error in Kubernetes?

Jan 8, 2024

While I was completing this post, I ran across the SSL problem.


The whole error message is as follows:

Error from server (InternalError): Internal error occurred: failed calling webhook "xxx": failed to call webhook:
Post "https://xxx.default.svc:443/?timeout=5s": tls: failed to verify certificate:
x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error"
while trying to verify candidate authority certificate "xxx.default.svc")

Kubernetes raises this error if your SSL/TLS certificate was created without a subjectAltName.

An example of a wrong command:

openssl req -subj '/CN=abc.default.svc' -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365

This is how you should generate your key and certificate:

openssl req -subj '/CN=abc.default.svc' -addext "subjectAltName = DNS:abc.default.svc" -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
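
To check which kind of certificate you ended up with, the script below (an added example, not part of the original post) runs both commands into a temporary directory and inspects each certificate for the DNS entry. The helper names `gen_cert` and `has_dns_san` and the directory layout are assumptions made for this example; `-addext` and `x509 -ext` need OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example: generate the certificate with and without a subjectAltName,
# then check each one for the DNS entry the webhook hostname needs.
set -eu

# has_dns_san <cert.pem> <dns-name>
# Returns 0 only if the certificate carries a SAN entry exactly "DNS:<dns-name>".
has_dns_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "DNS:$2"
}

# gen_cert <dns-name> <out-dir> <yes|no>
# Same options as the two commands above; "yes" adds the subjectAltName.
gen_cert() {
    if [ "$3" = yes ]; then
        openssl req -subj "/CN=$1" -addext "subjectAltName = DNS:$1" \
            -x509 -newkey rsa:4096 -nodes \
            -keyout "$2/key.pem" -out "$2/cert.pem" -days 365 2>/dev/null
    else
        openssl req -subj "/CN=$1" \
            -x509 -newkey rsa:4096 -nodes \
            -keyout "$2/key.pem" -out "$2/cert.pem" -days 365 2>/dev/null
    fi
}

# Constructed demo: throwaway keys in a temp directory, removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/without" "$WORK/with"

gen_cert abc.default.svc "$WORK/without" no
gen_cert abc.default.svc "$WORK/with" yes

for d in without with; do
    if has_dns_san "$WORK/$d/cert.pem" abc.default.svc; then
        echo "$d: subjectAltName DNS:abc.default.svc present"
    else
        echo "$d: no matching subjectAltName"
    fi
done
```

Point `has_dns_san` at the cert.pem your webhook actually serves, with the service name from the error message, before redeploying.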