X509 Certificate preventing Helm deploys

Mike_Johnson · June 12, 2019, 5:42pm

@Oliver I see that you’re the Cert master from previous posts.
My cluster started throwing this today:

Internal error occurred: failed calling admission webhook "pilot.validation.istio.io": Post https://istio-galley.istio-system.svc:443/admitpilot?timeout=30s: x509: certificate has expired or is not yet valid

Helm is no longer deploying and we’re in a bind. I don’t think the root certificate has expired since it has only been 99 days not 1 yr like previous posts. I’m using Istio 1.0.5. Is there a way to rectify this without downtime?

Tao_Li · June 18, 2019, 6:00pm

Hi Mike,
Can you provide pilot and galley’s cert? The default cert of galley/pilot is 90 days, but we should provide auto cert rotation.

You can do this by running:

$ kubectl get secret -o json istio.istio-galley-service-account -n istio-system | jq -r ‘.data[“cert-chain.pem”]’ | base64 --decode | openssl x509 -noout -text | grep “Not Before” -C 1

$ kubectl get secret -o json istio.istio-pilot-service-account -n istio-system | jq -r ‘.data[“cert-chain.pem”]’ | base64 --decode | openssl x509 -noout -text | grep “Not Before” -C 1

Tao_Li · June 18, 2019, 6:01pm

And btw, 1.0.5 is out of LTS tomorrow, strongly recommend to upgrade to 1.1 or upcoming 1.2.

Mike_Johnson · June 18, 2019, 6:58pm

Thanks @Tao_Li. Since this was one of my production clusters I took it out of prod, deleted Istio and all configmaps then reinstalled it. That seemed to work for us. I have plans to upgrade to 1.1 soon.

Tao_Li · June 18, 2019, 10:14pm

Great, sounds good to me.

Topic		Replies	Views
Expired root certificate Security	6	3362	June 19, 2019
Helm Install errors due to MutatingWebhookConfiguration	0	981	July 19, 2019
Request to extend Istio 1.4 support	4	464	June 20, 2020
Galley throw certificate error Config	1	1156	January 17, 2019
Istio Strict mTLS + Prometheus Security	1	481	July 4, 2022

X509 Certificate preventing Helm deploys

Related Topics