DEV Community

Cover image for Fix Cert-Manager Conflict with EKS
AWS Community Builders profile image Mohamed Radwan
Mohamed Radwan for AWS Community Builders

Posted on • Updated on

Fix Cert-Manager Conflict with EKS

#aws #eks #kubernetes #openssl

I was facing issue with multiple managed worker nodes running on EKS clusters.

The issue was appearing randomly in different nodes, I cannot access the pods or get the logs by kubectl.

x509: cannot validate certificate for 10.0.83.153 because it doesn’t contain any IP SANs
Enter fullscreen mode Exit fullscreen mode

Kube API in the CloudWatch showing the following errors:

E0327 08:54:17.406029 11 status.go:71] apiserver received an error that is not an metav1.Status: &errors.errorString{s:"error dialing backend: x509: cannot validate certificate for 10.0.83.153 because it doesn't contain any IP SANs"}: error dialing backend: x509: cannot validate certificate for 10.0.83.153 because it doesn't contain any IP SANs
Enter fullscreen mode Exit fullscreen mode

After investigating the issue with the AWS EKS support team, we found that cert-manager-webhook is causing the issue.
Kubelet certificate chain is being used from cert-manager-webhook-ca.

Run the following command on the non-working node:

openssl s_client -connect localhost:10250
Enter fullscreen mode Exit fullscreen mode 
CONNECTED(00000003)
---
Certificate chain
 0 s:
   i:/CN=cert-manager-webhook-ca
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=
issuer=/CN=cert-manager-webhook-ca
---
Enter fullscreen mode Exit fullscreen mode

Run the following command on the working healthy node:

openssl s_client -connect localhost:10250
Enter fullscreen mode Exit fullscreen mode 
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=system:nodes/CN=system:node:ip-10-0-31-151.eu-west-1.compute.internal
   i:/CN=kubernetes
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/O=system:nodes/CN=system:node:ip-10-0-31-151.eu-west-1.compute.internal
issuer=/CN=kubernetes
---
Enter fullscreen mode Exit fullscreen mode

The cert-manager-webhook deployment uses port 10250 which is also used for kubelet.

The solution is change the port of cert-manager-webhook to 10260.

By setting webhook.securePort to 10260

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.10.0 \
  --set webhook.securePort=10260
Enter fullscreen mode Exit fullscreen mode

Sources:

https://cert-manager.io/docs/concepts/webhook/
https://cert-manager.io/docs/installation/compatibility/#aws-eks

Top comments (0)

Read next

karadza profile image

What is Platform Engineering?

Juraj -

notharshhaa profile image

100 AWS DevOps Interview Questions and Answers

H A R S H H A A -

lovestaco profile image

Why We Chose NGINX + HashiStack Over Kubernetes for Our Service Discovery Needs

Athreya aka Maneshwar -

manthan_parmar profile image

Encrypting Your Etcd Credentials: A Critical Step for Kubernetes Security

manthan parmar -