Description
- Create an account in quickstart PM
- Download a kubeconfig from the portal
- Try to use it:
E0123 10:02:09.129087 16047 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://kcp.api.portal.localhost:8443/clusters/root:orgs:bob:quickstart/api?timeout=32s\": getting credentials: exec: executable kubectl failed with exit code 1"
error: get-token: authentication error: oidc error: oidc discovery error: Get "https://portal.localhost:8443/keycloak/realms/bob/.well-known/openid-configuration": tls: failed to verify certificate: x509: “localhost” certificate is not trusted
E0123 10:02:09.170722 16047 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://kcp.api.portal.localhost:8443/clusters/root:orgs:bob:quickstart/api?timeout=32s\": getting credentials: exec: executable kubectl failed with exit code 1"
Unable to connect to the server: getting credentials: exec: executable kubectl failed with exit code 1
cert in kubeconfig:
pbpaste | base64 -d | openssl x509 -text -noout - 10:04:17
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
15:69:8f:02:81:78:16:23:cf:24:5d:47:e5:4c:25:97:61:4d:8a:ce
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN=root-ca
Validity
Not Before: Jan 23 07:35:22 2026 GMT
Not After : Jan 21 07:35:22 2036 GMT
Subject: CN=root-ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
0A:C5:6B:64:D6:4D:3A:9D:DA:5E:4D:C1:42:08:1D:9E:54:31:1B:FA
Signature Algorithm: sha512WithRSAEncryption
Signature Value:
kubectl oidc-login get-token --oidc-issuer-url=https://portal.localhost:8443/keycloak/realms/bob --oidc-client-id=kubectl --oidc-extra-scope=email
error: get-token: authentication error: oidc error: oidc discovery error: Get "https://portal.localhost:8443/keycloak/realms/bob/.well-known/openid-configuration": tls: failed to verify certificate: x509: “localhost” certificate is not trusted
We either need to add insecure or provide certs:
kubectl oidc-login get-token --oidc-issuer-url=https://portal.localhost:8443/keycloak/realms/bob --oidc-client-id=kubectl --oidc-extra-scope=email --insecure-skip-tls-verify
or:
kubectl oidc-login get-token --oidc-issuer-url=https://portal.localhost:8443/keycloak/realms/bob --oidc-client-id=kubectl --oidc-extra-scope=email --certificate-authority=/path/to/ca.crt
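The second option above keeps TLS verification of the issuer on. As an added example (not code from this project), the function below reuses the CA already embedded in the kubeconfig for the oidc-login exec args and refuses a config that disables verification. It assumes the issuer certificate chains to that same CA; the sample kubeconfig, its placeholder CA data and the function names are constructed for illustration.

```shell
# Added example. Assumption: the OIDC issuer's TLS certificate chains to the
# CA the kubeconfig already carries in certificate-authority-data.

# Constructed, trimmed kubeconfig; the CA data is a placeholder, not a real cert.
sample_kubeconfig() {
cat <<'EOF'
clusters:
- name: quickstart
  cluster:
    certificate-authority-data: UExBQ0VIT0xERVItQ0E=
users:
- name: bob
  user:
    exec:
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://portal.localhost:8443/keycloak/realms/bob
      - --oidc-client-id=kubectl
EOF
}

# pin_issuer_ca KUBECONFIG CA_OUT: writes the embedded CA to CA_OUT and prints
# the kubeconfig with --certificate-authority added to the oidc-login args.
pin_issuer_ca() {
  local cfg="$1" ca_out="$2" data
  # A config that turns issuer verification off is rejected, not patched.
  grep -q -- '--insecure-skip-tls-verify' "$cfg" &&
    { echo "refusing: issuer TLS verification disabled in $cfg" >&2; return 2; }
  data=$(awk '$1 == "certificate-authority-data:" { print $2; exit }' "$cfg")
  [ -n "$data" ] || { echo "no certificate-authority-data in $cfg" >&2; return 1; }
  printf '%s' "$data" | base64 -d > "$ca_out" || return 1
  # Already pinned: print the config unchanged.
  grep -q -- '--certificate-authority=' "$cfg" && { cat "$cfg"; return 0; }
  # Insert the CA flag right after the issuer URL, keeping its indentation.
  awk -v ca="$ca_out" '
    { print }
    /^ *- --oidc-issuer-url=/ {
      indent = $0; sub(/-.*/, "", indent)
      print indent "- --certificate-authority=" ca
    }' "$cfg"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
sample_kubeconfig > "$demo_dir/config"
pin_issuer_ca "$demo_dir/config" "$demo_dir/ca.crt"
```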