cannot validate certificate for 10.1.201.4 because it doesn't contain any IP SANs

[germebl]

Hey everyone,

i'm actually getting my first steps with Kubernetes (K3S) at all and wanted to setup a 3 Server/3 Worker Agents/3 Storage Agents Cluster with MySQL as Datastore (instead of etcd) and Longhorn for Storage which will take SSD Volumes of the 3 Storage Agents for Storage.

When trying to install with the following command:

curl -sfL https://get.k3s.io | sh -s - server \
	--cluster-init \
    --disable-cloud-controller \
    --disable local-storage \
    --node-name="$(hostname -f)" \
    --flannel-iface=enp7s0 \
	--kubelet-arg="cloud-provider=external" \
    --secrets-encryption \
    --disable=traefik \
    --datastore-endpoint="mysql://k3sdata:supersecure@tcp(pmysql.domain.tld:3306)/k3sdata" \
    --datastore-cafile="/etc/ssl/certs/k3s-mysql-ca.pem" \
    --datastore-certfile="/etc/ssl/certs/k3s-mysql-cert.pem" \
    --datastore-keyfile="/etc/ssl/certs/k3s-mysql-key.pem" \
    --token=supersecret

I'm getting the following error:

Nov 11 10:51:59 k3s-master-1 k3s[6417]: time="2024-11-11T10:51:59Z" level=fatal msg="starting kubernetes: preparing server: creating storage endpoint: building kine: tls: failed to verify certificate: x509: cannot validate certificate for 10.1.201.4 because it doesn't contain any IP SANs"
Nov 11 10:51:59 k3s-master-1 k3s[6417]: time="2024-11-11T10:51:59Z" level=warning msg="failed to check existence of database k3sdata, going to attempt create: tls: failed to verify certificate: x509: cannot validate certificate for 10.1.201.4 because it doesn't contain any IP SANs"

I know of the known issue:
#1093

So i created my client certificate with these commands:

openssl genrsa -out /tmp/client-key.pem 2048

openssl req -new -key /tmp/client-key.pem -out /tmp/client-req.pem -config /tmp/client.cnf

openssl x509 -req -in /tmp/client-req.pem -CA /var/lib/mysql/ca.pem -CAkey /var/lib/mysql/ca-key.pem -CAcreateserial -out /tmp/client-cert.pem -days 3650 -sha256 -extfile /tmp/client.cnf -extensions v3_req

while the config file looks like:

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = Client

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 10.1.201.4

I've checked the certificate with:

openssl x509 -in /tmp/client-cert.pem -noout -text | grep -A1 "Subject Alternative Name"

which results in:

            X509v3 Subject Alternative Name: 
                IP Address:10.1.201.4

So the IP is definitely in the SAN.

Can someone give me a hint what i'm doing wrong or if anything is missing?

My sources are:
https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/k3s-for-rancher
https://longhorn.io/docs/1.7.2/deploy/install/install-with-helm/
https://ellie.wtf/notes/hetzner-k3s

[brandond]

The server cert is missing the SAN. It needs a SAN for the host name or IP the client is connecting to it at. The client cert doesn't usually need any particular attributes, generally it just needs to be issued by a CA trusted by the server.

[brandond]

Also, don't use both cluster-init and datastore-endpoint. Cluster-init enables embedded etcd, which is not what you want if you're trying to connect to MySQL. You also have a bunch of other unnecessary flags. Why did you decide to use all those? Are you planning on deploying a different cloud provider?

[germebl]

Oh, got it... Actually it's a ProxySQL which leads to a 3 Node xtraDB Cluster - cause it's just a dev sys so acutally doesnt contain anything other than defaults cause its at dev site. I used the CA & Server Cert on all 4 Nodes and just created Client Certs from the CA.

I'm planning to create a k3s cluster with 3 servers, 3 worker agents, 3 storage agents within Hetzner Cloud. The datastore is at a Percona xtraDB Cluster Loadbalanced by a ProxySQL Server, as mentioned the CA file comes from the pxc-node-1. the node-2&-3 and proxysql server all using same server cert from the same ca. The client certificates are also created by the ca, but there every client gets its own. The storage agents are for Longhorn which using mounted Hetzner SSD Volumes. I'm about to disable default Traefik because i want to use Hetzner Loadbalancers - like for example described here: https://ellie.wtf/notes/hetzner-k3s

But generally i'm trying to follow the default Rancher k3s Documentation with a bit help of the k3s own Documentation:
https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/k3s-for-rancher
https://docs.k3s.io/quick-start

So my conclusion is, that i will deploy to each pxc node and the proxysql each its own server cert from the ca and the proxysql server cert needs to be created with the above mentioned IP SAN. (I had tried to save myself the time as it is only a dev site :D)

[germebl]

So, i have now changed the CA and all the server and client certs. I've checked the server certificate with openssl x509 -in ca_certs/mysql-ssl/server-pmysql_server_cert.pem -noout -text and its shown as follows:

        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                IP Address:10.1.201.4, DNS:pmysql.domain.tld

But it still reports, that the IP isn't within the SAN.