Unable to create admin client cert and private key #457
Comments
|
edit: fixed this by running the command in the same directory as my ca.pem and ca-key.pem ( I was running the command in a different directory before realizing that this command referenced the other files |
|
Thank you for the feedback. Strange that I can't reproduce as I'm running the command from my home directory which contains both ca.pem and ca-key.pem. Seems the error is being generated from cfssl as I removed the pipe in order to isolate where the problem is coming from. I'll take a step back and regenerate the ca.pem and ca-key.pem files just to see what I see and will report back after attempting to generate the admin bits... Same error
|
|
Closing this as I just discovered I'm using cfssl 1.2 as that's the latest package. I'll upgrade manually. |
|
Reopening after being able to reproduce the same error using cfsssl 1.3.3 |
|
same error with cfssl 1.2 |
|
For me ca-config.json file wasn't well formed. I formatted the json and it worked! |
|
Missing profile -profile=kubernetes in cfssl? Fall back to default does not contain any key usage configuration hence "no key usage available"? |
|
This issues seems resolved. |
I have also encountered this problem! The solution is: In CA- config.json Define the corresponding kubernetes configuration item, For example: "profiles": { "kubernetes": { "expiry": "876000h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } When generating the certificate, we need to pay attention to the parameter - profile = kubernetes, whether it is consistent here! I also looked up for a long time also did not find, finally in reading ca- config.json The file process found that the configuration item name is inconsistent! Good luck with coding! A programmer from China |
|
I know this issue is closed but just wanted to mention that whoever is following the tutorial should pay close attention to the "profile" field while generating the certs. Whatever the name of the profile in this section of code ("kubernetes" in below instance) should be maintained throughout
|
maybe your share well formatted json? |
|
#457 (comment) saved me. Correcting a typo from |
Both ca.pem and ca-key.pem exist (previous step worked as expected).
admin-csr.json
{ "CN": "admin", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "US", "L": "Portland", "O": "system:masters", "OU": "Kubernetes The Hard Way", "ST": "Oregon" } ] }Try to generate...
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin 2019/04/02 14:12:37 [INFO] generate received request 2019/04/02 14:12:37 [INFO] received CSR 2019/04/02 14:12:37 [INFO] generating key: rsa-2048 2019/04/02 14:12:37 [INFO] encoded CSR {"code":5100,"message":"Invalid policy: no key usage available"} Failed to parse input: unexpected end of JSON inputThe text was updated successfully, but these errors were encountered: