how to specify trusted certificate to kubernetes master? - amazon-web-services

I am creating a k8s cluster on AWS using http://kubernetes.io/docs/getting-started-guides/aws/
After exporting required environment variables and running ./kubernetes/cluster/kube-up.sh I am able to create k8s cluster.
But I am getting "Certificate Error" in crome on accessing kubernetes-master, can some one help me how to specify trusted certificate which is already available with me to kubernetes-master?
During creation I can see logs as,
Generating certs for alternate-names:

Each cluster is given its own certificate hierarchy, which is not signed by a root CA that is trusted by your web browser. For Chrome to connect without a warning, you will need to add the cluster CA certificate into your root certificate store so that it is trusted by your machine.
See https://github.com/kubernetes/kubernetes/issues/7307#issuecomment-96130676

Related

How to update/renew kube-api server certificate for API server Endpoint of AWS EKS Cluster

We need to update/renew the API server endpoint (https://****************.__7.region-name.eks.amazonaws.com) for our EKS Cluster due to some security reason and not able to see any option to do that. We have created EKS Cluster back in 2021 and observed that SSL certification validity is of 2 years i.e. around 755 days. so, we wanted to update/renew this certificate.
We tried to validate all certificate (csr file) from kubeadm, but csr file looks fine here. tried to create a cluster configuration file with certificate but seems it was not working with EKS. Please let me knwo if anyone can help us out to figure out how we can update the kuber-apiserver certificate for API server endpoint access of our EKS Cluster.

How can i get my rds-ca-2019 pem file from AWS RDS Amazon

I have an RDS I have created with AWS of type postgresql
Under connectivity, i as see it defined a rds-ca-2019
I need that certificate for connection from a Java client application
I tried using global pem, but it seems not to match and failing on SSL connection
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Where can i get this rds-ca-2019 certificate
The download resource i was looking can be found as below in the attacked link
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-download-ssl-certificate-for-managed-database

kubeadm init phase upload-config failing

I am new to kubernetes and want to setup kubernetes HA setup after successfully completing examples with minikube and single master kubernetes cluster. I am using AWS EC2 instances and AWS application load balancer for this purpose. I dont want to use KOPS or any other tool for installation. I want to get hands on with kubeadm.
I followed below steps
Created self signed certificate ca.crt and ca.key to use for
kubernetes
Installed this certificate as Root CA on my ubuntu
instance
Copied this ca.crt and ca.key to /etc/kubernetes/pki
Created new certificate for aws loadbalancer and signed
it with above ca.crt. With this certificate created Aws application
load balancer
I also created Record Set in AWS Route53 for domain name mapping. I also made sure this domain name
mapping is working. (i.e. master.k8sonaws.com is properly resolving to aws load balancer)
Now I am using kubeadm init
kubeadm init --pod-network-cidr=192.168.0.0/20
--service-cidr=192.168.16.0/20 --node-name=10.0.0.13 --control-plane-endpoint "master.k8sonaws.com:443" --upload-certs --v=8 --apiserver-bind-port=443 --apiserver-cert-extra-sans=master.k8sonaws.com,i-0836dd4dc6609a924
This command is succeeding up-to upload-config phase. Health check endpoint is returning success but
after that its failing in upload-config phase
configmaps is forbidden: User "system:anonymous" cannot create resource "configmaps" in API group "" in the namespace
"kube-system"
Here I am not able to understand why kubeadm is passing anonymyous user for api call. How can I resolve this issue
The certificate in the kubeconfig file used to create the ConfigMap does not have right groups. I would say don't generate ca and cert for kubernetes yourself. Just use kubeadm init and kubeadm will handle the ca and cert generation. After your kubernetes cluster is up and running you can use the same ca to generate a cert yourself and use that in aws load balancer.
I found solution to this problem after trying lot of different things
for 2 days. Problem is aws load balancer does not pass client
certificate to backend server when using https listener. And problem is Aws has
not documented this fact or I did not get those document if they are
there.
Way to solve this problem is using plane http listener using same port 443. So SSL termination is carried out by backened server. In my case this is not security threat since both my load balancer and backend servers are internal and not exposed to public ip.

trying to find my ssl certificate I created on AWS Certificates

I setup my ec2 instance and got https working for a bit only to realize I need tls 1.2 on default and in order to do that I had to configure my code to instruct it to read my cert file in the code. Problem is I don't know which it is as there are 269 files in the directory /etc/ssl/certs. I have googled for a couple hours hoping something would tell me where to look to check what file amazon generated for me that it specifically wants. Otherwise im shooting in the dark trying pems one at a time.
secureProtocol: 'TLSv1_2_server_method',
pfx: fs.readFileSync("/etc/ssl/certs/FILENAME.PEM")
}, app).listen(443);
Help is greatly appreciated.
Please refer EC2 instance details in AWS management console.
Steps:
Login to AWS management console and goto EC2 -> Instances.
Select the instance to which we need to connect and scroll the
description which is present in bottom window which will have EC2
instance details.
Check for "Key pair name" , this will be the key pair which needs
to be used to securely connect to respective EC2 instance.
I assume that you got a certificate on Amazon ACM.
ACM Certificates can be used in,
Elastic Load Balancing
Amazon CloudFront
Amazon API Gateway
AWS Elastic Beanstalk
AWS CloudFormation(for email validation only)
The certificate issued by ACM cannot be installed directly on an EC2 instance.
If you want to install an SSL certificate directly on your EC2 instance, you will need to obtain a SSL certificate through a third-party
Therefore, you cannot find any files related to the certificate issued by ACM inside your EC2 instance.
hope this helps.

AWS RDS Certificate Authority update

I recently received an email regarding a required update to my RDS Certificate Authority.
The instructions on the RDS side seems straight forward: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
However on step 4 there was an important message, "When you schedule this operation, make sure that you have updated your client-side trust store beforehand."
I cant seem to find any information about updating my server which connects to RDS for the CA update.
My Setup is EC2 instances on Beanstalk.
Does anyone know how/what I am supposed to do?
Thank you.
similar question: Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk
Basically, the installation of certification is only required when you use the SSL connection from your application to the RDS server. Regardless of the SSL connection, it is recommended to update the certificate of your server but it is not necessary when you did not use the SSL connection to the RDS.
Server-side Usage
When you use the SSL connection, you should change the certificate of the RDS server as soon as possible. Go to the RDS console, then you can find the Certificate update menu from the left menu list. Find your DB cluster, check and update your SSL right now or reserve the update for the next maintenance.
Client-side Usage
The details about the SSL certificate are noted in the documentation. From here, you can download the root CA certificate of rds 2019. The link is below.
https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
This CA certificate is used to connect the rds server, e.g.
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com
--ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY
or add it to the Trusted Root CA for the client OS.
For example in Windows, you can run certmgr.msc and right-click the trusted root ca, import this certificate. In Mac, open keychain access and import this certificate. This is an option.
In order to change your CA Certificate on an Elastic Beanstalk environment by Amazon (AWS) do the following:
Log in to your console (https://console.aws.amazon.com/)
Click services and search for "RDS"
Inside RDS (RDS is where the databases from Beanstalk lives even though they are directly attached to the Beanstalk environment) click "Certificate Update" down in the right corner (there will be a very read notification on the link)
If you have any certificates to upgrade, they will show up here.
Click the RDS instance name (the weird aws name of the database server) aka "DB identifier"
(Well inside this you can see some more info about it under configuration), for instance your db username which could help you identify the instance if you have many and forgot to rename them.
Click Actions > Upgrade now (this will reboot your instance now) OR Actions > Upgrade at next window (choose this if you have a lot of traffic and many users, so it will be less disruptive ie not stop in the middle of the day but in the night according to the maintenance schedule of your location/server)
That's it. You do not need to install anything in your Beanstalk environment.
This is how we are managing SSL communication from Elastic Beanstalk to an external RDS PostgreSQL database. We add the following config file to .ebextensions (.ebextensions/rds.config):
commands:
01-create-folder:
command: mkdir -p /home/webapp/.postgresql
02-download-cert:
command: aws s3 cp s3://rds-downloads/rds-ca-2019-root.pem /home/webapp/.postgresql/root.crt
03-change-owner:
command: chown webapp:webapp /home/webapp/.postgresql/root.crt
04-change-mode:
command: chmod 400 /home/webapp/.postgresql/root.crt
The file downloads the certificate from the public S3 folder and places in the .postgresql folder as the root certificate. We are having a Java application and the JDBC driver successfully connects to RDS with SSL enabled.