Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


kubernetes - kubectl trying to create CertificateSigningRequest error: Error from server (BadRequest): error when creating "tcsr.yaml": CertificateSigningRequest

I am trying to create a CertificateSigningRequest:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: vault-csr
spec:
  groups:
  - system:authenticated
  request: <base64-encoded CSR>
  usages:
  - digital signature
  - key encipherment
  - server auth

but I'm getting:

Error from server (BadRequest): error when creating "tmp/csr.yaml": CertificateSigningRequest in version "v1beta1" cannot be handled as a CertificateSigningRequest: v1beta1.CertificateSigningRequest.Spec: v1beta1.CertificateSigningRequestSpec.Usages: []v1beta1.KeyUsage: Request: decode base64: illegal base64 data at input byte 2432, error found in #10 byte of ...|ULS0tLS0K","usages":|..., bigger context ...|pPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K","usages":["digital signature","key encipherment",|...

What does it mean?

question from:https://stackoverflow.com/questions/65846911/kubectl-trying-to-create-certificatesigningrequest-error-error-from-server-bad


1 Reply


Something is definitely wrong with your request line. Your error comes (most probably, I am not sure, it seems) from wrongly encoded, copy-pasted data.

You can find a lot of similar examples, like "Kubernetes doesn't create certificates".

I reproduced your minor example and everything seems to work. To reproduce it I used the "Create CertificateSigningRequest" official documentation page.

Small remark: there is a v1 apiVersion in the official doc. I wasn't able to create a CertificateSigningRequest with it, so I had to go back to the apiVersion: certificates.k8s.io/v1beta1 one.

The error I received using apiVersion: certificates.k8s.io/v1 was

error: unable to recognize "sr.yaml": no matches for kind "CertificateSigningRequest" in version "certificates.k8s.io/v1"

So, basically,

$ openssl genrsa -out vit.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................................................................................+++++
........+++++
e is 65537 (0x010001)

$ openssl req -new -key vit.key -out vit.csr
...
$ cat vit.csr | base64 | tr -d "\n"
<base64-encoded CSR output>

I manually copy-pasted the key and put it into the YAML using vi...

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: vit
spec:
  groups:
  - system:authenticated
  request: <base64-encoded CSR>
  usages:
  - client auth

The result is:

$ kubectl apply -f sr.yaml
certificatesigningrequest.certificates.k8s.io/vit created

request is the base64 encoded value of the CSR file content. You can get the content using this command: cat john.csr | base64 | tr -d "\n"

You can also use request: $(cat server.csr | base64 | tr -d '\n') instead of copy-pasting plain text. Just read the info below, please, it's important.

csr generation not working as per doc

A similar problem had been vexing me as well. After some troubleshooting, it was observed that the base64 and tr solution doesn't work well in a MacOS environment. Using the gbase64 utilities from GNU has a '-w ' option that will not line wrap. Once I installed GNU coreutils and used gbase64, the scripts worked as expected. The problem is related to 'tr' and line-wrapping using the original combination. Hope it helps future users who stumble into similar environment-related issues.
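A pre-flight check for the request field discussed above, as an added example that is not part of the original question or answer. The function names (encode_csr, first_illegal_offset, check_request, make_manifest) are hypothetical, and the check assumes a base64 that accepts --decode (GNU coreutils and macOS both do); it confirms only the PEM header, not the ASN.1 contents of the CSR.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from the original post.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below plain ASCII

# encode_csr FILE: base64 of FILE on one line, whether or not the local
# base64 wraps its output (note the escaped \n, which must not be lost).
encode_csr() { base64 < "$1" | tr -d '\r\n'; }

# first_illegal_offset STRING: byte offset of the first character outside
# the base64 alphabet, or -1. Mirrors "illegal base64 data at input byte N".
first_illegal_offset() {
    prefix=${1%%[!A-Za-z0-9+/=]*}
    if [ "${#prefix}" -eq "${#1}" ]; then echo -1; else echo "${#prefix}"; fi
}

# check_request STRING: succeed only for clean, padded, single-line base64
# that decodes to text starting with the PEM CSR header.
check_request() {
    off=$(first_illegal_offset "$1")
    if [ "$off" -ne -1 ]; then
        echo "illegal base64 character at byte $off" >&2; return 1
    fi
    if [ $(( ${#1} % 4 )) -ne 0 ]; then
        echo "length ${#1} is not a multiple of 4 (truncated paste?)" >&2; return 1
    fi
    decoded=$(printf '%s' "$1" | base64 --decode 2>/dev/null) || {
        echo "base64 --decode rejected the data" >&2; return 1; }
    case $decoded in
        "-----BEGIN CERTIFICATE REQUEST-----"*) return 0 ;;
        *) echo "decoded data is not a PEM CSR" >&2; return 1 ;;
    esac
}

# make_manifest NAME FILE: print the manifest only if the request passes.
make_manifest() {
    req=$(encode_csr "$2")
    check_request "$req" || return 1
    cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  groups:
  - system:authenticated
  request: $req
  usages:
  - client auth
EOF
}

# Usage: sh script.sh vit vit.csr | kubectl apply -f -
if [ "$#" -ge 2 ]; then make_manifest "$1" "$2"; fi
```

Generating the manifest this way avoids the copy-paste step, so a wrapped or truncated value is reported locally with its byte offset instead of by the API server.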

