helm: x509: certificate signed by unknown authority

Helge Talvik Söderström · Jan 5, 2018 · Viewed 17.1k times

I'm using Kubernetes and I recently updated my admin certs used in the kubeconfig. However, after I did that, all the helm commands fail thus:

Error: Get https://cluster.mysite.com/api/v1/namespaces/kube-system/pods?labelSelector=app%3Dhelm%2Cname%3Dtiller: x509: certificate signed by unknown authority

kubectl works as expected:

$ kubectl get nodes
NAME                                           STATUS    ROLES     AGE       VERSION
ip-10-1-0-34.eu-central-1.compute.internal     Ready     master    42d       v1.7.10+coreos.0
ip-10-1-1-51.eu-central-1.compute.internal     Ready     master    42d       v1.7.10+coreos.0
ip-10-1-10-120.eu-central-1.compute.internal   Ready     <none>    42d       v1.7.10+coreos.0
ip-10-1-10-135.eu-central-1.compute.internal   Ready     <none>    27d       v1.7.10+coreos.0
ip-10-1-11-71.eu-central-1.compute.internal    Ready     <none>    42d       v1.7.10+coreos.0
ip-10-1-12-199.eu-central-1.compute.internal   Ready     <none>    8d        v1.7.10+coreos.0
ip-10-1-2-110.eu-central-1.compute.internal    Ready     master    42d       v1.7.10+coreos.0

As far as I've been able to read, helm is supposed to use the same certificates as kubectl, which makes me curious as to how kubectl works, but helm doesn't?

This is a production cluster with internal releases handled through helm charts, so it being solved is imperative.

Any hints would be greatly appreciated.

Answer

Sebastian · Jan 6, 2018

As a workaround you can try to disable certificate verification. Helm uses the kube config file (by default ~/.kube/config). You can add insecure-skip-tls-verify: true for the cluster section:

clusters:
- cluster:
    server: https://cluster.mysite.com
    insecure-skip-tls-verify: true
  name: default

Did you already try to reinstall helm/tiller?

kubectl delete deployment tiller-deploy --namespace kube-system
helm init

Also check if you have configured an invalid certificate in the cluster configuration.
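
A check to run once the certificate problem is fixed, as an added example that is not part of the answer above: it reads the JSON form of a kubeconfig (as produced by `kubectl config view --raw -o json`) and reports clusters that still have `insecure-skip-tls-verify: true` or have no CA configured. The function names and the sample kubeconfig are constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed sample in the shape of `kubectl config view --raw -o json`.
# The CA value is placeholder bytes, not a real certificate.
SAMPLE_KUBECONFIG = json.dumps({
    "clusters": [
        {"name": "default",
         "cluster": {"server": "https://cluster.mysite.com",
                     "insecure-skip-tls-verify": True}},
        {"name": "pinned",
         "cluster": {"server": "https://cluster.mysite.com",
                     "certificate-authority-data":
                         base64.b64encode(b"constructed-ca-bytes").decode()}},
        {"name": "no-ca",
         "cluster": {"server": "https://cluster.mysite.com"}},
    ]
})


def audit_clusters(kubeconfig_json):
    """Return {cluster name: [findings]} for each cluster's TLS settings."""
    report = {}
    for entry in json.loads(kubeconfig_json).get("clusters") or []:
        cluster = entry.get("cluster") or {}
        findings = []
        has_ca = bool(cluster.get("certificate-authority")
                      or cluster.get("certificate-authority-data"))
        if cluster.get("insecure-skip-tls-verify"):
            # The server certificate is not checked at all.
            findings.append("tls-verification-disabled")
        elif not has_ca:
            # The client falls back to the system trust store, where a
            # private cluster CA shows up as "unknown authority".
            findings.append("no-ca-configured")
        report[entry.get("name", "<unnamed>")] = findings
    return report


def ca_fingerprint(ca_data_b64):
    """SHA-256 of the stored CA bundle, to compare kubeconfigs after a rotation."""
    return hashlib.sha256(base64.b64decode(ca_data_b64)).hexdigest()


if __name__ == "__main__":
    for name, findings in audit_clusters(SAMPLE_KUBECONFIG).items():
        print(name, findings or "ok")
```

Comparing `ca_fingerprint` across the kubeconfig files in use shows whether they carry the same CA bundle.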