go 1.15 cert failed: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with #4945

Closed
wenerme opened this issue Sep 5, 2020 · 7 comments


wenerme commented Sep 5, 2020

Bug Report

What is the issue?

golang/go#39568

API fail

E0905 23:15:57.982034   12600 controller.go:114] loading OpenAPI spec for "v1alpha1.tap.linkerd.io" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: Error trying to reach service: 'x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0', Header: map[Content-Type:[text/plain; charset=utf-8] X-Content-Type-Options:[nosniff]]

Proxy injector failed

k api-resources

failed with

error: unable to retrieve the complete list of server APIs: tap.linkerd.io/v1alpha1: the server is currently unable to handle the request

linkerd -n linkerd tap deploy/linkerd-web

failed with

Error: HTTP error, status Code [503] (unexpected API response: Error trying to reach service: 'x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0')

How can it be reproduced?

use k3s or k8s compiled with go 1.15

Logs, error output, etc

above

linkerd check output

kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ controller pod is running
√ can initialize the client
√ can query the control plane API

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ control plane PodSecurityPolicies exist

linkerd-identity
----------------
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
‼ issuer cert is valid for at least 60 days
    issuer certificate will expire on 2020-09-06T13:20:35Z
    see https://linkerd.io/checks/#l5d-identity-issuer-cert-not-expiring-soon for hints
√ issuer cert is issued by the trust anchor

linkerd-api
-----------
√ control plane pods are ready
√ control plane self-check
√ [kubernetes] control plane can talk to Kubernetes
√ [prometheus] control plane can talk to Prometheus
√ tap api service is running

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

control-plane-version
---------------------
√ control plane is up-to-date
√ control plane and cli versions match

linkerd-addons
--------------
√ 'linkerd-config-addons' config map exists

linkerd-grafana
---------------
√ grafana add-on service account exists
√ grafana add-on config map exists
√ grafana pod is running

Status check results are √

Environment

  • Kubernetes Version:
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-21T14:51:23Z", GoVersion:"go1.14.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.8-k3s1", GitCommit:"b86d0e4a07fd882c2f9718f4e82b06dfd4b55195", GitTreeState:"clean", BuildDate:"2020-08-13T18:53:34Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
  • Cluster Environment: k3s
  • Host OS: alpine
  • Linkerd version: 2.8.1

Possible solution

update cert guide

Additional context

@Pothulapati
Contributor

@wenerme Okay. Just to confirm, this error occurred because the docs mentioned generating certs without the alternate DNS name fields, which were used with k3s that was compiled with go 1.15 (not meaning the official k3s switched over to 1.15). Does that sound correct?

@wenerme
Author

wenerme commented Sep 8, 2020

@Pothulapati yes, but I use the alpine edge branch k3s, which is compiled with go 1.15.

@Pothulapati
Contributor

@wenerme My expectation with K8s is that this go 1.15 change will not be propagated into the k8s 1.17, 1.18 changes as it's a breaking change, but will be from 1.19 (I could be wrong here), and I was expecting the same with k3s.

However, I will raise a PR to update the docs to make generation of certs have the alternate dns name field.
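The failure mode discussed in this thread, as an added example that is neither Linkerd's code nor the issue author's: two self-signed serving certificates for a constructed hostname, one carrying the name only in Subject.CommonName (the legacy pattern Go 1.15 stopped honouring by default) and one that also lists it as a DNS SAN, are run through Go's own crypto/x509 hostname check. A small pre-flight check (hasSAN) shows what a cert-generation guide or a linkerd check style validation can test for before a certificate reaches a Go 1.15 API server. The hostname linkerd-tap.linkerd.svc is a constructed placeholder, not a value from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// svcHost is a constructed placeholder for the DNS name the API server
// would dial when reaching an aggregated API service.
const svcHost = "linkerd-tap.linkerd.svc"

// selfSigned builds a short-lived self-signed serving certificate for host.
// With withSAN=false the hostname lives only in the Common Name, which is
// exactly the certificate shape Go 1.15 clients reject; with withSAN=true
// the same name is also placed in the dNSName Subject Alternative Name.
func selfSigned(host string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasSAN reports whether the certificate carries any Subject Alternative
// Name. A serving certificate without one is unusable for Go >= 1.15 clients
// no matter what its Common Name says, so this is the property a cert
// generation guide or health check should assert on.
func hasSAN(cert *x509.Certificate) bool {
	return len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 ||
		len(cert.EmailAddresses) > 0 || len(cert.URIs) > 0
}

// hostnameOK runs the hostname matching step that Go's TLS stack performs
// during the handshake; a non-nil error is what surfaces as the 503 above.
func hostnameOK(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

func main() {
	for _, withSAN := range []bool{false, true} {
		cert, err := selfSigned(svcHost, withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN present: %-5v  VerifyHostname(%q): %v\n",
			hasSAN(cert), svcHost, hostnameOK(cert, svcHost))
	}
}
```

On Go 1.15 and 1.16 the CN-only certificate fails with the "relies on legacy Common Name field" error quoted in the issue and GODEBUG=x509ignoreCN=0 temporarily restores the old behaviour; Go 1.17 removed that escape hatch, so adding the SAN, as the docs update proposes, is the only durable fix. Checking hasSAN at generation time catches the problem before the API server does.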

@wenerme
Author

wenerme commented Sep 8, 2020

@Pothulapati Thanks. 1.19 will be released soon, and using k3s I can get 1.19 very quickly.

@Pothulapati
Contributor

@wenerme I tried replicating this issue on the latest edge with Kubernetes 1.19 but I could not replicate it, as the certs generated during Helm installation do not reach the Kubernetes server and are used only in Linkerd components, which are not on go 1.15 yet and hence work fine. (Once we move Linkerd to go 1.15, we will have to update the docs, as the Linkerd components would fail then because there are no fields.)

You seem to have run into this error because you are using the stable version of Linkerd which did not get the fix. Try using the latest edge and I don't think this error will occur.

@wenerme
Author

wenerme commented Sep 9, 2020

I'll try next stable as soon as released.

@Pothulapati
Contributor

@wenerme Closing this issue, but feel free to re-open it if you run into the same!
