K3S - Installation issue

[kumarbka]

Hi,

I am running the installation like below in CentOS Linux (CentOS Linux release 7.8.2003 (Core)).

curl -sfL https://get.k3s.io | sh -

But it got failed with the following error message.

failure: repodata/repomd.xml from rancher-k3s-common-stable: [Errno 256] No more mirrors to try.
https://rpm.rancher.io/k3s/stable/common/centos/7/noarch/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: certificate has expired"

Could you help with this issue?

[brandond]

Looks OK to me. It is a LetsEncrypt cert so it is automatically renewed on a regular basis. Are you sure that the time is set correctly on your node?

brandond@dev01:~$ echo QUIT | openssl s_client -connect rpm.rancher.io:443 | openssl x509 -noout -text | head -n 11
depth=3 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E1
verify return:1
depth=0 CN = rancher.io
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:ed:a8:10:29:42:08:58:a6:f0:a7:83:e7:98:b6:22:a6:f7
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E1
        Validity
            Not Before: May  6 04:59:43 2023 GMT
            Not After : Aug  4 04:59:42 2023 GMT
        Subject: CN = rancher.io

[kumarbka]

Looks OK to me. It is a LetsEncrypt cert so it is automatically renewed on a regular basis. Are you sure that the time is set correctly on your node?

brandond@dev01:~$ echo QUIT | openssl s_client -connect rpm.rancher.io:443 | openssl x509 -noout -text | head -n 11
depth=3 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E1
verify return:1
depth=0 CN = rancher.io
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:ed:a8:10:29:42:08:58:a6:f0:a7:83:e7:98:b6:22:a6:f7
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E1
        Validity
            Not Before: May  6 04:59:43 2023 GMT
            Not After : Aug  4 04:59:42 2023 GMT
        Subject: CN = rancher.io

Kindly let me know which OS Version and OpenSSL version you had tested and got this output?

[kumarbka]

[root@myserver~]# echo QUIT | openssl s_client -connect rpm.rancher.io:443 | openssl x509 -noout -text | head -n 11
140520581330832:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
unable to load certificate
140275695851408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
[root@myserver~]# date
Fri May 19 02:17:50 GMT 2023

getting output like the above.

FYI: System has the following OpenSSL version: openssl-1.0.2k-22.el7_9.x86_64

May I know here which certificateit's trying to load?

[kumarbka]

I have upgraded the OpenSSL, but still unable to install k3s, getting the same error during the yum installation.

[root@ myserver ~]# echo QUIT | openssl s_client -connect rpm.rancher.io:443 | openssl x509 -noout -text | head -n 11
depth=3 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E1
verify return:1
depth=0 CN = rancher.io
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:ed:a8:10:29:42:08:58:a6:f0:a7:83:e7:98:b6:22:a6:f7
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E1
        Validity
            Not Before: May  6 04:59:43 2023 GMT
            Not After : Aug  4 04:59:42 2023 GMT
        Subject: CN = rancher.io
[root@ myserver ~]# openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)

Error:

failure: repodata/repomd.xml from rancher-k3s-common-stable: [Errno 256] No more mirrors to try.
https://rpm.rancher.io/k3s/stable/common/centos/7/noarch/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: certificate has expired"

[brandond]

Have you tried updating the ca-certificates package on your host? I can confirm that neither the leaf cert, nor any of the certs in the CA chain, are currently expired. It sounds like the CA bundle on your host is very out of date.

[kumarbka]

yes, I am able to setup the K3S after installing ca-certificates-2021.2.50-72.el7_9.noarch.rpm.

http://mirror.centos.org/centos/7/updates/x86_64/Packages/ca-certificates-2021.2.50-72.el7_9.noarch.rpm

thanks for your help.