serving-kube-apiserver.crt missing fqdn

[swiedernix]

I did a clean k3s install (k3s version v1.28.4+k3s2 (6ba6c1b), but "kubectl get nodes" fails with TLS verify.

This is correct, because serving-kube-apiserver.crt does not include the FQDN of my host.
this is strange, I did not have that problem on other host installations.

I checked /etc/hosts /etc/resolv.conf hostname hostname -f , everythink looks good to me.
I fail to understand why the FQDN is not added as an alternative name in the serving-kube-apiserver certificate

maybe I missed some K3S environment vars ... any pointers are appreciated

[brandond]

Are you sure that you're not using an old kubeconfig to access the host? Did you perhaps modify the kubeconfig to point at a FQDN, while the node's configured hostname is not a FQDN?

The serving-kube-apiserver.crt file is not used by the exposed apiserver listener; the exposed listener uses a dynamic certificate that is stored in a Kubernetes secret, and is automatically valid for all control-plane node IPs and hostnames.

If for some reason you want to add additional hostnames or IPs that the cert is valid for, you can use the --tls-san option to add your own.

[swiedernix]

thanks brandond, adding --tls-san did the trick and my problem is solved

[rmoreas]

I've the same issue, I think.

For all my other K3s deployments deployed before (pre v1.28) the FQDN of my master nodes where automatically added to the certificate (without using --tls-san), but now with a new v1.28.9+k3s1 single-node deployment the FQDN of the host is missing. Only the short hostname is added.

The error I get when using the FQDN (e.g. kube-node1.my-domain.org to access the API:

Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, kube-node1, not kube-node1.my-domain.org

I've tested fresh install with v1.25.14+k3s1 and then the FQDN is added. Did something change between v1.25.x and v1.28.x?

[brandond]

• Add FilterCN function to prevent SAN Stuffing #8085

[rmoreas]

Is this filter removing FQDN's from the SAN list? Is this by intention, or is it a bug? I would expect that FQDN of the master nodes are included.

It stil works in v1.26.15+k3s1, but in v1.27.14+k3s1 it's "broken".

[brandond]

The node hostnames are included in the cert. If the node's hostname not a FQDN, then it's not included; if you want something that's not the hostname added, you'll need to add it to the SAN list.

The previous behavior of adding anything and everything to the certificate was insecure, as described in the issue linked from that PR.