Get https://host:5043/v2/: x509: certificate has expired or is not yet valid #279

Closed
sayyes566 opened this issue Aug 7, 2018 · 6 comments

Comments

@sayyes566

sayyes566 commented Aug 7, 2018

Usually, on my private server, I set

config insecure-registries in /etc/docker/daemon.json

and

cp auth/domain.crt /usr/share/ca-certificates/mozilla/
then

systemctl restart docker

Then docker push/pull will work.

But I used credHelpers in configmap and --insecure-skip-tls-verify in the kaniko.yaml as args.
It did not work.

Did someone resolve this question?

My pod logs

time="2018-08-07T10:28:09Z" level=info msg="Unpacking filesystem of scratch..."
time="2018-08-07T10:28:09Z" level=info msg="No base image, nothing to extract"
time="2018-08-07T10:28:09Z" level=info msg="Mounted directories: [/kaniko /var/run /proc /dev /dev/pts /sys /sys/fs/cgroup /sys/fs/cgroup/systemd /sys/fs/cgroup/perf_event /sys/fs/cgroup/net_cls,net_prio /sys/fs/cgroup/hugetlb /sys/fs/cgroup/devices /sys/fs/cgroup/cpu,cpuacct /sys/fs/cgroup/blkio /sys/fs/cgroup/memory /sys/fs/cgroup/pids /sys/fs/cgroup/cpuset /sys/fs/cgroup/freezer /dev/mqueue /tmp /secret /root/.docker /dev/termination-log /etc/resolv.conf /etc/hostname /etc/hosts /dev/shm /var/run/secrets/kubernetes.io/serviceaccount /proc/bus /proc/fs /proc/irq /proc/sys /proc/sysrq-trigger /proc/kcore /proc/timer_list /proc/timer_stats /proc/sched_debug /sys/firmware]"
time="2018-08-07T10:28:09Z" level=info msg="Taking snapshot of full filesystem..."
time="2018-08-07T10:28:13Z" level=info msg="cmd: copy [hello]"
time="2018-08-07T10:28:13Z" level=info msg="dest: /"
time="2018-08-07T10:28:13Z" level=info msg="Copying file /tmp/context/hello to /hello"
time="2018-08-07T10:28:13Z" level=info msg="Taking snapshot of files [/hello]..."
time="2018-08-07T10:28:13Z" level=info msg="cmd: CMD"
time="2018-08-07T10:28:13Z" level=info msg="Replacing CMD in config with [/hello]"
time="2018-08-07T10:28:13Z" level=info msg="No files changed in this command, skipping snapshotting."
time="2018-08-07T10:28:13Z" level=info msg="No files were changed, appending empty layer to config."
time="2018-08-07T10:28:13Z" level=error msg="Get https://host:5043/v2/: x509: certificate has expired or is not yet valid"

My pod yaml

apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  serviceAccountName: default
  hostAliases:
  - ip: "10.10.1.100"
    hostnames:
    - "host"
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args: [ "--dockerfile=/tmp/Dockerfile",
            "--context=/tmp/context/",
            "--insecure-skip-tls-verify",
            "--destination=host:5043/hello:v1", "-vinfo"]
    volumeMounts:
    - name: contxt
      mountPath: /tmp
    - name: credhelpers
      mountPath: /root/.docker
  restartPolicy: Always
  imagePullSecrets:
  - name: regcred
  volumes:
  - name: contxt
    hostPath:
      path: /home/ccma/kaniko/depoly/
      type: Directory
  - name: credhelpers
    configMap:
      name: dockerconfig

My ConfigMap

apiVersion: v1
data:
  config.json: |
    {
      "auths": {
        "host:5043": {
          "auth": "dGVzd........3b3Jk"
        }
      }
    }
kind: ConfigMap

@priyawadhwa
Collaborator

Hey @sayyes566, so unfortunately the --insecure-skip-tls-verify flag needs to be implemented again (after we merged #140 we started using a different library to get our images which didn't support it at the time).

There's an issue open for it (#168) and a PR as well (#169) which you can follow for updates.

@sayyes566
Author

sayyes566 commented Aug 8, 2018

Thanks for your reply.
I used this comment's method, but it returned Get https://host:5043/v2/: x509: failed to load system roots and no roots provided.

I found the error issue was closed.
And I tried to put certs in /etc/ssl/certs, but still got this error.

Someone used this to resolve it, but it did not work in kaniko.

Someone used this to resolve it,
but I don't know how to install ca-certificates in busybox.

--

volumeMounts:
....
- name: ca-certificates
  mountPath: /kaniko/ssl/certs
- name: ca-certificates-root
  mountPath: /etc/ssl/certs
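
Added example (not part of this thread and not kaniko's code): both x509 messages quoted so far come from Go's crypto/x509, which checks a certificate's NotBefore/NotAfter window before it looks for a trusted root, so mounting CA files cannot clear "certificate has expired or is not yet valid". The helpers newSelfSigned and classify and the test certificate are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned (hypothetical helper) returns a constructed self-signed cert for the DNS name "host".
func newSelfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"host"},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify (hypothetical helper) verifies cert at time `at` against roots and names the failure class.
func classify(cert *x509.Certificate, roots *x509.CertPool, at time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: "host", Roots: roots, CurrentTime: at})
	var inv x509.CertificateInvalidError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &inv) && inv.Reason == x509.Expired:
		return "validity-window" // "certificate has expired or is not yet valid"
	case errors.As(err, &ua):
		return "untrusted-root" // "certificate signed by unknown authority"
	}
	return "other: " + err.Error()
}

func main() {
	now := time.Now()
	if cert, err := newSelfSigned(now.Add(-time.Hour), now.Add(time.Hour)); err == nil {
		fmt.Println(classify(cert, x509.NewCertPool(), now.Add(48*time.Hour)))
	}
}
```

Running it prints validity-window: the certificate is checked 48 hours after issue against an empty root pool, so it is both expired and untrusted, and the expiry is what gets reported.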

@priyawadhwa
Collaborator

I just merged #169, could you try it again and see if you get the same error?

@sayyes566
Author

Yes, this error is fixed.
Events:
Type Reason Age From Message


Normal Scheduled 3m default-scheduler Successfully assigned kaniko to kube-node-1
.......

But 5 issues happened:

  1. logs: No base image, nothing to extract
    time="2018-08-16T03:31:05Z" level=info msg="appending to multi args docker-registry:5043/hello:v1"
    time="2018-08-16T03:31:06Z" level=info msg="No base image, nothing to extract"
    ...
    time="2018-08-16T03:31:58Z" level=info msg="Taking snapshot of full filesystem..."
    time="2018-08-16T03:32:02Z" level=info msg="cmd: copy [hello]"
    time="2018-08-16T03:32:02Z" level=info msg="dest: /"
    time="2018-08-16T03:32:02Z" level=info msg="Copying file /tmp/context/hello to /hello"
    time="2018-08-16T03:32:02Z" level=info msg="Taking snapshot of files [/hello]..."
    time="2018-08-16T03:32:02Z" level=info msg="cmd: CMD"
    time="2018-08-16T03:32:02Z" level=info msg="Replacing CMD in config with [/hello]"
    time="2018-08-16T03:32:02Z" level=info msg="Taking snapshot of full filesystem..."
    time="2018-08-16T03:32:05Z" level=info msg="No files were changed, appending empty layer to config."
    --
    My Dockerfile:
    FROM scratch
    COPY hello /
    CMD ["/hello"]

  2. logs: No matching credentials were found, falling back on anonymous
    time="2018-08-16T03:34:28Z" level=info msg="appending to multi args docker-registry:5043/hello:v1"
    time="2018-08-16T03:34:28Z" level=info msg="Downloading base image python:alpine3.8"
    2018/08/16 03:34:28 No matching credentials were found, falling back on anonymous

  3. debug: dial tcp: i/o timeout

  4. debug: No matching credentials found for index.docker.io, falling back on anonymous

  5. debug: Unpacking filesystem
    2018/08/16 03:03:19 No matching credentials found for index.docker.io, falling back on anonymous
    time="2018-08-16T03:03:49Z" level=error msg="Get https://index.docker.io/v2/: dial tcp: i/o timeout"
    time="2018-08-16T02:59:49Z" level=info msg="Unpacking filesystem of ubuntu:latest..."
    2018/08/16 02:59:49 No matching credentials found for index.docker.io, falling back on anonymous
    time="2018-08-16T02:54:10Z" level=error msg="Get https://docker-registry:5043/v2/: dial tcp: i/o timeout"

@priyawadhwa
Collaborator

In response to the logs you pointed out:

  1. This log message is pointing out that there is no file system to extract since you're using an empty image (FROM scratch).

  2. "No matching credentials were found, falling back on anonymous": kaniko can't find any credentials for a private repo so it falls back on using general credentials, which should be alright since it's pulling a public image (python:alpine3.8). Nevertheless, this might be happening because of an error in our documentation pointed out in "401 when pushing image to ECR - docker config location" #290, which might fix this issue.

Are you running kaniko exclusively in Kubernetes?

@bobcatfish
Contributor

Please follow up if you run into any more problems @sayyes566
