GKE DNS control plane endpoint failed to verify certificate: x509

I have configured the DNS endpoint for my GKE cluster; the DNS endpoint is visible in the Google console and it works partially.
After enabling the DNS endpoint I generated a new kubeconfig file. But that file had the IP address in the server section.
I changed it and put the DNS endpoint in place of the IP.
When I tried to connect to the cluster with kubectl I got this error:

Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority

After that in Kubeconfig I added 

insecure-skip-tls-verify: true

And I was able to connect to the cluster.


Is this maybe a bug in the GKE DNS endpoint feature, or did I misconfigure something? Any idea?


Hi, @milan-usc.

When you replace the IP address with the DNS endpoint, the server's certificate must have a Subject Alternative Name (SAN) entry for the DNS name you're using. If it doesn't, then you'll get this type of error.

Rather than replacing the IP address with the DNS name, regenerate the kubeconfig using gcloud. Run gcloud container clusters get-credentials <cluster-name> --zone <zone> --project <project>.

Regards,
Mokit

You actually need to get the credentials for the DNS endpoint if you also have the IP endpoint enabled:

gcloud container clusters get-credentials CLUSTER_NAME \
    --dns-endpoint --location LOCATION

This is exactly what worked in the end.

I had an older version of the gcloud CLI, and that version did not have the --dns-endpoint flag.

After updating gcloud I generated a new kubeconfig with --dns-endpoint and everything worked without any need to modify the kubeconfig.

I think I'm experiencing a similar issue, but the solution in this post didn't resolve things.

This is my k8s Terraform provider:

provider "kubernetes" {
  host                   = var.k8s_host
  token                  = var.k8s_token
  cluster_ca_certificate = base64decode(var.k8s_cluster_ca_certificate)
}

Everything works when using the default k8s control plane public endpoint. I disabled that and enabled the GKE DNS endpoint. Now I'm getting

Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority

I deleted my .kube/config file to start fresh and ran the get-credentials command. The config was recreated with no certificate-authority-data.

I'm thinking this DNS endpoint feature is fairly new and things like this will be fixed for us all. Yes, I could probably create a new cluster, but I don't want to at this point.
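To see which of the failure modes in this thread a kubeconfig is hitting (the SAN mismatch Mokit describes, a missing certificate-authority-data as in the last post, or verification switched off with insecure-skip-tls-verify), the following added diagnostic, which is not code from the thread or from Google, does the same TLS handshake kubectl does: trust only the CA from the kubeconfig and require the server's DNS name in the certificate's SANs. It assumes the kubeconfig has already been loaded into a dict (for example with yaml.safe_load); the embedded sample is a constructed stand-in for the hand-edited kubeconfig from the question, with a placeholder hostname.

```python
import base64
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample: a kubeconfig in which the server IP was replaced by hand
# with the DNS endpoint and TLS verification was then switched off. The host
# is a placeholder, not a real endpoint, and there is no CA data (as in the
# last post in the thread).
SAMPLE_KUBECONFIG = {
    "current-context": "gke_example",
    "contexts": [{"name": "gke_example", "context": {"cluster": "gke_example"}}],
    "clusters": [{
        "name": "gke_example",
        "cluster": {
            "server": "https://gke-placeholder-0000.us-central1.gke.goog",
            "insecure-skip-tls-verify": True,
        },
    }],
}


def current_cluster(config):
    """Return (host, port, ca_pem_or_None, skip_verify) for the current context."""
    ctx = config["current-context"]
    cluster_name = next(c["context"]["cluster"] for c in config["contexts"] if c["name"] == ctx)
    cluster = next(c["cluster"] for c in config["clusters"] if c["name"] == cluster_name)
    url = urlparse(cluster["server"])
    ca_b64 = cluster.get("certificate-authority-data")
    ca_pem = base64.b64decode(ca_b64).decode("ascii") if ca_b64 else None
    return url.hostname, url.port or 443, ca_pem, bool(cluster.get("insecure-skip-tls-verify"))


def check_endpoint(host, port, ca_pem):
    """Handshake like kubectl: trust only the kubeconfig CA, verify the hostname.
    Returns (ok, detail): the DNS SANs on success, otherwise the reason."""
    if ca_pem is None:
        return False, "no certificate-authority-data in kubeconfig; regenerate it with gcloud"
    context = ssl.create_default_context(cadata=ca_pem)  # only the cluster CA is trusted
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, sans
    except ssl.SSLCertVerificationError as exc:  # unknown CA or SAN mismatch
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)


if __name__ == "__main__":
    host, port, ca_pem, skip = current_cluster(SAMPLE_KUBECONFIG)
    print("insecure-skip-tls-verify is set: server identity is not checked" if skip else "TLS verification on")
    print(check_endpoint(host, port, ca_pem))
```

Run it against a kubeconfig freshly generated with get-credentials --dns-endpoint and the DNS SAN list should contain the server hostname; a "certificate signed by unknown authority" or hostname-mismatch verify message points at a stale or hand-edited cluster entry.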
