When attempting to access the Veeam Kasten for Kubernetes dashboard the following error occurs despite using the `cacertconfigmap.name` helm value:
401 - Unauthorized
This issue may also manifest as errors related to x509 in the gateway pod or auth-svc pod logs:
x509: certificate signed by unknown authority
You can download the latest version of the debug tool (k10tools) from the KastenHQ GitHub page.
To debug certificate auth issues use the following command:
Dex: OIDC Provider URL: https://onkar-1.dev.do.kasten.io Release name: k10 Dex well known URL:https://onkar-1.dev.do.kasten.io/k10/dex/.well-known/openid-configuration Trying to connect to Dex without TLS (insecureSkipVerify=false) Connection succeeded - OK
Dex: OIDC Provider URL: https://example.com/k10/dex Release name: k10 Dex well known URL:https://example.com/k10/dex/.well-known/openid-configuration Trying to connect to Dex without TLS (insecureSkipVerify=false) Connection failed, testing other options Trying to connect to Dex with TLS but verification disabled (insecureSkipVerify=true) Connection succeeded Trying to connect to Dex with TLS verification enabled and using a CA certificate Connection failed ({"message":"HTTP Get for Dex's well known endpoint failed","function":"kasten.io/k10/kio/tools/k10primer/k10debugger.(*oidcOperate).testDexConnectivity","linenumber":29,"fields":[{"name":"statusCode","value":null}],"cause":{"Op":"Get","URL":"https://example.com/k10/dex/.well-known/openid-configuration","Err":{"Cert":{"Raw":") - ErrorIn this example, the debugging tool was able to connect to Veeam Kasten for Kubernetes with SSL verification disabled. But when it tried to connect with SSL verification enabled, the verification failed. This indicates that the certificate installed with Veeam Kasten for Kubernetes may not be the right one for accessing the Veeam Kasten for Kubernetes dashboard.
Use the following command to debug the CA certificate:
Example output:
CA Certificate Checker: Fetching configmap which contains CA Certificate information : custom-ca-bundle-store Certificate exists in configmap - OK Found container : aggregatedapis-svc to extract certificate Certificate exists in container at /etc/ssl/certs/custom-ca-bundle.pem Certificates matched successfully - OK
To view the certificate chain involved when accessing the Veeam Kasten for Kubernetes Dashboard, use the following openssl command with the -host option set to the domain name of the dashboard.
Within the output, you may see Root CA and Intermediate CA certificates in the chain. Please copy all of the CA certificates into a file named custom-ca-bundle.pem and review: 'Using Trusted Root Certificate Authority Certificates for TLS'.
Example Command Output
In this output, there are 4 certificates belonging to the following Certificate Authorities:
# openssl s_client -host kasten.io -port 443 -prexit -showcerts CONNECTED(00000005) depth=2 C = US, O = Amazon, CN = Amazon Root CA 1 verify return:1 depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon verify return:1 depth=0 CN = kasten.io verify return:1 --- Certificate chain 0 s:CN = kasten.io i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon -----BEGIN CERTIFICATE----- <cert> -----END CERTIFICATE----- 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon i:C = US, O = Amazon, CN = Amazon Root CA 1 -----BEGIN CERTIFICATE----- <cert> -----END CERTIFICATE----- 2 s:C = US, O = Amazon, CN = Amazon Root CA 1 i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 -----BEGIN CERTIFICATE----- <cert> -----END CERTIFICATE----- 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority -----BEGIN CERTIFICATE----- <cert> -----END CERTIFICATE----- --- Server certificate subject=CN = kasten.io issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 5369 bytes and written 375 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok)
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case