tls: failed to find any PEM data in certificate input #11

Closed
zeph opened this issue Dec 11, 2020 · 17 comments · Fixed by #22

@zeph

zeph commented Dec 11, 2020

tls: failed to find any PEM data in certificate input

this is all I get back... my KUBECONFIG is properly set, I
daily work with it switching between several configurations

seems the kubeletctl is not handling this yaml section properly

clusters:
- cluster:
    certificate-authority-data: xyz
zeph added the kind/bug label Dec 11, 2020
@g3rzi
Contributor

g3rzi commented Dec 11, 2020

Hi, thank you for reporting.
I will try to reproduce it and check.

Meanwhile, does it work if you run it with the certificate file as arguments? Like this:

kubeletctl.exe pods -s <node_ip> --cacert /etc/kubernetes/pki/ca.crt --cert /var/lib/kubelet/pki/kubelet-client-current.pem --key /var/lib/kubelet/pki/kubelet-client-current.pem

Are you using a cloud deployment such as AKE, EKS, etc. or something else?
What are the authentication and authorization settings in the kubelet config file (/var/lib/kubelet/config.yaml) inside the target node? I am interested in these fields (an example):

apiVersion: kubelet.config.k8s.io/v1beta1 
authentication: 
  anonymous: 
    enabled: false      
    ... 
authorization: 
    mode: Webhook 

@g3rzi
Contributor

g3rzi commented Feb 15, 2021

@zeph any update?

@hxhBrofessor

getting the same issue

export KUBECONFIG=~/.kube/config

[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2021/02/24 18:30:23 tls: failed to find any PEM data in certificate input

@pavankumar-go

same here

[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2021/10/28 15:13:34 tls: failed to find any PEM data in certificate input

@zeph
Author

zeph commented Nov 10, 2021

> @zeph any update?

I didn't step into this in a long time, sorry... I have nothing to add
(but seems some other folks are stepping into it)

@navzen2000

this tool is unable to read certificate-authority-data from Kubeconfig

kubeletctl
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2022/05/10 03:22:05 tls: failed to find any PEM data in certificate input

@g3rzi
Contributor

g3rzi commented Sep 11, 2022

Hi everyone,

We did a number of tests from two machines and it worked for us.
We noticed that kubeletctl knows how to read PEM fields; the problem is caused by a bad PEM inside the config file.

Do you use the following fields?

  • certificate-authority-data
  • client-certificate-data
  • client-key-data

If yes, these fields should be in base64. It also shouldn't have multiple rows, the base64 should be in one row.

Can you please share with us an example of how it appears in your config file?
No need to share private data, you can blur most of it, we just want to understand.

@g3rzi
Contributor

g3rzi commented Sep 12, 2022

We were able to reproduce it by using wrong data inside the field client-ceritficate-data.
For example:

 client-ceritficate-data: MIIDCjCCAfKg...zraDpdn4jg=

You can get it by running:

 cat /root/.minikube/ca.crt  

Fix it to be a one-liner and add it to client-ceritficate-data, inside the config file.

I explained it to someone else in #8 who experienced a similar issue:
The certificate-authority-data, client-certificate-data and client-key-data should be in base64.

@g3rzi
Contributor

g3rzi commented Sep 12, 2022

Another way with a misconfigured config file:

root@manager1:/home/cyber# ./kubeletctl_linux_amd64 pods
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
2022/09/12 06:23:01 tls: failed to find any PEM data in certificate input
root@manager1:/home/cyber# cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    extensions:
    - extension:
        last-update: Mon, 05 Sep 2022 12:55:19 UTC
        provider: minikube.sigs.k8s.io
        version: v1.26.1
      name: cluster_info
    server: https://192.168.49.2:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Mon, 05 Sep 2022 12:55:19 UTC
        provider: minikube.sigs.k8s.io
        version: v1.26.1
      name: context_info
    namespace: default
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
root@manager1:/home/cyber#

@zeph
Author

zeph commented Sep 12, 2022

sorry @g3rzi ...I can't recall how and if I circumvented this... I had a specific use case in which I had to be sure I had only one configuration in there and not several as I normally do, composing the env variable KUBE_CONFIG ... I'll close it, unless someone else can provide you more info (I guess they can reopen it)

thanks for the effort spent looking into it, I feel guilty I can't provide more info

zeph closed this as completed Sep 12, 2022
@g3rzi
Contributor

g3rzi commented Sep 12, 2022

Thanks, sorry for the delay. I will keep watching for someone having the same issue. From our checks from different computers it seems a wrong config file but maybe we are missing something.

@karthikeayan

Running into same issue, I am on EKS. Structure of ~/.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJTRIMMEDGSUNBVEUtLS0tLQo=
    server: https://TRIMMED.eks.amazonaws.com
  name: arn:aws:eks:TRIMMED:cluster/TRIMMED-cluster
contexts:
- context:
    cluster: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
    user: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
current-context: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - TRIMMED
      - eks
      - get-token
      - --cluster-name
      - TRIMMED-cluster
      command: aws
      env:
      - name: AWS_PROFILE
        value: my-profile

@g3rzi
Contributor

g3rzi commented Oct 19, 2022

@karthikeayan thanks,
I suppose you removed some of the data because of publishing it here, right?

certificate-authority-data: LS0tLS1CRUdJTiBDRVJTRIMMEDGSUNBVEUtLS0tLQo=

If yes, can you make sure it is in one line?

@karthikeayan

@g3rzi you are right. I removed it to reduce noise. Yes, it is one line. I read your comments above and I don't think I have any issues with certificate-authority-data.

@g3rzi
Contributor

g3rzi commented Oct 19, 2022

OK, interesting.
We were able to reproduce it on EKS, we are working on it, thank you.

@g3rzi
Contributor

g3rzi commented Oct 26, 2022

Quick update, the problem is because we are not supporting:

- name: arn:aws:eks: TRIMMED:cluster/TRIMMED-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - TRIMMED
      - eks
      - get-token
      - --cluster-name
      - TRIMMED-cluster
      command: aws

We are working to support the execution of aws to get the token for EKS.
Btw, by using the kubiscan-sa service account it will work:

--cacert ca.crt -s <node_ip> --token eyJhbG... pods
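
Added example, not part of the thread and not kubeletctl's own code: the error string in this issue is the one Go's `tls.X509KeyPair` returns when the certificate bytes contain no PEM block. Assuming the decoded kubeconfig fields are handed to that call, the code below shows that both an absent `client-certificate-data` (a user with only an `exec` section) and a base64 value without PEM armor produce it; `classify`, `keyPairError`, `sampleArmored` and all input values are hypothetical and constructed.

```go
package main

import (
	"crypto/tls"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// classify says how one kubeconfig *-data value looks to a PEM-based TLS loader.
func classify(value string) string {
	switch {
	case strings.TrimSpace(value) == "":
		return "empty" // field absent, e.g. a user that only has an exec section
	case strings.ContainsAny(value, "\r\n"):
		return "multi-line" // the thread asks for the base64 on a single row
	}
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return "not base64"
	}
	if block, _ := pem.Decode(raw); block == nil {
		return "no PEM block" // e.g. a bare certificate body without BEGIN/END lines
	}
	return "ok"
}

// keyPairError decodes both fields and returns the tls.X509KeyPair error text.
func keyPairError(certData, keyData string) string {
	cert, _ := base64.StdEncoding.DecodeString(certData)
	key, _ := base64.StdEncoding.DecodeString(keyData)
	if _, err := tls.X509KeyPair(cert, key); err != nil {
		return err.Error()
	}
	return ""
}

// sampleArmored builds a constructed value: base64 of a PEM block (dummy bytes).
func sampleArmored() string {
	p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed")})
	return base64.StdEncoding.EncodeToString(p)
}

func main() {
	for _, v := range []string{"", "MIIDCjCCAfKg", sampleArmored()} { // constructed inputs
		fmt.Printf("%-14s %q\n", classify(v), keyPairError(v, ""))
	}
}
```

The third input passes the PEM check and therefore fails later with a different error, because the dummy bytes are not a real certificate and no key is supplied.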

2niknatan mentioned this issue Oct 31, 2022
g3rzi closed this as completed in #22 Oct 31, 2022
@g3rzi
Contributor

g3rzi commented Oct 31, 2022

Hi @karthikeayan,

We published a release for version 1.9 which supports EKS, you can check it.
