Closed
Description
With OpenShift 4.0, or when using an intermediate CA certificate and no root CA cert with the kubernetes api server, you may get errors like this:
```
2018-12-10 21:21:37 +0000 [error]: fluent/log.rb:362:error: config error file="/etc/fluent/fluent.conf" error_class=Fluent::ConfigError error="Invalid Kubernetes API v1 endpoint https://kubernetes.default.svc: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)"
2018-12-10 21:21:53 +0000 [error]: config error file="/etc/fluent/fluent.conf" error_class=Fluent::ConfigError error="Invalid Kubernetes API v1 endpoint https://kubernetes.default.svc: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)"
```
The problem is that openssl tries to verify the entire cert chain, from the intermediate CAs to the root CA cert. The client must have all of these CA certs in order to verify the kubernetes api server cert. The workaround is to construct your own ca_file consisting of the service CA file (default /var/run/secrets/kubernetes.io/serviceaccount/ca.crt) concatenated with any other intermediate CA cert files and the root CA cert file.
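The failure and the workaround described above, reproduced in Ruby (Fluentd's language) as an added example that is not part of the original issue or the project's code. It builds a constructed root, intermediate and server certificate in memory, then verifies the server certificate first against the intermediate alone and then against the concatenated bundle; all certificate names are made up, and the intermediate stands in for the contents of the service account `ca.crt`.

```ruby
require "openssl"

# Constructed test PKI helper: issues a short-lived cert signed by the given
# issuer, or self-signed when issuer_cert is nil (the root CA case).
def make_cert(cn, issuer_cert, issuer_key, ca:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify `leaf` against the CA certs in a PEM bundle string, as a client
# does with ca_file. Returns [ok, openssl_error_string].
def verify_with_bundle(leaf, bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ok = store.verify(leaf)
  [ok, store.error_string]
end

def demo
  root, root_key = make_cert("constructed-root-ca", nil, nil, ca: true)
  inter, inter_key = make_cert("constructed-intermediate-ca", root, root_key, ca: true)
  leaf, = make_cert("kubernetes.default.svc", inter, inter_key, ca: false)
  service_ca = inter.to_pem          # assumption: ca.crt holds only the intermediate
  bundle = service_ca + root.to_pem  # the concatenated ca_file from the workaround
  { service_ca_only: verify_with_bundle(leaf, service_ca),
    full_bundle: verify_with_bundle(leaf, bundle) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

With only the intermediate trusted, OpenSSL stops at the intermediate's missing issuer and reports the same error string as the Fluentd log; adding the root to the bundle completes the chain.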