Cannot join with long hostname #4242

Open
kaimast opened this issue Oct 10, 2023 · 2 comments
Labels
inactive kind/support Question with a workaround

kaimast commented Oct 10, 2023

When running a microk8s join command on a node with a long hostname, I run into the following error:

Contacting cluster at 198.22.255.24
Traceback (most recent call last):
  File "/snap/microk8s/5891/scripts/wrappers/join.py", line 1033, in <module>
    join(prog_name="microk8s join")
  File "/snap/microk8s/5891/usr/lib/python3/dist-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/snap/microk8s/5891/usr/lib/python3/dist-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/snap/microk8s/5891/usr/lib/python3/dist-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/snap/microk8s/5891/usr/lib/python3/dist-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/snap/microk8s/5891/scripts/wrappers/join.py", line 1024, in join
    join_dqlite(connection_parts, verify, worker)
  File "/snap/microk8s/5891/scripts/wrappers/join.py", line 783, in join_dqlite
    join_dqlite_worker_node(info, master_ip, master_port, token)
  File "/snap/microk8s/5891/scripts/wrappers/join.py", line 851, in join_dqlite_worker_node
    update_cert_auth_kubelet(token, info["ca"], master_ip, master_port)
  File "/snap/microk8s/5891/scripts/wrappers/join.py", line 460, in update_cert_auth_kubelet
    cert = get_client_cert(
  File "/snap/microk8s/5891/scripts/wrappers/join.py", line 281, in get_client_cert
    subprocess.check_call(cmd_cert.split(), stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
  File "/snap/microk8s/5891/usr/lib/python3.8/subprocess.py", line 364, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/snap/microk8s/5891/usr/bin/openssl', 'req', '-new', '-sha256', '-key', '/var/snap/microk8s/current/certs/kubelet.key', '-out', '/var/snap/microk8s/current/certs/kubelet.csr', '-subj', '/CN=system:node:node2.cskama-171507.advosuwmadison-pg0.cloudlab.umass.edu/O=system:nodes']' returned non-zero exit status 1.

Running the openssl command manually reveals the problem:

$ sudo /snap/microk8s/5891/usr/bin/openssl req -new -sha256 -key /var/snap/microk8s/current/certs/kubelet.key -out /var/snap/microk8s/current/certs/kubelet.csr -subj /CN=system:node:node2.cskama-171507.advosuwmadison-pg0.cloudlab.umass.edu/O=system:nodes
problems making Certificate Request
140169048745280:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:../crypto/asn1/a_mbstr.c:107:maxsize=64

microk8s should not put the entire hostname into the CN field. They cannot be longer than 64 characters per the ASN1 standard. See for example this answer on StackOverflow.

@neoaggelos
Contributor

Hi @kaimast

Unfortunately, a certificate with CN=system:node:$hostname is a requirement for kubelet, see https://kubernetes.io/docs/setup/best-practices/certificates/#configure-certificates-for-user-accounts

Would it be an option to shorten the hostname of the node (e.g. by removing the domain name)?

@neoaggelos neoaggelos added the kind/support Question with a workaround label Oct 10, 2023
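
The limit discussed in this thread, as an added example (not code from microk8s or from the issue participants): a pre-flight check that parses an openssl `-subj` string and reports any attribute over its 64-character bound before openssl is invoked, so the failure is not hidden behind a discarded stderr. The helper names `parse_subj`, `oversized_rdns` and `node_subject` are hypothetical, and the bound for O is taken from RFC 5280 rather than from the page.

```python
import re

# Upper bounds from RFC 5280 Appendix A (ub-common-name, ub-organization-name).
# OpenSSL enforces them when encoding the subject: the "maxsize=64" in the error.
UPPER_BOUNDS = {"CN": 64, "O": 64}
NODE_CN_PREFIX = "system:node:"  # CN format kubelet requires, per the thread


def parse_subj(subj):
    """Split an openssl -subj string ('/CN=a/O=b') into (type, value) pairs."""
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    pairs = []
    for rdn in re.split(r"(?<!\\)/", subj[1:]):  # '\/' is an escaped slash
        attr, sep, value = rdn.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr, value.replace("\\/", "/")))
    return pairs


def oversized_rdns(subj):
    """Return [(type, length, limit)] for every attribute over its bound."""
    return [(a, len(v), UPPER_BOUNDS[a]) for a, v in parse_subj(subj)
            if a in UPPER_BOUNDS and len(v) > UPPER_BOUNDS[a]]


def node_subject(hostname):
    """Build the kubelet CSR subject, or fail with an actionable message."""
    subj = f"/CN={NODE_CN_PREFIX}{hostname}/O=system:nodes"
    bad = oversized_rdns(subj)
    if bad:
        attr, length, limit = bad[0]
        room = UPPER_BOUNDS["CN"] - len(NODE_CN_PREFIX)
        short = hostname.split(".", 1)[0]  # workaround suggested in the thread
        raise ValueError(
            f"{attr} is {length} characters (limit {limit}); the hostname "
            f"must be at most {room} characters, e.g. {short!r}")
    return subj


if __name__ == "__main__":
    # Hostname copied from the issue's openssl command line.
    host = "node2.cskama-171507.advosuwmadison-pg0.cloudlab.umass.edu"
    for name in (host, host.split(".", 1)[0]):
        try:
            print("ok:", node_subject(name))
        except ValueError as err:
            print("rejected:", err)
```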

stale bot commented Sep 4, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the inactive label Sep 4, 2024