Bug description
I'm following the KES Getting Started guide, and it doesn't work. The KES client doesn't accept the self-signed certificate of the server, and all the "solutions" I've found [1,2] recommend disabling TLS to make KES work. This is very strange: why would I install a KMS and KES only to disable encryption afterwards?
What is the correct way to run kes with a self-signed or "custom" certificate?
How to reproduce (just follow the tutorial):
kes identity new --ip "127.0.0.1" --key "private.key" --cert "public.crt" localhost
kes identity new --key=client.key --cert=client.crt MyApp
cat <<EOF >config.yaml
address: 0.0.0.0:7373 # Listen on all network interfaces on port 7373
admin:
  identity: 02ef5321ca409dbc7b10e7e8ee44d1c3b91e4bf6e2198befdebee6312745267b # The client.crt identity
tls:
  key: private.key # The KES server TLS private key
  cert: public.crt # The KES server TLS certificate
keystore:
  fs:
    path: ./keys
EOF
kes server --config config.yaml
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_CERT=client.crt
export KES_CLIENT_KEY=client.key
kes key create my-key-1
Output of the last command:
Error: failed to create key "my-key-1": Post "https://127.0.0.1:7373/v1/key/create/my-key-1": tls: failed to verify certificate: x509: certificate signed by unknown authority
Expected behavior
The tutorial/documentation must show the correct configuration, including the case with self-signed certificates.
Avoid recommending disabling TLS for anything except debugging.
A KES server is secure-by-default and can only be run with TLS. In this guide, we use self-signed certificates for simplicity.
The following command generates a new TLS private key (private.key) and a self-signed X.509 certificate (public.crt) issued for the IP 127.0.0.1 and DNS name localhost.
You are providing a self-signed certificate for the KES server. Hence, the KES CLI (client) cannot verify whether the certificate presented by the KES server is "authentic".
Either add this certificate to the OS CA certificates or use the -k / --insecure flag for the KES CLI commands.
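The two options in the reply above, shown as an added Go example (not code from kes or from anyone in this thread). An in-process HTTPS server with a self-signed certificate is assumed as a stand-in for `kes server` (the client-certificate authentication KES also requires is left out); one client trusts only the OS roots and reproduces the x509 error from the report, the other trusts the server's own certificate as its sole root, which is what adding it to the CA set achieves and which, unlike -k / --insecure, keeps verification on.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Stand-in for `kes server`: in-process HTTPS with a self-signed certificate (no client-cert auth).
func newSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
}

// caCert == nil: trust only the OS store, as the kes CLI does by default.
// Otherwise trust exactly that certificate, the "add it to the CA set" fix; verification stays on.
func newClient(caCert *x509.Certificate) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caCert != nil {
		pool := x509.NewCertPool()
		pool.AddCert(caCert)
		cfg.RootCAs = pool // only this certificate is trusted; the OS store is not consulted
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// One request; a nil result means the TLS handshake and the request succeeded.
func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// True for the failure quoted in the report: "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv := newSelfSignedServer()
	defer srv.Close()
	fmt.Println("OS roots only:", probe(newClient(nil), srv.URL))
	fmt.Println("server cert trusted:", probe(newClient(srv.Certificate()), srv.URL))
}
```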
I'm following the official documentation, and it doesn't work.
Ideally, the KES CLI must support a custom CA.
Alternatively, you can simply provide instructions to disable TLS (I would not recommend showing bad practice in the documentation, though).
In any case, the documentation should be updated, as it gives the impression that minio/kes is not mature enough.