SslError when running Krustlet on macOS 12.1 M1 #716

rgreinho opened this issue Feb 22, 2022 · 12 comments
Labels
question Further information is requested

Comments

@rgreinho

Following the bootstrapping section of the documentation, I am facing an issue when running Krustlet on macOS 12.1 with an M1 chip:

$ KUBECONFIG=~/.krustlet/config/kubeconfig ./krustlet-wasi --port 3000 --bootstrap-file=${HOME}/.krustlet/config/bootstrap.conf
Error: SslError: MAC verification failed during PKCS12 import (wrong password?)

The Krustlet was built from the main branch, commit 35a84d5.

@VishnuJin
Contributor

@rgreinho just wondering, have you given it another try by deleting the config file?

@bacongobbler bacongobbler added the question Further information is requested label Apr 4, 2022
@bacongobbler
Collaborator

bacongobbler commented Apr 4, 2022

ping. Any updates?

@bacongobbler
Collaborator

I'm going to close this ticket due to inactivity, but please re-open if this still needs to be addressed. Thanks!

@rgreinho
Author

rgreinho commented Jun 8, 2022

Sorry about the delay, but I had to step away from WASM and therefore Krustlet, for a while.

Here are the steps I followed, in addition to having attempted to run the steps from the various guides. I tried with minikube and kind. I end up being blocked by the same problem in all cases.

Delete cluster and configuration

~
╰❯ kind delete cluster
Deleting cluster "kind" ...

╭ ~
╰❯ rm -fr ~/.kube/ ~/.krustlet/

Recreate a cluster with kind

~ ⌛ 2s
╰❯ kind create cluster
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.24.0) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Have a nice day! 👋

Run steps from the source code

╭ krustlet on  main via 🦀 v1.60.0
╰❯ just build
cargo build
    Finished dev [unoptimized + debuginfo] target(s) in 0.47s

╭ krustlet on  main via 🦀 v1.60.0
╰❯ just
secret/bootstrap-token-xbkaja created
Switched to context "kind-kind".
Context "kind-kind" renamed to "tls-bootstrap-token-user@kubernetes".
User "tls-bootstrap-token-user" set.
Context "tls-bootstrap-token-user@kubernetes" modified.
Context "tls-bootstrap-token-user@kubernetes" modified.
KUBECONFIG=$(eval echo $CONFIG_DIR)/kubeconfig-wasi cargo run --bin krustlet-wasi  -- --node-name krustlet-wasi --port 3001 --bootstrap-file $(eval echo $CONFIG_DIR)/bootstrap.conf --cert-file $(eval echo $CONFIG_DIR)/krustlet-wasi.crt --private-key-file $(eval echo $CONFIG_DIR)/krustlet-wasi.key
    Finished dev [unoptimized + debuginfo] target(s) in 0.28s
     Running `target/debug/krustlet-wasi --node-name krustlet-wasi --port 3001 --bootstrap-file /Users/rgreinhofer/.krustlet/config/bootstrap.conf --cert-file /Users/rgreinhofer/.krustlet/config/krustlet-wasi.crt --private-key-file /Users/rgreinhofer/.krustlet/config/krustlet-wasi.key`
Jun 08 14:12:56.033 DEBUG kubelet::bootstrapping: Starting bootstrap config.node_name=krustlet-wasi
Jun 08 14:12:56.035 DEBUG bootstrap_auth: kubelet::bootstrapping: No existing kubeconfig found, loading bootstrap config bootstrap_file=/Users/rgreinhofer/.krustlet/config/bootstrap.conf
Jun 08 14:12:56.116  INFO bootstrap_auth: kubelet::bootstrapping: Got modified event, but CSR for authentication certs is not currently approved elapsed=4.881875ms
Jun 08 14:12:56.136  INFO bootstrap_auth: kubelet::bootstrapping: Got modified event, but CSR for authentication certs is not currently approved elapsed=24.21675ms
Jun 08 14:12:56.143 DEBUG bootstrap_auth: kubelet::bootstrapping: Certificate has been approved, generating kubeconfig
Jun 08 14:12:56.144 DEBUG bootstrap_auth: kubelet::bootstrapping: Writing generated kubeconfig to file path=/Users/rgreinhofer/.krustlet/config/kubeconfig-wasi
Jun 08 14:12:56.148 DEBUG bootstrap_tls: kubelet::bootstrapping: Starting bootstrap of TLS serving certs
Error: SslError: MAC verification failed during PKCS12 import (wrong password?)
error: Recipe `run` failed on line 46 with exit code 1

@rgreinho
Author

rgreinho commented Jun 8, 2022

@bacongobbler if you could reopen this ticket, that would be great. Thank you.

@bacongobbler bacongobbler reopened this Jun 8, 2022
@VishnuJin
Contributor

VishnuJin commented Jun 9, 2022

Hey mate, I vaguely remember having a similar issue, and it was related to OpenSSL.

Did you give this answer a try?
https://stackoverflow.com/questions/70431528/mac-verification-failed-during-pkcs12-import-wrong-password-azure-devops

Especially this part

export PATH="/opt/homebrew/opt/openssl@1.1/bin:$PATH"

P.S - I don't have my Mac in hand now to check if my .zshrc has this path

Edit: No, this path is not in my .zshrc
But the openssl version shows LibreSSL 2.8.3

@rgreinho
Author

rgreinho commented Jun 9, 2022

Ah, good pointers! So here is what I tried:

╭ krustlet on  main via 🦀 v1.60.0
╰❯ openssl version
OpenSSL 3.0.3 3 May 2022 (Library: OpenSSL 3.0.3 3 May 2022)

╭ krustlet on  main via 🦀 v1.60.0
╰❯ export PATH="/opt/homebrew/opt/openssl@1.1/bin:$PATH"

╭ krustlet on  main via 🦀 v1.60.0
╰❯ openssl version
OpenSSL 1.1.1o  3 May 2022

╭ krustlet on  main via 🦀 v1.60.0
╰❯ just
KUBECONFIG=$(eval echo $CONFIG_DIR)/kubeconfig-wasi cargo run --bin krustlet-wasi  -- --node-name krustlet-wasi --port 3001 --bootstrap-file $(eval echo $CONFIG_DIR)/bootstrap.conf --cert-file $(eval echo $CONFIG_DIR)/krustlet-wasi.crt --private-key-file $(eval echo $CONFIG_DIR)/krustlet-wasi.key
    Finished dev [unoptimized + debuginfo] target(s) in 0.46s
     Running `target/debug/krustlet-wasi --node-name krustlet-wasi --port 3001 --bootstrap-file /Users/rgreinhofer/.krustlet/config/bootstrap.conf --cert-file /Users/rgreinhofer/.krustlet/config/krustlet-wasi.crt --private-key-file /Users/rgreinhofer/.krustlet/config/krustlet-wasi.key`
Jun 09 07:51:26.745 DEBUG kubelet::bootstrapping: Starting bootstrap config.node_name=krustlet-wasi
Jun 09 07:51:26.746 DEBUG bootstrap_auth: kubelet::bootstrapping: Found existing kubeconfig, loading...
Jun 09 07:51:26.762 DEBUG bootstrap_tls: kubelet::bootstrapping: Starting bootstrap of TLS serving certs
Error: SslError: MAC verification failed during PKCS12 import (wrong password?)
error: Recipe `run` failed on line 46 with exit code 1

So I am not sure whether it is an openssl issue or not. But in both cases, my version of openssl is different from the one you mentioned.

@bacongobbler
Collaborator

@rgreinho
Author

rgreinho commented Jun 9, 2022

Good idea!

╭ krustlet on  main via 🦀 v1.60.0 ⌛ 2s
╰❯ just build --no-default-features --features rustls-tls
cargo build --no-default-features --features rustls-tls
  Downloaded rustls-native-certs v0.5.0
  Downloaded rustls-pemfile v0.2.1
  Downloaded hyper-rustls v0.22.1
  Downloaded ct-logs v0.8.0
  Downloaded 4 crates (79.2 KB) in 0.60s
   Compiling rustls-pemfile v0.2.1
   Compiling rustls v0.19.1
   Compiling ct-logs v0.8.0
   Compiling webpki-roots v0.21.1
   Compiling kubelet v1.0.0-alpha.1 (/Users/rgreinhofer/projects/krustlet/krustlet/crates/kubelet)
   Compiling krustlet v1.0.0-alpha.1 (/Users/rgreinhofer/projects/krustlet/krustlet)
   Compiling tokio-rustls v0.22.0
   Compiling rustls-native-certs v0.5.0
   Compiling hyper-rustls v0.22.1
   Compiling tonic v0.5.2
   Compiling warp v0.3.2
   Compiling kube v0.60.0
   Compiling reqwest v0.11.6
   Compiling oci-distribution v0.8.0
   Compiling wasi-experimental-http-wasmtime v0.6.0
   Compiling k8s-csi v0.4.0
   Compiling kube-runtime v0.60.0
   Compiling krator v0.5.0
   Compiling wasi-provider v1.0.0-alpha.1 (/Users/rgreinhofer/projects/krustlet/krustlet/crates/wasi-provider)
    Finished dev [unoptimized + debuginfo] target(s) in 31.31s

╭ krustlet on  main via 🦀 v1.60.0 ⌛ 31s
╰❯ rm -fr ~/.kube/ ~/.krustlet/

╭ krustlet on  main via 🦀 v1.60.0
╰❯ kind delete cluster
Deleting cluster "kind" ...

╭ krustlet on  main via 🦀 v1.60.0
╰❯ kind create cluster
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.24.0) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Thanks for using kind! 😊

╭ krustlet on  main via 🦀 v1.60.0 ⌛ 15s
╰❯ just
secret/bootstrap-token-x17dr6 created
Switched to context "kind-kind".
Context "kind-kind" renamed to "tls-bootstrap-token-user@kubernetes".
User "tls-bootstrap-token-user" set.
Context "tls-bootstrap-token-user@kubernetes" modified.
Context "tls-bootstrap-token-user@kubernetes" modified.
KUBECONFIG=$(eval echo $CONFIG_DIR)/kubeconfig-wasi cargo run --bin krustlet-wasi  -- --node-name krustlet-wasi --port 3001 --bootstrap-file $(eval echo $CONFIG_DIR)/bootstrap.conf --cert-file $(eval echo $CONFIG_DIR)/krustlet-wasi.crt --private-key-file $(eval echo $CONFIG_DIR)/krustlet-wasi.key
    Finished dev [unoptimized + debuginfo] target(s) in 0.33s
     Running `target/debug/krustlet-wasi --node-name krustlet-wasi --port 3001 --bootstrap-file /Users/rgreinhofer/.krustlet/config/bootstrap.conf --cert-file /Users/rgreinhofer/.krustlet/config/krustlet-wasi.crt --private-key-file /Users/rgreinhofer/.krustlet/config/krustlet-wasi.key`
Jun 09 08:26:14.009 DEBUG kubelet::bootstrapping: Starting bootstrap config.node_name=krustlet-wasi
Jun 09 08:26:14.011 DEBUG bootstrap_auth: kubelet::bootstrapping: No existing kubeconfig found, loading bootstrap config bootstrap_file=/Users/rgreinhofer/.krustlet/config/bootstrap.conf
Jun 09 08:26:14.120  INFO bootstrap_auth: kubelet::bootstrapping: Got modified event, but CSR for authentication certs is not currently approved elapsed=4.359541ms
Jun 09 08:26:14.130  INFO bootstrap_auth: kubelet::bootstrapping: Got modified event, but CSR for authentication certs is not currently approved elapsed=14.354208ms
Jun 09 08:26:14.135 DEBUG bootstrap_auth: kubelet::bootstrapping: Certificate has been approved, generating kubeconfig
Jun 09 08:26:14.135 DEBUG bootstrap_auth: kubelet::bootstrapping: Writing generated kubeconfig to file path=/Users/rgreinhofer/.krustlet/config/kubeconfig-wasi
Jun 09 08:26:14.139 DEBUG bootstrap_tls: kubelet::bootstrapping: Starting bootstrap of TLS serving certs
Error: SslError: MAC verification failed during PKCS12 import (wrong password?)
error: Recipe `run` failed on line 46 with exit code 1

╭ krustlet on  main via 🦀 v1.60.0 ⌛ 3s
╰❯[✖ ERROR] kubectl get nodes
NAME                 STATUS   ROLES           AGE   VERSION
kind-control-plane   Ready    control-plane   39s   v1.24.0

But for some reason it does not work either :/

@bacongobbler
Collaborator

bacongobbler commented Jun 9, 2022

When you ran just with no feature flags, krustlet was recompiled without the “rustls-tls” flag. You need to add it to any invocation of just IIRC, not just just build.

This is hinted at in the documentation:

The same flags can be passed to just run if you want to just run the project instead.

@rgreinho
Author

rgreinho commented Jun 9, 2022

Oh cool! Trying that:

╭ krustlet on  main [!] via 🦀 v1.60.0
╰❯ just run --no-default-features --features rustls-tls
KUBECONFIG=$(eval echo $CONFIG_DIR)/kubeconfig-wasi cargo run --bin krustlet-wasi --no-default-features --features rustls-tls -- --node-name krustlet-wasi --port 3001 --bootstrap-file $(eval echo $CONFIG_DIR)/bootstrap.conf --cert-file $(eval echo $CONFIG_DIR)/krustlet-wasi.crt --private-key-file $(eval echo $CONFIG_DIR)/krustlet-wasi.key
    Finished dev [unoptimized + debuginfo] target(s) in 0.32s
     Running `target/debug/krustlet-wasi --node-name krustlet-wasi --port 3001 --bootstrap-file /Users/rgreinhofer/.krustlet/config/bootstrap.conf --cert-file /Users/rgreinhofer/.krustlet/config/krustlet-wasi.crt --private-key-file /Users/rgreinhofer/.krustlet/config/krustlet-wasi.key`
Jun 09 11:24:55.292 DEBUG kubelet::bootstrapping: Starting bootstrap config.node_name=krustlet-wasi
Jun 09 11:24:55.293 DEBUG bootstrap_auth: kubelet::bootstrapping: No existing kubeconfig found, loading bootstrap config bootstrap_file=/Users/rgreinhofer/.krustlet/config/bootstrap.conf
Error: HyperError: error trying to connect: invalid dnsname

Caused by:
    0: error trying to connect: invalid dnsname
    1: invalid dnsname
error: Recipe `run` failed on line 46 with exit code 1

I think it does not work because of what is written in the caveats sections:

the serving certs requested during bootstrap will not work for local development options like minikube or KinD as they do not have an FQDN
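
A diagnostic for the `invalid dnsname` failure above, as an added example that is not part of the original thread or the Krustlet project. rustls 0.19 (the version compiled in this build) accepts only DNS names as the TLS server name and rejects IP literals, and kind writes an IP-literal `server:` URL into the kubeconfig; that this is the cause here is an assumption. The function names `classify_host` and `server_hosts` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list each `server:` host in a kubeconfig and flag IP literals.

# classify_host HOST -> prints "ip" for an IPv4/IPv6 literal, else "dns"
classify_host() {
  case "$1" in
    \[*\]|*:*) echo ip; return 0 ;;   # bracketed or bare IPv6 literal
  esac
  if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo ip
  else
    echo dns
  fi
}

# server_hosts FILE -> prints "<host> <ip|dns>" per `server:` entry
server_hosts() {
  sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$1" | tr -d "\"'" |
  while read -r url; do
    rest=${url#*://}                   # drop the scheme
    hostport=${rest%%/*}               # drop any path
    case "$hostport" in
      \[*) host="${hostport%%]*}]" ;;  # [::1]:6443 -> [::1]
      *)   host=${hostport%:*} ;;      # host:port  -> host
    esac
    echo "$host $(classify_host "$host")"
  done
}

# Constructed sample, shaped like the file kind writes (port is made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://127.0.0.1:51234
  name: kind-kind
EOF
server_hosts "$sample"   # an "ip" result is a host rustls 0.19 will refuse
rm -f "$sample"
```

Run `server_hosts` against the bootstrap file and the generated kubeconfig before switching TLS backends; any `ip` entry needs a DNS name that the API server certificate also covers.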

@hiroshi

hiroshi commented Apr 24, 2023

I have the same SslError: MAC verification failed during PKCS12 import (wrong password?).
Using kind in Docker for M1 Mac.
Built krustlet from main (29e8a30).

I'll post a comment when I make some progress.

EDIT: oh, I see this project seems to be dead now.
#722 (comment)
