Troubleshooting

This is a compendium of common errors.

x509: certificate signed by unknown authority

  • The error occurs when a container is trying to make an https request but doesn't have any SSL certificates installed locally. Note that these do not have to be signed by a CA.
  • This happens when a Dockerfile is created for the container from scratch.

Addressing https traffic to another service within the cluster that is listening for http traffic

  • This commonly occurs when addressing a service foo from a service bar, both of which are within the cluster
    Consider the following scenario:
  • Service foo is externally accessible at https://foo.example.com with tls-termination and has the port 3000 open on the container.
  • The right way to access the service foo from within the cluster is by targeting http://foo:3000 or http://foo.myenv.svc.cluster.local:3000
  • Note the http and https above.
  • Addressing the service foo from within the cluster as https://foo:3000 will fail
  • In case it is imperative that some ingress rules and proxy conditions are to be applied to inbound traffic, take a look at this and this

503 errors on deploying a service

  • The most common cause is a port misconfiguration
  • Verify that readinessProbe and livenessProbe are targeting the correct container port and that the container port is returning a 200 for that probe

Cloudflare issues

Please refer to Working with Cloudflare