Issue
When Spinnaker attempts to connect to any client services behind a TLS endpoint, you receive the following error:
Reason: extension (5) should not be presented in certificate_request
Cause
It may be related to a Java and Go bug mentioned here:
https://github.com/golang/go/issues/35722#issuecomment-557209799.
Solution
A potential workaround is to force Spinnaker to use TLS 1.2 by adding the following config: -Djdk.tls.client.protocols=TLSv1.2
Operator
If you use the Operator to configure and manage Spinnaker, add the config to the service settings for the services that are making the call. The following example adds the config to Igor:
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    service-settings:
      igor:
        env:
          JAVA_OPTS: -Djdk.tls.client.protocols=TLSv1.2
Halyard
If you use Halyard, add the config to the service-settings/<service>.yml file for the service making the call:
env:
  JAVA_OPTS: -Djdk.tls.client.protocols=TLSv1.2
As Tested On Version
2.18.1