
Troubleshooting

This is a compendium of common errors.

x509: certificate signed by unknown authority

  • The error occurs when a container tries to make an HTTPS request but doesn't have any SSL certificates installed locally. Note that these do not have to be signed by a CA.
  • This happens when a Dockerfile is created for the container from scratch.

Addressing https traffic to another service within the cluster that is listening for http traffic

  • This commonly occurs when addressing a service foo from a service bar, both of which are within the cluster. Consider the following scenario:
  • Service foo is externally accessible at https://foo.example.com with tls-termination and has the port 3000 open on the container.
  • The right way to access the service foo from within the cluster is by targeting http://foo:3000 or http://foo.myenv.svc.cluster.local:3000
  • Note the http and https above.
  • Addressing the service foo from within the cluster as https://foo:3000 will fail
  • In case it is imperative that some ingress rules and proxy conditions are to be applied to inbound traffic, take a look at this and this

503 errors on deploying a service

  • The most common cause is a port misconfiguration
  • Verify that readinessProbe and livenessProbe are targeting the correct container port and that the container port is returning a 2xx for that probe
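The probe check above can be run offline against a manifest before deploying. The following is an added example, not code from this documentation or its project: it flags probes whose port does not match any port the container declares. The pod spec, service name and paths are constructed sample data; because declared ports are informational in Kubernetes, a finding is a lead to verify against the port the process actually listens on.

```python
"""Flag readiness/liveness probes that target a port the container does not declare."""

# Constructed sample pod spec (not from the original page): the container
# declares port 3000, but the readiness probe points at 8080.
SAMPLE_POD_SPEC = {
    "containers": [
        {
            "name": "foo",
            "ports": [{"name": "http", "containerPort": 3000}],
            "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": "http"}},
        }
    ]
}

PROBE_KINDS = ("readinessProbe", "livenessProbe", "startupProbe")
HANDLERS = ("httpGet", "tcpSocket", "grpc")  # probe handlers that carry a port


def probe_port_mismatches(pod_spec):
    """Return (container, probe, port) tuples for probe ports that are not declared."""
    problems = []
    for container in pod_spec.get("containers", []):
        ports = container.get("ports", [])
        numbers = {p["containerPort"] for p in ports}
        names = {p["name"] for p in ports if "name" in p}
        for kind in PROBE_KINDS:
            probe = container.get(kind) or {}
            for handler in HANDLERS:
                if handler not in probe:
                    continue
                port = probe[handler].get("port")
                if isinstance(port, str) and port.isdigit():
                    port = int(port)  # treat a numeric string as a port number
                # A named port must match a declared name, a number a containerPort.
                known = names if isinstance(port, str) else numbers
                if port not in known:
                    problems.append((container["name"], kind, port))
    return problems


if __name__ == "__main__":
    for name, kind, port in probe_port_mismatches(SAMPLE_POD_SPEC):
        print(f"{name}: {kind} targets port {port!r}, which the container does not declare")
```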

Working with Cloudflare

Please refer to the guide on Cloudflare setup.

Environment creation fails (AWS)

An environment consists of a VPC, along with its subnets, NAT gateway, and an external IP. Creating this could fail when there is insufficient quota in the AWS account-region to provision these resources. An increase in quota can be requested through the AWS console.

  1. EIP increase https://us-east-2.console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-0263D0A3 (or whichever region you choose) - increase from the previous limit to a larger number (say 25). One per env is required.
  2. VPC increase https://us-east-2.console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-F678F1CE (or whichever region you choose) - increase from the previous limit to a larger number (say 25). One per env is required.
  3. VPN Gateway increase https://us-east-2.console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-7029FAB6 (or whichever region you choose) - increase from the previous limit to a larger number (say 25). One per env is required.
  4. NAT Gateway increase https://us-east-2.console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-FE5A380F (or whichever region you choose) - increase from the previous limit to a larger number (say 25). One per env is required.

After this is done, destroy the failed environment and create a new one to resolve this issue.