Hi Rajnish Sharma,
The error "x509: certificate contains duplicate extensions" is an issue related to the TLS certificate used by your AKS cluster's API server. This isn't a typical configuration problem but a flaw in the certificate itself. Because of this, clients like kubectl cannot establish a secure TLS handshake with the control plane, and every API request fails.
Standard steps such as az aks rotate-certs, az aks reset-service-principal, or a control-plane-only upgrade, generally refresh valid certificates, but they cannot correct a structurally invalid or corrupted API server certificate.
Details on how AKS manages, rotates, and refreshes control-plane and client certificates: Certificate Rotation in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Learn
A few steps to troubleshoot the issue:
1. Corporate Proxy / SSL Interception: Organizations use a proxy or firewall that inspects secure traffic for security reasons. The proxy “sits in the middle” of your connection, decrypts it, and then re-encrypts it. If this process is not done correctly, it can alter the certificate and add duplicate fields, so confirm it by accessing the cluster from a machine outside the corporate network (bypassing the proxy).
2. Kubeconfig Validation: Ensure your kubeconfig is valid and pointing to the correct cluster.
3. Comparison with a New Cluster: Create a temporary test AKS cluster; if that cluster works fine but the current one fails, this confirms the issue is isolated to the certificates in MxHHStaging-K8-Cluster.
4. Check Certificate Validity: Ensure that the certificates in use are valid and not expired.
5. Upgrade AKS: If you’re using an older version of AKS, consider upgrading to the latest version, as there can be bug fixes related to certificate management.
6. Monitor Logs for Further Insights: Check the logs for more information on this error.
If the above checks confirm the issue is not caused by a proxy, kubeconfig, or certificate-validity issue, then the root cause is indeed a malformed API server TLS certificate in AKS. This is a control-plane issue that might not be resolvable from your side. The most effective and direct solution is to engage Microsoft's support team. They have the necessary tools and access to inspect the specific state of your cluster and its certificate signing requests on the backend.
How to Create a Support Ticket:
· Sign in to the Azure portal.
· Go to Help + support in the left-hand navigation panel.
· Click on New support request.
· For Issue type, select Technical.
· Under Service, choose Kubernetes Service (AKS).
· Provide the Resource Group and Cluster Name for your cluster: MxHHStaging-K8-RG and MxHHStaging-K8-Cluster.
· In the Problem summary, clearly state the error message: "tls: failed to parse certificate from server: x509: certificate contains duplicate extensions".
· In the Problem details, mention all the troubleshooting steps you have already performed, including az aks rotate-certs, az aks update, and az aks upgrade. This will save time by showing them what's already been ruled out.
The Microsoft platform team will need to regenerate the API server certificate for your cluster to restore proper TLS connectivity. For additional troubleshooting information on AKS, you can refer here: Troubleshoot Azure Kubernetes Service (AKS) issues | Microsoft Learn.
Let me know if you require any additional information from my end. I am happy to help you with your queries. If the information is helpful, please click on Upvote and Accept Answer so that it can help other community members.
Thank you,
Rashmika