Kubectl login fails with error: "x509: cannot verify signature: insecure algorithm SHA1-RSA" when SHA1 certificate is configured in VC/WCP.

Article ID: 313282

Updated On: 03-19-2025

Products

VMware vCenter Server

Issue/Introduction

When the VC and Workload Platform Management certificates are replaced with SHA1 certificates, the kubectl login from the client machine (configured with SHA1 root CA certificates) fails with the error "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)".

[client ~ ]# kubectl vsphere login --vsphere-username <username> --server <cluster-ip>
ERRO[0000] Error occurred during HTTP request: Get "https://<cluster-ip>/wcp/loginbanner": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "<cert_CA>")
There was an error when trying to connect to the server.\nPlease check the server URL and try again.
FATA[0000] Error while connecting to host <cluster-ip>: Get "https://<cluster-ip>/wcp/loginbanner": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "<cert_CA>").


Environment

VMware vCenter Server 7.0.3

Resolution

To resolve the issue, set the environment variable GODEBUG=x509sha1=1 on the client machine before running the kubectl login.

Example on a Linux client:
[client ~ ]# export GODEBUG=x509sha1=1