Wael's Digital Garden

Talos - Bootstrap - x509 Unknown Authority

Problem

When bootstrapping a Talos Linux cluster, talosctl bootstrap may fail with an error:

rpc error: code = Unavailable desc = last connection error: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"

This occurred during an installation on Proxmox.

Solution / Workaround

The issue was resolved by performing the following steps:

  1. Boot only one control plane node initially.
  2. Run talosctl apply-config --insecure --nodes <IP_of_first_node> --file controlplane.yaml targeting only that single node.
  3. Wait for the node to become healthy.
  4. Repeat steps 1-3 for each subsequent control plane node, one at a time.
  5. Before running talosctl bootstrap, modify the talosconfig to point to only one of the control plane node IPs as the endpoint:

       talosctl config endpoint <IP_of_one_control_plane_node>
       talosctl config node <IP_of_one_control_plane_node>
  6. Run talosctl bootstrap. This should now succeed.
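
The steps above as a script, added here as an example and not part of the original note. It assumes each node is already booted into maintenance mode when its turn comes and that controlplane.yaml and the active talosconfig come from the same generated configuration; it treats "healthy" as an authenticated talosctl version call succeeding, and the function names and WAIT_* variables are illustrative.

```sh
#!/bin/sh
# Added example: bring control plane nodes up one at a time, then bootstrap
# through a single endpoint. Assumption: "healthy" means the node answers an
# authenticated API call with a certificate that talosconfig trusts.

CONFIG_FILE="${CONFIG_FILE:-controlplane.yaml}"
WAIT_TRIES="${WAIT_TRIES:-60}"   # attempts per node
WAIT_SLEEP="${WAIT_SLEEP:-10}"   # seconds between attempts

# Returns 0 once the node accepts a normal (certificate-verified) call.
# While the node is still in maintenance mode, or serves a certificate from
# a CA that talosconfig does not trust, this call fails and is retried.
wait_for_trusted_api() {
  node_ip="$1"
  tries=0
  while [ "$tries" -lt "$WAIT_TRIES" ]; do
    if talosctl --nodes "$node_ip" --endpoints "$node_ip" version >/dev/null 2>&1; then
      return 0
    fi
    tries=$((tries + 1))
    sleep "$WAIT_SLEEP"
  done
  echo "node $node_ip did not present a trusted certificate in time" >&2
  return 1
}

# Usage: bring_up_and_bootstrap <first_cp_ip> [<next_cp_ip> ...]
bring_up_and_bootstrap() {
  [ "$#" -ge 1 ] || { echo "usage: bring_up_and_bootstrap <ip>..." >&2; return 2; }
  first_ip="$1"
  for cp_ip in "$@"; do
    # --insecure is confined to this call: a node in maintenance mode has no
    # cluster PKI yet, so its certificate cannot be verified at this point.
    talosctl apply-config --insecure --nodes "$cp_ip" --file "$CONFIG_FILE" || return 1
    wait_for_trusted_api "$cp_ip" || return 1
  done
  # Point talosconfig at exactly one control plane node before bootstrapping.
  talosctl config endpoint "$first_ip" || return 1
  talosctl config node "$first_ip" || return 1
  talosctl bootstrap
}

# Run only when node IPs are passed on the command line.
if [ "$#" -gt 0 ]; then
  bring_up_and_bootstrap "$@"
fi
```

If the wait step times out for a node, the script stops before touching the next node and never reaches talosctl bootstrap, which keeps the certificate problem isolated to one machine.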

Potential Cause

That this workaround helps suggests a timing or certificate propagation issue when multiple control plane nodes are initialized simultaneously, i.e. when talosctl apply-config is run with multiple --nodes flags during the initial setup.

Related

  • Talos Linux - Configuration Generation with talosctl
  • Talos Linux - Applying Control Plane Configuration