Edit

Share via

Known issue - Invalid certificate error during deployment with an AKS cluster

  • Article

APPLIES TO: Python SDK azureml v1

During machine learning deployments using an AKS cluster, you may receive an invalid certificate error, such as {"code":"BadRequest","statusCode":400,"message":"The request is invalid.","details":[{"code":"KubernetesUnaccessible","message":"Kubernetes error: AuthenticationException. Reason: InvalidCertificate"}].

Status: Open

Problem area: Inferencing

Symptoms

Azure Machine Learning deployments with an AKS cluster fail with the error:

{"code":"BadRequest","statusCode":400,"message":"The request is invalid.","details":[{"code":"KubernetesUnaccessible","message":"Kubernetes error: AuthenticationException. Reason: InvalidCertificate"}], and the following error is shown in the MMS logs:

K8sReadNamespacedServiceAsync failed with AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback. at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception) at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](tioadapteradapterbooleanreceivefirstbytereauthenticationdatabooleanisapm) at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)

Cause

This error occurs because the certificate for AKS clusters created before January 2021 does not include the Subject Key Identifier value, which prevents the required Authority Key Identifier value from being generated.

Solutions and workarounds

There are two options to resolve this issue:

Next steps