非 base64 编码的证书:
Failed creating HTTP client to fetch the Discovery URI "<Discovery-document URI>" with error: Unable to decode data field, the value should be Base64 encoded
证书格式不正确或采用 base64 编码但值不正确:
Unable to connect to 'https://example.com', encountered the following error: Problem with the SSL CA cert (path? access rights?). Details: error setting certificate verify locations: CAfile: /tmp/example.pem CApath: none (The certificate could not be read, this is most likely because it's empty or contains a formatting error. Please check your configuration.)
证书格式不正确或采用 base64 编码但值不正确:
Failed fetching the Discovery URI "<Discovery-document URI>" with error: Unable to load TLS certificates.
解决方案
您可以通过以下方式之一解决这些问题:
您在 ClientConfig 中提供的证书值应该是 base64 编码的字符串和 PEM 格式的字符串。如需了解详情,请参阅对 CA 证书进行编码。
证书链不完整或与服务器不匹配:SSL peer certificate was not OK. Details: SSL certificate problem: unable to get local issuer certificate
证书链不完整(对应于不是从根开始或不连续的无效部分链):
Failed fetching the Discovery URI "<Discovery-document URI>" with error: The server's TLS certificate did not match expectations.
证书链有效,但与 OIDC 服务器不匹配:
AIS was expecting the server to have a different certificate
证书链有效,但与 OIDC 服务器不匹配:
Failed fetching the Discovery URI "<Discovery-document URI>" with error: The server's TLS certificate did not match expectations.
解决方案
您在 ClientConfig 中提供的证书值需要包含与身份提供方匹配的格式正确的证书链。如需详细了解如何设置证书格式和编码,请参阅对 CA 证书进行编码。
在 Windows 机器上将 gcloud anthos auth login 命令与 OIDC 搭配使用来生成 kubeconfig 文件以用于集群访问时,kubectl 命令可能会失败,并显示以下错误消息:The command line is too long.
此问题专门在 Windows 系统上发生,不会影响使用同一 kubeconfig 文件的 Linux 机器。根本原因与用户属于大量群组(大约 70 到 200 个群组,具体取决于群组名称的长度)时,Azure Active Directory (Azure AD) 所生成的身份验证令牌的大小有关。
此大型令牌会导致 kubectl 命令的执行失败,因为它超出了 Windows 允许的命令行长度上限(8,191 个字符)。
错误消息
$ kubectl --kubeconfig test-kubeconfig.yml get nodes
The command line is too long.
The command line is too long.
E0102 11:02:29.115256 24320 memcache.go:265] couldn't get current server API group list: Get "https://10.35.0.86:443/api?timeout=32s": getting credentials: exec: executable gcloud failed with exit code 1
The command line is too long.
E0102 11:02:29.350238 24320 memcache.go:265] couldn't get current server API group list: Get "https://10.35.0.86:443/api?timeout=32s": getting credentials: exec: executable gcloud failed with exit code 1
The command line is too long.
E0102 11:02:30.062811 24320 memcache.go:265] couldn't get current server API group list: Get "https://10.35.0.86:443/api?timeout=32s": getting credentials: exec: executable gcloud failed with exit code 1
Unable to connect to the server: getting credentials: exec: executable gcloud failed with exit code 1
解决方案
如需解决此问题,请执行以下操作:
升级到 GKE 集群 1.28 版或更高版本
如果您运行的 GKE 集群版本低于 1.28,建议您升级到受支持的版本。
减少受影响用户的群组成员资格
将进行身份验证的用户所属的群组数量减少到有问题的阈值(大约 70 个群组)以下,即可解决此问题。
增加受影响用户的群组成员资格
Microsoft Entra ID 功能会限制令牌中发出的群组数量。介于 70 到 200 之间的群组成员资格数量可能会导致身份验证问题。不过,您可以通过将群组成员资格数量增加到超出此限制来解决身份提供方问题。由于此限制的行为,当成员资格数量过大时,Azure AD 会在 id_token 中省略群组,以防止命令行过长,因而可解决身份提供方问题。请查看 Microsoft Entra ID 文档,以确认限制并了解更多详情。
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-07-31。"],[],[],null,["This document provides troubleshooting guidance for OIDC and AzureAD identity provider issues\nin GKE Identity Service.\n\nIncorrect formatting of certificate\n\nThis issue occurs when the certificate value has formatting errors. Formatting\nissues can correspond to certificate values that aren't base64 encoded and values\nthat are base64 encoded but incorrect. The issue can also arise if the certificate\nisn't signed by a root certificate authority or a correctly formatted trust chain isn't provided.\n\nError messages\n\nThe following examples are of error messages for scenarios where the certificate format is incorrect:\n\n- Certificate that is not base64 encoded:\n `Failed creating HTTP client to fetch the Discovery URI \"\u003cDiscovery-document URI\u003e\" with error: Unable to decode data field, the value should be Base64 encoded`\n\n- Certificate that is not formatted correctly or is base64 encoded but incorrect:\n `Unable to connect to 'https://example.com', encountered the following error: Problem with the SSL CA cert (path? access rights?). Details: error setting certificate verify locations: CAfile: /tmp/example.pem CApath: none (The certificate could not be read, this is most likely because it's empty or contains a formatting error. Please check your configuration.)`\n\n- Certificate that is not formatted correctly or is base64 encoded but incorrect:\n `Failed fetching the Discovery URI \"\u003cDiscovery-document URI\u003e\" with error: Unable to load TLS certificates.`\n\nSolution\n\nYou can resolve the issues in one of the following ways:\n\n- The certificate value you provide in the ClientConfig should be a base64 encoded string and PEM formatted string. For more information, see [Encode CA certificates](/kubernetes-engine/enterprise/identity/setup/format-certificates#encodecertificate).\n- If your provider doesn't use certificates signed by a root certificate authority, then you need to configure GKE Identity Service with a certificate trust chain. For more information, see [Intermediate certificates](/kubernetes-engine/enterprise/identity/setup/format-certificates#intermediatecertificates).\n\nWrong certificate value\n\nThis issue occurs when the certificate has a mismatched value. In this case, the formatting of the certificates is correct, however they don't match the server. It can also indicate that there were no certificates in the configuration.\n\nA certificate value can be considered incorrect in any of the following scenarios:\n\n- An incorrect certificate value is shared in the ClientConfig. A certificate value is incorrect when the `issuer` of the server certificate does not match the `subject` of the configured certificate.\n- The certificate in the ClientConfig isn't a base64 encoded string.\n- The certificate chain is not provided when intermediate certificates are used to issue the server certificate.\n\nError message\n\nThe following examples are of error messages for scenarios where there's a mismatch in the certificate value:\n\n- Certificate chain is not complete or does not match the server:\n `SSL peer certificate was not OK. Details: SSL certificate problem: unable to get local issuer certificate`\n\n- Certificate chain is not complete (corresponds to an invalid partial chain which doesn't start at the root or isn't contiguous):\n `Failed fetching the Discovery URI \"\u003cDiscovery-document URI\u003e\" with error: The server's TLS certificate did not match expectations.`\n\n- Certificate chain is valid but doesn't match the OIDC server:\n `AIS was expecting the server to have a different certificate`\n\n- Certificate chain is valid but doesn't match the OIDC server:\n `Failed fetching the Discovery URI \"\u003cDiscovery-document URI\u003e\" with error: The server's TLS certificate did not match expectations.`\n\nSolution\n\nThe certificate value you provide in the ClientConfig needs to include a correctly formatted certificate chain that matches the identity provider.\nFor more information on how to format and encode certificates, see [Encode CA certificates](/kubernetes-engine/enterprise/identity/setup/format-certificates#encodecertificate).\n\n`kubectl` commands fail when using a kubeconfig file generated by the `gcloud anthos auth login` command\n\nWhen you use the `gcloud anthos auth login` command with OIDC on Windows machines to generate a kubeconfig file for cluster access, `kubectl` commands might fail with the following error message: **`The command line is too long.`**\nThis issue occurs specifically on Windows systems and does not affect Linux machines that use the same kubeconfig file. The underlying cause is related to the size of the authentication token that's generated by Azure Active Directory (Azure AD) when a user belongs to a large number of groups (approximately 70 to 200 groups, depending on the lengths of group names).\n\nThis large token causes the execution of `kubectl` commands to fail because it exceeds the maximum length of the command line that's allowed by Windows, which is *8,191* characters.\n\nError message\n\n```\n$ kubectl --kubeconfig test-kubeconfig.yml get nodes\n\nThe command line is too long.\nThe command line is too long.\nE0102 11:02:29.115256 24320 memcache.go:265] couldn't get current server API group list: Get \"https://10.35.0.86:443/api?timeout=32s\": getting credentials: exec: executable gcloud failed with exit code 1\nThe command line is too long.\nE0102 11:02:29.350238 24320 memcache.go:265] couldn't get current server API group list: Get \"https://10.35.0.86:443/api?timeout=32s\": getting credentials: exec: executable gcloud failed with exit code 1\nThe command line is too long.\nE0102 11:02:30.062811 24320 memcache.go:265] couldn't get current server API group list: Get \"https://10.35.0.86:443/api?timeout=32s\": getting credentials: exec: executable gcloud failed with exit code 1\nUnable to connect to the server: getting credentials: exec: executable gcloud failed with exit code 1\n```\n\nSolution\n\nTo resolve this issue, do the following:\n\n- **Upgrade to GKE cluster version 1.28 or later**\n\n If you're running a version of GKE cluster that is earlier than 1.28, we recommend that you upgrade to the supported version.\n- **Reduce the affected user's group memberships**\n\n Reducing the number of groups the authenticating user belongs to below the problematic threshold (approximately 70 groups) can resolve the issue.\n- **Increase the affected user's group memberships**\n\n The [Microsoft Entra ID feature has a limit](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims) for the number of groups emitted in a token. Having between 70 to 200 group memberships might cause authentication problems. However, you can resolve the identity provider issues by increasing the number of group memberships beyond this limit. Due to the behavior of this limit, Azure AD omits groups from the `id_token` when the number of memberships becomes excessively large, preventing the command line from becoming too long and so resolving the identity provider issues. Review the [Microsoft Entra ID documentation](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims) to confirm the limit and for more details."]]
