When performing a local install of DigiCert One, the Ambassador service fails to install correctly.
This failure occurs when not all of the required ports are open, including when multiple nodes are installed. All of the ports on the Master and worker nodes need to be open for the install to complete.
To resolve this issue, you must run the following commands on all nodes (Master and worker):
#Master
sudo firewall-cmd --permanent --add-port=6443/tcp # Kubernetes API server
sudo firewall-cmd --permanent --add-port=2379-2380/tcp # etcd server client API
sudo firewall-cmd --permanent --add-port=10250/tcp # Kubelet API
sudo firewall-cmd --permanent --add-port=10251/tcp # kube-scheduler
sudo firewall-cmd --permanent --add-port=10252/tcp # kube-controller-manager
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --permanent --add-port=8285/udp # Flannel
sudo firewall-cmd --permanent --add-port=8472/udp # Flannel
sudo firewall-cmd --permanent --add-port=30000-32767/tcp # NodePort Services
sudo firewall-cmd --reload
sudo systemctl restart firewalld
#Node
sudo firewall-cmd --permanent --add-port=10250/tcp # Kubelet API
sudo firewall-cmd --permanent --add-port=8285/udp # Flannel
sudo firewall-cmd --permanent --add-port=8472/udp # Flannel
sudo firewall-cmd --permanent --add-port=30000-32767/tcp # NodePort Services
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
sudo systemctl restart firewalld
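To confirm that a node ended up with exactly the ports listed above, and nothing was missed or mistyped, the following check compares the firewalld port list against the lists for each role. This is an added example, not a DigiCert-supplied script; the script name check_ports.sh, the function names, and the sample port list are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: report which ports from this article are still closed.
MASTER_PORTS="6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 8285/udp 8472/udp 30000-32767/tcp"
NODE_PORTS="10250/tcp 8285/udp 8472/udp 30000-32767/tcp"

# Constructed sample of `firewall-cmd --list-ports` output from a half-configured master.
SAMPLE_OPEN="6443/tcp 2379-2380/tcp 10250/tcp 8285/udp 8472/udp 30000-30100/tcp"

# covered SPEC OPEN: true if port or range SPEC lies inside one entry of OPEN.
covered() {
  local want=$1 open=$2 proto lo hi entry elo ehi
  proto=${want#*/}; lo=${want%%/*}; hi=${lo#*-}; lo=${lo%-*}
  for entry in $open; do
    [ "${entry#*/}" = "$proto" ] || continue
    elo=${entry%%/*}; ehi=${elo#*-}; elo=${elo%-*}
    if [ "$lo" -ge "$elo" ] && [ "$hi" -le "$ehi" ]; then return 0; fi
  done
  return 1
}

# missing_ports ROLE OPEN: print the required ports for ROLE that OPEN does not cover.
missing_ports() {
  local role=$1 open=$2 required port missing=""
  case $role in
    master) required=$MASTER_PORTS ;;
    node)   required=$NODE_PORTS ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  for port in $required; do
    covered "$port" "$open" || missing="$missing $port"
  done
  echo "${missing# }"
}

# Live check when called as: ./check_ports.sh master|node
case "${1:-}" in
  master|node)
    gaps=$(missing_ports "$1" "$(sudo firewall-cmd --permanent --list-ports)")
    sudo firewall-cmd --permanent --query-masquerade >/dev/null || gaps="$gaps masquerade"
    gaps=${gaps# }
    if [ -n "$gaps" ]; then echo "MISSING: $gaps"; exit 1; fi
    echo "OK: required ports and masquerading are configured" ;;
esac
```

Run it on each node with its role as the argument; a non-zero exit status lists the ports that still need to be added before retrying the install.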
If you have any questions or need assistance, please contact DigiCert PKI Support.