# Error from server (InternalError): error when creating "pod.yaml": Internal error occurred: failed calling webhook "pod-validator.example.com": failed to call webhook: Post "https://webhook-service.namespace.svc:443/validate": x509: certificate is valid for *.example.com, not webhook-service.namespace.svc

- **ID:** `kubernetes/webhook-invalid-certificate`
- **Domain:** kubernetes
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The TLS certificate served by the admission webhook does not list the Kubernetes service DNS name (e.g., `webhook-service.namespace.svc`) among its Subject Alternative Names (SANs), so the API server rejects the connection.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kubernetes 1.25 | active | — | — |
| Kubernetes 1.28 | active | — | — |
| cert-manager 1.12 | active | — | — |

## Workarounds

1. **Regenerate the TLS certificate with the correct SANs including the Kubernetes service DNS name. Using cert-manager, create a Certificate resource with `dnsNames: ["webhook-service.namespace.svc", "webhook-service.namespace.svc.cluster.local"]`.** (90% success)
2. **Alternatively, update the webhook configuration to use a different service name that matches the certificate's SAN, but this is less common.** (70% success)
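The first workaround as manifests, using the service name, namespace, path and webhook name from the error message above. This is an added example, not configuration from the original page: the resource names, the `example-issuer` Issuer and the `rules` block are assumptions, and it assumes cert-manager's CA injector is running so the API server trusts the newly issued certificate.

```yaml
# Added example. Names marked "hypothetical" or "placeholder" are assumptions.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-service-tls          # hypothetical name
  namespace: namespace
spec:
  secretName: webhook-service-tls    # hypothetical; Secret the webhook pod mounts for its serving cert
  dnsNames:
    # The API server dials <service>.<namespace>.svc, so that exact name must be a SAN.
    - webhook-service.namespace.svc
    - webhook-service.namespace.svc.cluster.local
  issuerRef:
    name: example-issuer             # placeholder; an Issuer assumed to exist in this namespace
    kind: Issuer
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-validator                # hypothetical name
  annotations:
    # Value is <namespace>/<Certificate name>; the CA injector copies that
    # Certificate's CA into clientConfig.caBundle for every webhook below.
    cert-manager.io/inject-ca-from: namespace/webhook-service-tls
webhooks:
  - name: pod-validator.example.com
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      service:                       # must resolve to a name listed in dnsNames above
        name: webhook-service
        namespace: namespace
        path: /validate
        port: 443
    rules:                           # assumed scope: validate Pod creation only
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
```

The webhook pod has to load the reissued Secret before the new SANs take effect, which is why redeploying without reissuing the certificate changes nothing.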

## Dead Ends

- Disabling TLS verification in the webhook configuration (`insecureSkipTLSVerify: true`) bypasses security but is not recommended for production. (30% fail)
- Recreating the webhook deployment without regenerating the certificate will produce the same error. (90% fail)
