video-recorder: certificate verify failed: unable to get local issuer certificate #384

Closed
toby181 opened this issue Jun 6, 2023 · 6 comments

toby181 commented Jun 6, 2023

Hi together,

We've deployed moon2 in version 2.5 to k8s but we're having issues with uploading the video recording to our internal s3, the upload fails with "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)".
Opening the URL of our internal S3 within a manually started Chrome pod and uploading a file there succeeds without any certificate warning.
The internal s3 is signed by SwissSign, which is available in the browser's cert store.
Browser: chrome, version 112
Our setup is described in #377.

Thanks!


toby181 commented Jun 6, 2023

When doing a curl to our s3, which is a MinIO instance, we get this:
```
curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
```

@vania-pooh
Member

@toby181 you then have to add your TLS certificate provider CA to additional trusted CAs: https://aerokube.com/moon/latest/#ca-certs


toby181 commented Jun 6, 2023

@vania-pooh
I already did that. I've exported the certificate chain (in total 4 certs) base64 encoded and added it to the additionalTrustedCAs in both the order it was exported and in reversed order.
I've already tried the CA only.

```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: &name moon2
  namespace: moon1
spec:
  releaseName: *name
  interval: 5m
  timeout: 15m
  chart:
    spec:
      chart: moon2
      version: 2.5.0
      sourceRef:
        kind: HelmRepository
        name: ...
        namespace: ...
  values:
    quota:
      moon:
        namespace: ...
    ingress:
      enabled: true
      ...
    configs:
      default:
        sessionTimeout: 10m
        additionalTrustedCAs: |
          -----BEGIN CERTIFICATE-----
```

In the video-recorder pod I'm testing the connection with curl and got the following results.

```
$ curl https://minio.example.com/
curl: (77) error setting certificate verify locations:  CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
$ export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
$ curl https://minio.example.com/
-> "AccessDenied" response, which is good
```
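
A stdlib-only Python check for the situation in the comment above, added here as an example and not part of the original thread or of Moon's code: it lists which candidate CA bundle files exist in the pod and how many PEM certificates each one holds. The `(_ssl.c:1002)` error format comes from Python's `ssl` module; that the recorder's S3 client honours any of the listed environment variables is an assumption, and the function names are hypothetical.

```python
import os
import ssl

# Environment variables that OpenSSL, curl, requests and botocore read for a
# CA bundle override. Which of these the recorder honours is an assumption.
CA_ENV_VARS = ("SSL_CERT_FILE", "CURL_CA_BUNDLE", "REQUESTS_CA_BUNDLE", "AWS_CA_BUNDLE")

# The two bundle paths that appear in the curl session in this thread.
THREAD_PATHS = ("/etc/pki/tls/certs/ca-bundle.crt",
                "/etc/ssl/certs/ca-certificates.crt")

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def count_pem_certs(path):
    """Number of PEM certificates in `path`, or None if it cannot be read."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read().count(PEM_HEADER)
    except OSError:
        return None


def audit_ca_sources(env=None, extra_paths=THREAD_PATHS):
    """Return {path: (source, cert_count)} for every candidate CA bundle."""
    env = os.environ if env is None else env
    defaults = ssl.get_default_verify_paths()
    candidates = [("python ssl compiled-in default", defaults.openssl_cafile)]
    candidates += [("env " + name, env.get(name)) for name in CA_ENV_VARS]
    candidates += [("path from thread", p) for p in extra_paths]
    report = {}
    for source, path in candidates:
        if path and path not in report:
            report[path] = (source, count_pem_certs(path))
    return report


def usable_bundles(report):
    """Paths that exist and contain at least one certificate."""
    return sorted(p for p, (_, n) in report.items() if n)


if __name__ == "__main__":
    for path, (source, n) in audit_ca_sources().items():
        state = "missing/unreadable" if n is None else f"{n} certificates"
        print(f"{path}  [{source}]  {state}")
```

A path reported as missing or unreadable corresponds to curl's error 77, while a bundle that exists but lacks the issuing CA produces the "unable to get local issuer certificate" failure instead.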

@vania-pooh
Member

@aandryashin any ideas?


aandryashin commented Jun 6, 2023 via email

vania-pooh added this to the 2.5.2 milestone Jun 9, 2023

@vania-pooh
Member

Fixed in https://github.com/aerokube/moon2/pull/212. Will be released as Moon 2.5.2.
