evryfs/github-actions-runner-operator

Reconciler error: x509: certificate signed by unknown authority

fnmarquez opened this issue · 3 comments

Hi,

I am trying to run the Operator connected to GHES, and when my runner operator pod starts, it logs this:

DEBUG controller-runtime.manager.events Warning {"object": {"kind":"GithubActionRunner","namespace":"github-runner-app","name":"runner-pool","uid":"bc1ff677-d0f6-4500-8cb8-9656c192276a","apiVersion":"garo.tietoevry.com/v1alpha1","resourceVersion":"154520757"}, "reason": "ProcessingError", "message": "Get \"https://ghes.local.com/api/v3/repos/MyCompany/test-runner-autoscale-f/actions/runners?per_page=30\": x509: certificate signed by unknown authority"}
2021-06-03T12:45:18.460Z ERROR controller-runtime.manager.controller.githubactionrunner Reconciler error {"reconciler group": "garo.tietoevry.com", "reconciler kind": "GithubActionRunner", "name": "runner-pool", "namespace": "github-runner-app", "error": "Get \"https://ghes.local.com/api/v3/repos/MyCompany/test-runner-autoscale-f/actions/runners?per_page=30\": x509: certificate signed by unknown authority"}

I've done what you suggested here: #248
Can you help me?

Thanks,
Facundo

Try setting SSL_CERT_FILE to point to the CA which signed it: https://stackoverflow.com/questions/40051213/where-is-golang-picking-up-root-cas-from

So I have to include in this https://github.com/evryfs/github-actions-runner-operator/blob/master/Dockerfile an instruction to COPY the cert to:
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem", // Alpine Linux

And in which config file do I have to set the environment variable SSL_CERT_FILE?

The easiest is probably to mount the CA cert as a file via a configmap/secret, and point to that with the SSL_CERT_FILE env var.
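
The approach suggested in the last comment, written out as Kubernetes manifests. This is an added example, not part of the thread and not the project's own manifests; the ConfigMap name, namespace, Deployment name, container name and mount path are placeholders to be replaced with the values from your own install.

```yaml
# Added example. Every name below is a placeholder, not taken from the project.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ghes-ca                 # placeholder
  namespace: operator-namespace # placeholder: namespace the operator pod runs in
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PEM of the CA that signed the GHES server certificate>
    -----END CERTIFICATE-----
---
# Fragment of the operator's Deployment showing only the fields to add;
# merge it into the existing Deployment (for example with a strategic merge patch).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: operator-deployment     # placeholder
  namespace: operator-namespace # placeholder
spec:
  template:
    spec:
      containers:
        - name: manager         # placeholder container name
          env:
            # Go's crypto/x509 reads this variable when building the system pool.
            - name: SSL_CERT_FILE
              value: /etc/ghes-ca/ca.crt
          volumeMounts:
            - name: ghes-ca
              mountPath: /etc/ghes-ca
              readOnly: true
      volumes:
        - name: ghes-ca
          configMap:
            name: ghes-ca
```

On Linux, Go uses the file named by SSL_CERT_FILE in place of its default list of bundle files, so that file has to contain every CA the operator needs to trust, not only the GHES one. Keeping TLS verification on and adding the CA this way avoids baking the certificate into the image.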