Skip to content

error getting latest release because "x509: certificate signed by unknown authority"

Version system-upgrade-controller version v0.6.2 (9ed50a5)

Platform/Architecture linux-amd64

Describe the bug After applying a Plan, omitting the version field and setting the channel field to a URL that resolves to a release of k3 as described in the documentation, the controller will complain:

W1010 07:58:53.832507       1 client_config.go:543] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
time="2020-10-10T07:58:53Z" level=info msg="Creating CRD plans.upgrade.cattle.io"
time="2020-10-10T07:58:54Z" level=info msg="Waiting for CRD plans.upgrade.cattle.io to become available"
time="2020-10-10T07:58:54Z" level=info msg="Done waiting for CRD plans.upgrade.cattle.io to become available"
time="2020-10-10T07:58:54Z" level=info msg="Starting /v1, Kind=Secret controller"
time="2020-10-10T07:58:54Z" level=info msg="Starting upgrade.cattle.io/v1, Kind=Plan controller"
time="2020-10-10T07:58:54Z" level=info msg="Starting /v1, Kind=Node controller"
time="2020-10-10T07:58:54Z" level=info msg="Starting batch/v1, Kind=Job controller"
E1010 08:07:35.109182       1 controller.go:135] error syncing 'system-upgrade/server-plan': handler system-upgrade-controller: Get https://update.k3s.io/v1-release/channels/latest: x509: certificate signed by unknown authority, requeuing

This repeats continuously.

To Reproduce

Install the system upgrade controller:

kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/download/v0.6.2/system-upgrade-controller.yaml

Apply the following plan:

---
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: server-plan
  namespace: system-upgrade
spec:
  concurrency: 1
  cordon: true
  nodeSelector:
    matchExpressions:
    - key: node-role.kubernetes.io/master
      operator: In
      values:
      - "true"
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
  channel: https://update.k3s.io/v1-release/channels/latest

Expected behavior It should find the latest release.

Actual behavior It doesn't find the latest release due to "certificate signed by unknown authority".

Additional context I saw a similar issue in #94 (closed). The system does have /etc/ssl/, and the system is up to date.