Yet another case of "x509: certificate signed by unknown authority, requeuing"

Version v0.13.1

Platform/Architecture openSUSE MicroOS 20231126 (immutable based on openSUSE Tumbleweed)

Describe the bug

time="2023-11-28T06:18:40Z" level=error msg="error syncing 'system-upgrade/k3s-server': handler system-upgrade-controller: Get \"https://update.k3s.io/v1-release/channels/stable\": x509: certificate signed by unknown authority, requeuing"

To Reproduce Use the following in your plan instead of a version:

channel: https://update.k3s.io/v1-release/channels/stable

Expected behavior The TLS certificate should be accepted.

Actual behavior Something goes wrong when trying to connect via HTTPS

I checked the mounts in the deployment, and all of them are existing on the host:

        volumeMounts:
        - mountPath: /etc/ssl
          name: etc-ssl
          readOnly: true
        - mountPath: /etc/pki
          name: etc-pki
          readOnly: true
        - mountPath: /etc/ca-certificates
          name: etc-ca-certificates
          readOnly: true
        - mountPath: /tmp
          name: tmp

$ ls -ld /etc/pki/ /etc/ssl/ /etc/ca-certificates/
drwxr-xr-x. 1 root root  16 14. Jun 20:05 /etc/ca-certificates//
drwxr-xr-x. 1 root root  10 22. Nov 18:05 /etc/pki//
drwxr-xr-x. 1 root root 198 17. Nov 20:29 /etc/ssl//

Additional context The bug was reported multiple times in different constellations:

• #94 (closed)
• #105 (closed)
• #243

What I failed to find is a clear description, which files the image looks for.

Or a reason, why it does not bring its own ca-certificates and just mounts the host's certificates in addition, in case someone is using an internal CA.