Another case of "x509: certificate signed by unknown authority"

Version

system-upgrade-controller version v0.15.2 (b1a9781a)

Platform/Architecture

linux-amd64 Flatcar Container Linux stable 4152.2.2 for QEMU (immutable)

Describe the bug

I0324 02:10:05.643137       1 event.go:389] "Event occurred" object="system-upgrade/plan-k3s-server-upgrade" fieldPath="" kind="Plan" apiVersion="upgrade.cattle.io/v1" type="Warning" reason="ResolveFailed" message="Failed to resolve latest version from Spec.Channel: Get \"https://update.k3s.io/v1-release/channels/stable\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

system-upgrade-controller cannot upgrade the k3s cluster due to the TLS verify failure.

To Reproduce

Instead of a version use channel as below: channel: https://update.k3s.io/v1-release/channels/stable

Expected behavior

Expect that the SSL certificate can be verified from the container.

Actual behavior

The SSL configuration is unable to verify the certificate and can't connect.

I can connect with curl, but I only have one symlink file. There is no /etc/pki or /etc/tls. Any assistance would be appreciated!

I have one symlinked file:

$ ls -l /etc/ssl/
drwxr-xr-x. 1 root root 14388 Feb 13 18:28 certs
-rw-r--r--. 1 root root   241 Feb 13 18:26 fipsmodule.cnf
lrwxrwxrwx. 1 root root    31 Feb 13 16:59 openssl.cnf -> ../../usr/share/ssl/openssl.cnf
drwx------. 1 root root     0 Feb 13 18:36 private

I tried adding a file mount

        - mountPath: /usr/share/ssl/openssl.cnf
          name: usr-ssl
          readOnly: true
 . . . 
      - hostPath:
          path: /etc/ssl/openssl.cnf
          type: File
        name: usr-ssl

curl

curl https://update.k3s.io/v1-release/channels/stable
<a href="https://github.com/k3s-io/k3s/releases/tag/v1.31.6+k3s1">Found</a>.

Additional context

The bug was reported multiple times in different constellations:

I was unable to access the container to see what files are actually in the /etc/ssl/ folder.

I was unable to figure out the required files for the container to configure SSL. Why doesn't the container come with working SSL?
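Added example, not code from system-upgrade-controller: the controller fetches the channel URL with Go's TLS client, which never reads openssl.cnf; on Linux it needs a CA bundle in one of its default paths such as /etc/ssl/certs/ca-certificates.crt (or the file named by SSL_CERT_FILE). The block below reproduces the logged error offline with a constructed throwaway CA and a leaf certificate for update.k3s.io (test data, not the real site's chain), then shows verification succeed once that CA is in the root pool, which is what a mounted bundle provides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue generates an Ed25519 key for tmpl and signs it with signer, or with its own key when parent is nil (self-signed root).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeChain builds a throwaway root CA and a leaf for update.k3s.io: constructed test data, not the real site's certificate or issuer.
func makeChain() (*x509.Certificate, *x509.Certificate, error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test root CA"}, NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"update.k3s.io"}, NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, leaf, err
}

// verifyAgainst runs the chain validation Go's TLS client does, with roots standing in for the container's CA bundle, and reports whether the failure is the x509.UnknownAuthorityError from the controller log.
func verifyAgainst(leaf *x509.Certificate, roots *x509.CertPool) (unknownAuthority bool, err error) {
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: "update.k3s.io", Roots: roots})
	return errors.As(err, new(x509.UnknownAuthorityError)), err
}
```

Passing an empty pool mirrors a container with no CA bundle; passing a nil Roots would instead make Go load the system bundle from its default paths, which is where a hostPath mount of the host's ca-certificates file would need to land.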