
SSL certificate problem: unable to get local issuer certificate When AutoCert is True #2039

Closed
Sanketbhandare opened this issue Mar 19, 2024 · 2 comments

Comments

@Sanketbhandare

Expected Behavior

Secure TLS based pod to pod communication should be done with AutoCert

Current Behavior

Keeping AutoCert true causes an issue during pod-to-pod communication.

curl -v https://minio.tlsdemo.svc.cluster.local
* processing: https://minio.tlsdemo.svc.cluster.local
*   Trying 10.107.220.59:443...
* Connected to minio.tlsdemo.svc.cluster.local (10.107.220.59) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate

Possible Solution

Steps to Reproduce (for bugs)

  1. Create a new Tenant using Minio Operator; during creation, please keep the TLS & AutoCert options enabled under the Security tab.
  2. Once the tenant is created successfully, check whether all minio resources & services are deployed properly.
  3. SSH into any application / busybox pod and send a curl request to your minio service (curl -v https://minio.tlsdemo.svc.cluster.local).
  4. You'll see the logs with the above-mentioned error.

Context

Regression

Your Environment

  • Version used (minio-operator): 5.0.12
  • Environment name and version (e.g. kubernetes v1.17.2): Kubernetes v1.26.4, Helm version v3.12.0
  • Server type and version: AlmaLinux release 8.5 (Arctic Sphynx)
  • Operating System and version (uname -a): Linux dev-yyk8smst1 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Tue Dec 21 13:57:48 EST 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Link to your deployment file:
@dvaldivia
Collaborator

In your busybox you need to trust the Root CA of the cluster. We use the Certificate Signing Requests from kubernetes to get the certificates we use, so please add the kubernetes root CA to your applications in order to trust this certificate.

In your busybox

cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/ssl/certs/

or have curl trust /var/run/secrets/kubernetes.io/serviceaccount/ca.crt via --cacert
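
The trust gap described above, as an added example that is not from this thread or from the MinIO project, written in Go (the operator's own language) with crypto/x509 standing in for curl. A constructed throwaway CA stands in for the cluster CA that signs the CSR-issued AutoCert certificate: verifying the service certificate against a root set without that CA fails with an unknown-authority error (curl's "unable to get local issuer certificate"), and succeeds once the CA is supplied as a root, which is what --cacert or copying ca.crt into /etc/ssl/certs does. The names minioHost, makeChain and verifyAgainst and the demo CA are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// minioHost is the service name from the thread; in a real pod the CA to trust is /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.
const minioHost = "minio.tlsdemo.svc.cluster.local"
// makeChain mints a constructed "cluster CA" and a leaf for minioHost, standing in for the CSR-issued AutoCert certificate.
func makeChain() (ca, leaf *x509.Certificate, err error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-cluster-ca"}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER) // DER produced just above is well-formed
	leafDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: minioHost}, DNSNames: []string{minioHost}, NotBefore: notBefore, NotAfter: notAfter,
	}, ca, leafPub, caPriv)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf, nil
}

// verifyAgainst validates leaf for minioHost using only the given roots, as curl --cacert does; no roots models a bundle lacking the cluster CA.
func verifyAgainst(leaf *x509.Certificate, roots ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: minioHost, Roots: pool})
	if _, unknownCA := err.(x509.UnknownAuthorityError); unknownCA {
		return "unknown-authority" // what curl reports as "unable to get local issuer certificate"
	} else if err != nil {
		return err.Error()
	}
	return "ok"
}
```

Call verifyAgainst(leaf) for the failing case from the issue and verifyAgainst(leaf, ca) for the state after the cluster CA has been added to the trust store.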

@Sanketbhandare
Author

@dvaldivia Thanks Daniel, issue stands resolved after adding root CA to applications.
