certificate signed by unknown authority #2444

Open
ysiivan opened this issue Jul 24, 2024 · 2 comments

ysiivan commented Jul 24, 2024

Trying to build a function fails with tls: failed to verify certificate: x509: certificate signed by unknown authority

end of output:
...
paketo-buildpacks/pip-install     0.6.1
paketo-buildpacks/python-start    0.14.15
paketo-buildpacks/procfile        5.8.0
===> RESTORING
===> BUILDING
target distro name/version labels not found, reading /etc/os-release file

Paketo Buildpack for CA Certificates 3.7.0
  https://github.com/paketo-buildpacks/ca-certificates
  Launch Helper: Contributing to layer
    Creating /layers/paketo-buildpacks_ca-certificates/helper/exec.d/ca-certificates-helper
Paketo Buildpack for CPython 1.13.0
  Resolving CPython version
    Candidate version sources (in priority order):
                -> ""
      <unknown> -> ""

    Selected CPython version (using ): 3.10.14

  Executing build process
    Installing CPython 3.10.14
failed to fetch dependency: failed to make request: Get "https://artifacts.paketo.io/python/python_3.10.14_linux_x64_jammy_9e7c333f.tgz": tls: failed to verify certificate: x509: certificate signed by unknown authority
ERROR: failed to build: exit status 1

Error: failed to build the function: executing lifecycle: failed with status code: 51

I am behind the company's SSL-terminating/traffic-inspecting appliance and I'm used to having to tweak different systems to set the custom certificates.

The question is - how to do it for knative? I followed this, but it made no difference.

Any help?

P.S. Incidentally, the documentation shows creating a secret named customca, yet it is referred to in the controller's yaml as custom-certs.

@ysiivan ysiivan changed the title "certificate signed by unknown authority"? certificate signed by unknown authority Jul 24, 2024
@ReToCode ReToCode transferred this issue from knative/serving Jul 25, 2024
@ReToCode
Member

Moved from Serving. CC @knative/func-writers

jordanbecketmoore commented Aug 19, 2024

@ysiivan I've found a solution for myself to this issue. You need to tell your buildpacks where your ca-certificates.crt is. You can do this by setting the buildEnvs in your func.yaml file. Set SSL_CERT_DIR to wherever it is you keep your certificates. If you have the SSL_CERT_DIR env set in your environment already, you can use the below mustache syntax to inject it.

runtime: python
registry: registry.local:5000
created: 2024-08-20T00:47:41.658874026+10:00
build:
  builder: pack
  buildEnvs:
  - name: SSL_CERT_DIR
    value: '{{ env:SSL_CERT_DIR }}'

If this still isn't working for you, you can always place your ca-certificates.crt in your function's working directory and replace {{ env:SSL_CERT_DIR }} with /workspace
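
Why putting the inspecting appliance's CA where the build looks for roots clears this error, as an added Go example (not code from Knative, Paketo or this thread): it reproduces Go's `x509: certificate signed by unknown authority` with a constructed CA and re-signed leaf, then verifies again once the CA is in the trust directory. The CA name and the functions `issue`, `verifyWithDir` and `demo` are hypothetical, and reading a single bundle file is a simplification of how Go treats SSL_CERT_DIR.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// issue returns a short-lived certificate for cn signed by parent, or a self-signed CA if parent is nil.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		tpl.IsCA, tpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, pkey = tpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyWithDir trusts only dir/ca-certificates.crt (Go itself reads every file in SSL_CERT_DIR).
func verifyWithDir(leaf *x509.Certificate, dir string) error {
	pool := x509.NewCertPool()
	bundle, _ := os.ReadFile(dir + "/ca-certificates.crt") // a missing file leaves the pool empty
	pool.AppendCertsFromPEM(bundle)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err
}

// demo verifies a constructed, appliance-style re-signed leaf before and after its CA is added.
func demo() (before, after error) {
	dir, _ := os.MkdirTemp("", "ssl-cert-dir")
	defer os.RemoveAll(dir)
	ca, caKey := issue("inspection-ca.example.internal", nil, nil) // constructed corporate CA
	leaf, _ := issue("artifacts.paketo.io", ca, caKey)
	before = verifyWithDir(leaf, dir)
	os.WriteFile(dir+"/ca-certificates.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), 0o644)
	return before, verifyWithDir(leaf, dir)
}

func main() { fmt.Println(demo()) }
```

The first value printed is the same x509 error as in the build log; the second is `<nil>` because the chain now ends in a trusted root.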
