video-recorder: certificate verify failed: unable to get local issuer certificate
toby181 opened this issue · comments
Hi together,
We've deployed moon2 in version 2.5 to k8s but we're having issues with uploading the video recording to our internal s3, the upload fails with "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)".
Opening the URL of our internal S3 within a manually started Chrome pod and and uploading a file there succeeds without any certificate warning.
The internal s3 is signed by SwissSign, which is available in the browsers cert store.
Browser: chrome, version 112
Our setup is described in #377.
Thanks!
When doing a curl to our s3, which is a MinIO instance, we get this:
curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
@toby181 you then have to add your TLS certificate provide CA to additional trusted CAs: https://aerokube.com/moon/latest/#ca-certs
@vania-pooh
I already did that. I've exported the certificate chain (in total 4 certs) base64 encoded and added it to the additionalTrustedCAs in both the order it was exported and in reversed order.
I've already tried the CA only.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &name moon2
namespace: moon1
spec:
releaseName: *name
interval: 5m
timeout: 15m
chart:
spec:
chart: moon2
version: 2.5.0
sourceRef:
kind: HelmRepository
name: ...
namespace: ...
values:
quota:
moon:
namespace: ...
ingress:
enabled: true
...
configs:
default:
sessionTimeout: 10m
additionalTrustedCAs: |
-----BEGIN CERTIFICATE-----
In the video-recorder pod I'm testing the connection with curl and got the following results.
$ curl https://minio.example.com/
curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
$ export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
$ curl https://minio.example.com/
-> "AccessDenied" response, which is good
@aandryashin any ideas?
