Getting x509 error when adding http repository to downstream cluster in Rancher

Article Number: 000021250

Environment

- Rancher 2.6.x, 2.7.x and Rancher 2.8.x

Situation

- The 'http' type repository is in 'downloading' status with the error message "Get <HTTP git repo url>:x509:certificate signed by unknown authority".

Resolution

- The error occurs when the repository uses a certificate signed by a private CA. The solution is to add the CA certificate to the HTTP-based repo.

- Follow the steps below to add the custom CA certificate to the HTTP-based repo:

Steps:

A) Get the "caBundle" value: The caBundle key holds a base64-encoded DER certificate, and you can generate it using the command below.

openssl x509 -outform der -in ca.pem | base64 -w0

Note: Make sure to replace ca.pem in the above command with your own CA certificate file.

B) Go to the Rancher UI -> select the downstream cluster -> edit the rancher-repo, choose "Edit YAML", and add the value resulting from the step above in the 'caBundle' field as shown below:

spec:
  forceUpdate: ""
  url: https://[url]
  caBundle: "<add_value_here>"

C) (Optional) If you do not want to add the custom CA and want to ignore/bypass the error, add the 'insecureSkipTLSVerify: true' flag, which disables TLS certificate verification for this repository, to the ClusterRepo specification as shown below:

spec:
  clientSecret: null
  forceUpdate: "2023-08-10T05:42:22Z"
  insecureSkipTLSVerify: true              # << Note here
  url: <URL>
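
A way to check the value from step A before pasting it in step B, as an added example that is not part of the original article: it rejects a value that is wrapped or that encodes the PEM text instead of the DER bytes, and confirms the value matches the source certificate. The function names and the throwaway demo CA are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the article); function names are hypothetical.

# Step A: PEM CA certificate -> single-line base64 DER (same result as base64 -w0).
make_ca_bundle() {
  openssl x509 -outform der -in "$1" | base64 | tr -d '\n'
}

# Succeeds only if VALUE is one unwrapped base64 line that decodes to a DER
# certificate with the same SHA-256 fingerprint as the PEM file.
check_ca_bundle() {
  local value="$1" pem="$2" first want got
  [ -n "$value" ] || return 1
  # Any space or line break means the value was wrapped or padded when copied.
  [ "$value" = "$(printf '%s' "$value" | tr -d ' \t\r\n')" ] || return 1
  # DER starts with an ASN.1 SEQUENCE tag (0x30); base64 of PEM text starts with '-'.
  first=$(printf '%s' "$value" | base64 -d 2>/dev/null | head -c1 | od -An -tx1 | tr -d ' \n')
  [ "$first" = "30" ] || return 1
  want=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null) || return 1
  got=$(printf '%s' "$value" | base64 -d 2>/dev/null |
        openssl x509 -inform der -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ "$want" = "$got" ]
}

# Constructed sample input: a throwaway self-signed CA written to DIR/ca.pem.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
bundle=$(make_ca_bundle "$demo_dir/ca.pem")
if check_ca_bundle "$bundle" "$demo_dir/ca.pem"; then
  printf 'caBundle: "%s"\n' "$bundle"   # line to paste under spec:
else
  echo "caBundle value failed validation" >&2
fi
```

To use it with a real CA, call `make_ca_bundle` and `check_ca_bundle` with the path to your own ca.pem instead of the demo file.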