Getting x509 error when adding http repository to downstream cluster in Rancher
This document (000021250) is provided subject to the disclaimer at the end of this document.
Environment
- Rancher 2.6.x, 2.7.x and Rancher 2.8.x
Situation
- The 'http' type repository is in 'downloading' status with the error message "Get
Resolution
- The error occurs when the repository uses a certificate signed by a private CA. To resolve it, add the CA certificate to the HTTP-based repo.
- Follow the steps below to add the custom CA certificate to the HTTP-based repo:
Steps:
A) Get the "caBundle" key: The caBundle key is a base64 encoded DER certificate, and you can get it using the command below.
openssl x509 -outform der -in ca.pem | base64 -w0
Note: Replace ca.pem in the above command with your own CA certificate file.
B) In the Rancher UI, select the downstream cluster, edit the rancher-repo, choose "Edit YAML", and add the value produced in the step above to the 'caBundle' field as shown below:
spec:
  forceUpdate: ""
  url: https://[url]
  caBundle: "<add_value_here>"
C) (Optional) If you do not want to add the custom CA and want to ignore/bypass the error, add the 'insecureSkipTLSVerify: true' flag to the ClusterRepo specification as shown below. With this flag set, the repository's TLS certificate is not verified:
spec:
  clientSecret: null
  forceUpdate: "2023-08-10T05:42:22Z"
  insecureSkipTLSVerify: true   # <-- note here
  url: <URL>
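Steps A and B as a script, added here as an example and not part of the original article: it rejects a file that does not parse as a certificate, warns when the file holds more than one certificate (openssl x509 encodes only the first), and decodes the resulting value again to confirm it is a CA certificate before printing the caBundle line. The function names and the throwaway CA generated when no file is given are constructed for illustration; GNU base64 and OpenSSL 1.1.1 or later are assumed.

```bash
# Added example: build a caBundle value and check it before pasting it into the YAML.

# make_ca_bundle FILE: print base64 of the DER form of the first certificate in FILE.
make_ca_bundle() {
  if ! openssl x509 -in "$1" -noout 2>/dev/null; then
    echo "error: $1 does not contain a parsable PEM certificate" >&2
    return 1
  fi
  # openssl x509 reads only the first certificate of a multi-certificate file.
  mcb_count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1") || true
  if [ "${mcb_count:-0}" -gt 1 ]; then
    echo "warning: $1 holds $mcb_count certificates; only the first is encoded" >&2
  fi
  openssl x509 -outform der -in "$1" | base64 -w0
}

# ca_bundle_is_ca VALUE: succeed only if VALUE decodes to a certificate marked CA:TRUE.
ca_bundle_is_ca() {
  printf '%s' "$1" | base64 -d 2>/dev/null |
    openssl x509 -inform der -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# ca_bundle_subject VALUE: print subject and expiry date of the decoded certificate.
ca_bundle_subject() {
  printf '%s' "$1" | base64 -d | openssl x509 -inform der -noout -subject -enddate
}

# make_demo_ca DIR: write a constructed, throwaway CA to DIR/ca.pem (sample input only).
make_demo_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n' > "$1/ca.cnf"
  printf '[dn]\nCN=Constructed Example CA\n[v3]\nbasicConstraints=critical,CA:TRUE\n' >> "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# With a file argument, encode that CA; with none, run on the constructed CA.
demo_dir=$(mktemp -d)
if [ $# -ge 1 ]; then ca_file=$1; else make_demo_ca "$demo_dir" && ca_file=$demo_dir/ca.pem; fi
if value=$(make_ca_bundle "$ca_file"); then
  ca_bundle_subject "$value"
  ca_bundle_is_ca "$value" || echo "warning: certificate is not marked CA:TRUE" >&2
  printf 'caBundle: "%s"\n' "$value"
fi
rm -rf "$demo_dir"
```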
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.