
ERROR symbolicator_service::download: Failed to fetch file list error=download failed: certificate verify failed

Open chris-laack opened this issue 1 year ago • 6 comments

Self-Hosted Version

24.1.1

CPU Architecture

x86_64

Docker Version

25.0.3, build 4debf41

Docker Compose Version

v2.24.5

Steps to Reproduce

We pass our root CA of the installation via the directory self-hosted-24.1.1/certificates. This works for the web container. However, this does not seem to work for the Symbolicator.
How can we pass our root CA to the Symbolicator so that we no longer get a certificate error?

Expected Result

no certificate error during download

Actual Result

docker logs sentry-self-hosted-symbolicator-1

024-02-13T11:59:09.766571Z ERROR symbolicator_service::download: Failed to fetch file list error=download failed: certificate verify failed
2024-02-13T12:08:01.044660909Z ERROR symbolicator_service::download: Failed to fetch file list error=download failed: certificate verify failed

Event ID

No response

chris-laack, Feb 13 '24 12:02

Have you restarted your docker containers after adding these custom certificates? Have you seen this page?

https://develop.sentry.dev/self-hosted/custom-ca-roots/

hubertdeng123, Feb 14 '24 23:02

Good morning

We use Ansible for the installation and updates of Sentry. After each successful start of the update, the entire container is restarted. Our certificate is also not present in the Symbolicator container.

Symbolicator Container:

pwd
/etc/ssl/certs
ls -la |grep -i aok
update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

It seems to me that our certificate is not being copied from the self-hosted-24.1.1/certificates directory into the Symbolicator container during the update or installation process. However, this works with the web container.

Install Log:

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Regards

Chris

chris-laack, Feb 15 '24 08:02

Interesting, if you docker compose exec into symbolicator and perform ls /usr/local/share/ca-certificates, do you see the certificates? If you do that in the web container, do you see the certificates?

hubertdeng123, Feb 16 '24 23:02

This looks as follows in both containers:

sentry-self-hosted-web-1 -> certificate available

docker exec -it sentry-self-hosted-web-1 /bin/sh
cd /usr/local/share/ca-certificates
# ls -la
total 12
drwxrwxr-x 2 root root 4096 Feb 21 09:44 .
drwxr-xr-x 1 root root   17 Nov 29 04:49 ..
-rw-rw-r-- 1 root root   50 Feb 16 16:40 .gitignore
--w----r-T 1 root root 1244 Feb 21 09:44 company-ca.crt

sentry-self-hosted-symbolicator-1 -> certificate not available

docker exec -it sentry-self-hosted-symbolicator-1 /bin/sh
cd /usr/local/share/ca-certificates
# ls -la
total 0
drwxr-xr-x 2 root root  6 Feb 14 02:07 .
drwxr-xr-x 1 root root 29 Feb 14 02:07 ..

chris-laack, Feb 21 '24 12:02

Did you run update-ca-certificates, or copy the certs in manually? You may still need to run the update script even after a manual copy.

azaslavsky, Feb 22 '24 22:02

No, I have not. Until now I assumed that this would be taken over by the docker compose script. If this is not possible, I can include the procedure in our ansible scripts. I will test this and let you know if it works.

chris-laack, Feb 23 '24 07:02

I have now added the certificate to the symbolicator container using ansible and it now works. Thanks for your help.

chris-laack, Mar 08 '24 12:03
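
The per-container check and the manual fix discussed in this thread can be scripted. This is an added example, not part of any comment above and not Sentry's own tooling. The container names, directory and certificate file name are the ones quoted in the thread; `DOCKER` is a hypothetical override variable, and running `update-ca-certificates` through `docker exec` assumes the exec user is allowed to run it.

```shell
#!/bin/sh
# Added example, not from the thread. Container and file names are the ones
# quoted above; DOCKER is a hypothetical override so the logic can be stubbed.
DOCKER=${DOCKER:-docker}
CA_DIR=/usr/local/share/ca-certificates

# has_ca CONTAINER CERT_NAME: true if CERT_NAME is listed in the container's CA_DIR.
has_ca() {
    "$DOCKER" exec "$1" ls -1A "$CA_DIR" 2>/dev/null | grep -Fxq -- "$2"
}

# added_count: read update-ca-certificates output on stdin, print the "N added" number.
added_count() {
    grep -o '[0-9][0-9]* added' | head -n 1 | cut -d' ' -f1
}

# audit_ca CERT_NAME CONTAINER...: one status line per container,
# non-zero exit status if any container lacks the certificate.
audit_ca() {
    cert=$1; shift
    rc=0
    for ctr in "$@"; do
        if has_ca "$ctr" "$cert"; then
            echo "$ctr: present"
        else
            echo "$ctr: MISSING"
            rc=1
        fi
    done
    return "$rc"
}

# install_ca CONTAINER LOCAL_CERT: copy the cert in, rebuild the trust store,
# and succeed only if the file is then visible in CA_DIR.
install_ca() {
    "$DOCKER" cp "$2" "$1:$CA_DIR/" || return 1
    out=$("$DOCKER" exec "$1" update-ca-certificates) || return 1
    echo "$1: $(printf '%s\n' "$out" | added_count) added"
    has_ca "$1" "$(basename "$2")"
}

# Usage:
#   audit_ca company-ca.crt sentry-self-hosted-web-1 sentry-self-hosted-symbolicator-1
#   install_ca sentry-self-hosted-symbolicator-1 certificates/company-ca.crt
```

A file copied in with `docker cp` lives in that container's writable layer, so the install step has to be repeated whenever the container is recreated.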