
Podman-desktop does not pick up system certificates.

Open janderssonse opened this issue 1 year ago • 6 comments

Bug description

Upon starting Podman Desktop, it won't respect system certificates. While I have specific root certificates configured for my cluster, other applications like Podman itself, curl, Java/Maven, and npm correctly use the system certificates (with appropriate configuration). However, Podman Desktop fails with errors like:

"Trying to watch pods on the kubernetes context named 'a-path-to-ns' but got a connection refused, retrying the connection in 21s. FetchError: request to https://url-to-cluster-names/pods failed, reason: unable to verify the first certificate"

Looking at the source code, specifically certificates.ts, I noticed Podman Desktop attempts to read certificates from /etc/ssl/certs. However, I can't find any explicit settings to specify a certificates directory or point to a ca-certificates.crt file to verify if that works or not. What's the proper way to configure certificate handling in Podman Desktop, using it without podman machine, on pure Linux?

Operating system

Ubuntu 22.04.x - latest updates.

Installation Method

Unpacking Tar.gz for Linux. Also tried the flatpak, same results.

Version

1.14.1

Steps to reproduce

In Ubuntu 22.04, with Podman 4.6.2 installed, add a custom cert, for example to a cluster. Verify it works with apps using the system certs, or that are configured to use the system certs (kubectl etc.), then start up podman-desktop and see that it fails with messages as described.

Relevant log output


Additional context

One solution suggestion would be a configuration option to let the user have the choice to point out system certificates.

janderssonse avatar Dec 10 '24 21:12 janderssonse

Are you using the binary (from the .tgz) or flatpak installation?

benoitf avatar Dec 10 '24 21:12 benoitf

I'm using the flatpak install and noticed the same

agreedSkiing avatar Dec 11 '24 08:12 agreedSkiing

Are you using the binary (from the .tgz) or flatpak installation?

I started with the flatpak, had the above problems, gave flatpak permissions to read system certs folder, same, then went for the tar version and same effect.

janderssonse avatar Dec 11 '24 08:12 janderssonse

I experience the same behavior. Maybe this is related to the issue, that the flatpak would need to use the p11-kit as mentioned here: https://github.com/flatpak/flatpak/issues/2721?

white-gecko avatar Mar 10 '25 12:03 white-gecko

Upon starting Podman Desktop, it won't respect system certificates. While I have specific root certificates configured for my cluster, other applications like Podman itself, curl, Java/Maven, and npm correctly use the system certificates (with appropriate configuration). However, Podman Desktop fails with errors like:

@janderssonse what is the result in your filesystem of having specific root certificates? Do you have additional .crt file in /etc/ssl/certs? Or in another directory?

I can see in podman sources:

// SetupCertificates opens all .crt, .cert, and .key files in dir and appends / loads certs and key pairs as appropriate to tlsc

while Podman Desktop only loads ca-certificates.crt and ca-bundle.crt files, and only in /etc/ssl/certs.

feloy avatar May 22 '25 12:05 feloy

@janderssonse in order to reproduce your issue, can you tell us how you register your private certificate and where it is stored in your system?

jeffmaury avatar Jun 04 '25 14:06 jeffmaury

@jeffmaury I can confirm this issue on Mac OS 15.5. The certificate is installed in the login keychain, trusted and recognized in Chrome, Firefox, curl...

podman-desktop is installed via brew in version 1.19.2.

bo0ts avatar Jun 30 '25 08:06 bo0ts

@janderssonse in order to reproduce your issue, can you tell us how you register your private certificate and where it is stored in your system?

I've just realized that you have raised a so far unanswered question regarding the reproduction of the issue.

In my case I install the root-ca/issuing-ca that I want to trust as a .pem file into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. (These steps are also documented here: https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/)

kubectl can access the respective kubernetes/openshift, while podman-desktop can't.

(I've just confirmed with podman-desktop v1.21.0 that the issue still exists.)

white-gecko avatar Sep 02 '25 08:09 white-gecko

Note: Original issue reported on Ubuntu, but some users are reporting having the same issue with installation via brew, adding proper label.

odockal avatar Sep 11 '25 11:09 odockal