certificate signed by unknown authority
Trying to build a function fails with tls: failed to verify certificate: x509: certificate signed by unknown authority
end of output:
...
paketo-buildpacks/pip-install 0.6.1
paketo-buildpacks/python-start 0.14.15
paketo-buildpacks/procfile 5.8.0
===> RESTORING
===> BUILDING
target distro name/version labels not found, reading /etc/os-release file
Paketo Buildpack for CA Certificates 3.7.0
https://github.com/paketo-buildpacks/ca-certificates
Launch Helper: Contributing to layer
Creating /layers/paketo-buildpacks_ca-certificates/helper/exec.d/ca-certificates-helper
Paketo Buildpack for CPython 1.13.0
Resolving CPython version
Candidate version sources (in priority order):
-> ""
<unknown> -> ""
Selected CPython version (using ): 3.10.14
Executing build process
Installing CPython 3.10.14
failed to fetch dependency: failed to make request: Get "https://artifacts.paketo.io/python/python_3.10.14_linux_x64_jammy_9e7c333f.tgz": tls: failed to verify certificate: x509: certificate signed by unknown authority
ERROR: failed to build: exit status 1
Error: failed to build the function: executing lifecycle: failed with status code: 51
I am behind the company's ssl terminating/traffic inspecting appliance and I'm used to having to tweak different systems to set the custom certificates.
The question is - how to do it for knative? I followed this, but it made no difference.
Any help?
P.S. Incidentally, the documentation shows creating a secret named customca, yet it is referred to in the controller's yaml as custom-certs.
Moved from Serving. CC @knative/func-writers
@ysiivan I've found a solution for myself to this issue. You need to tell your buildpacks where your ca-certificates.crt is. You can do this by setting the buildEnvs in your func.yaml file. Set SSL_CERT_DIR to wherever it is you keep your certificates. If you have the SSL_CERT_DIR env set in your environment already, you can use the below mustache syntax to inject it.
runtime: python
registry: registry.local:5000
created: 2024-08-20T00:47:41.658874026+10:00
build:
  builder: pack
  buildEnvs:
  - name: SSL_CERT_DIR
    # Quoted so YAML reads the template as a string; resolved from the local environment
    value: '{{ env:SSL_CERT_DIR }}'
If this still isn't working for you, you can always place your ca-certificates.crt in your function's working directory and replace {{ env:SSL_CERT_DIR }} with /workspace
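Added example, not part of the thread or of any project's code: the message in the log is the error Go's crypto/x509 verifier returns when no trusted root signs the presented chain. The sketch builds a constructed inspection CA and a leaf it reissues for artifacts.paketo.io (the CA name, `issue` and `Check` are assumptions), then verifies the leaf against a trust store without that CA and one with it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // self-signed root, standing in for the appliance's CA
		t.IsCA, t.KeyUsage, parent, signer = true, t.KeyUsage|x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Check verifies the reissued leaf without and then with the CA in the trust store.
func Check() (without, with error) {
	const host = "artifacts.paketo.io" // host from the failing request in the log
	ca, caKey := issue("inspection-ca.example.internal", nil, nil) // constructed name
	leaf, _ := issue(host, ca, caKey)
	fixed := x509.NewCertPool() // trust store that includes the appliance CA
	fixed.AddCert(ca)
	// An empty pool stands in for a builder image bundle that lacks the CA.
	_, without = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	_, with = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: fixed})
	return
}

func main() {
	fmt.Println(Check())
}
```

On Linux, Go's crypto/x509 builds its system trust store from SSL_CERT_FILE and SSL_CERT_DIR when they are set, so the directory named in buildEnvs has to contain the appliance's CA for the second result to apply.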
This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.