Citizen with certificate as a kubernetes secret - doesn't work
@outsideris @AndriiOmelianenko @robburger
I've deployed citizen as a pod in kubernetes cluster and have set up a certificate signed by a public CA authority (not self-signed). Cert is stored in kubernetes secret (from tls.crt and tls.key).
Exposed port 3000 of the container with a kubernetes service to port 443 and setup an ingress resource with TLS.
When reaching out to my registry URL "https://tfregistry.mydomain.com/health" I receive OK, so the setup seems to be correct. Also in Google Chrome there are no complaints about SSL -- it is as expected.
However, when trying to push to my registry (using the binaries "citizen-win" from a Windows 10 machine or "citizen-linux" from Red Hat 7.5), I'm facing the following issue.
command:

```
citizen module infra storage azurerm 1.0.0 --registry https://tfregistry.mydomain.com
```

response:

```
√ compress the terraform module
× publish infra/storage/azurerm/1.0.0
RequestError: unable to verify the first certificate
    at ClientRequest.<anonymous> (C:\snapshot\citizen\node_modules\got\dist\source\core\index.js:956:111)
    at Object.onceWrapper (events.js:422:26)
    at ClientRequest.emit (events.js:327:22)
    at ClientRequest.<anonymous> (C:\snapshot\citizen\node_modules\@szmarczak\http-timer\dist\source\index.js:39:20)
    at TLSSocket.socketErrorListener (_http_client.js:467:9)
    at TLSSocket.emit (events.js:315:20)
    at emitErrorNT (internal/streams/destroy.js:100:8)
    at emitErrorCloseNT (internal/streams/destroy.js:68:3)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)
    at TLSSocket.onConnectSecure (_tls_wrap.js:1496:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:931:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:705:12) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  timings: {
    start: 1645783553415,
    socket: 1645783553419,
    lookup: 1645783553501,
    connect: 1645783553565,
    secureConnect: undefined,
    upload: undefined,
    response: undefined,
    end: undefined,
    error: 1645783553605,
    abort: undefined,
    phases: {
      wait: 4,
      dns: 82,
      tcp: 64,
      tls: undefined,
      request: undefined,
      firstByte: undefined,
      download: undefined,
      total: 190
    }
  }
}
```
Setting NODE_TLS_REJECT_UNAUTHORIZED to 0 (as an env. var. both in the registry container and on the machine from where I'm pushing the module) did not resolve the problem. I've tried using images older than 0.4.0 (latest) - same issue.
Can you please help with troubleshooting?
Update: It seems like there wasn't a full cert chain in the k8s secret. I've now rectified that, and am getting a new error now:

```
√ compress the terraform module
× publish infra/storage/azurerm/1.0.0
HTTPError: Response code 500 (Internal Server Error)
    at Request.<anonymous> (C:\snapshot\citizen\node_modules\got\dist\source\as-promise\index.js:117:42)
    at processTicksAndRejections (internal/process/task_queues.js:97:5) {
  code: undefined,
  timings: {
    start: 1645792475308,
    socket: 1645792475311,
    lookup: 1645792475365,
    connect: 1645792475397,
    secureConnect: 1645792475438,
    upload: 1645792475440,
    response: 1645792475504,
    end: 1645792475508,
    error: undefined,
    abort: undefined,
    phases: {
      wait: 3,
      dns: 54,
      tcp: 32,
      tls: 41,
      request: 2,
      firstByte: 64,
      download: 4,
      total: 200
    }
  }
}
```
In this case the problem was a missing env. var. for AWS_REGION for s3, it solved the issue.
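The root cause found above (a `tls.crt` in the Kubernetes secret that held only the leaf certificate, so Node's TLS client could not build a path to a trusted root) can be confirmed before a single module push fails. The script below is an added example written for this issue, not part of the citizen project. It pulls `tls.crt` out of the secret with `kubectl`, classifies the bundle as leaf-only or a full chain, verifies it against the system trust store with `openssl verify` (a public CA, as in the report), and compares it with what the ingress actually serves. The secret name `tfregistry-tls`, the namespace `default`, and the script filename `check-chain.sh` are assumptions; the hostname is the one from the report.

```shell
#!/bin/sh
# Added example, not part of the citizen project: diagnose the failure mode in
# this issue, a kubernetes.io/tls secret whose tls.crt holds only the leaf
# certificate. Node's TLS client then cannot build a path to a trusted root and
# got reports UNABLE_TO_VERIFY_LEAF_SIGNATURE. The live checks need kubectl and
# openssl; the inspection helpers work on any PEM file.

# Number of PEM certificate blocks in a file (prints 0 when there are none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify a tls.crt bundle: "empty", "leaf-only" (the symptom in this issue),
# or "chain" (leaf followed by one or more intermediates).
chain_status() {
  n=$(count_certs "$1")
  if [ "$n" -eq 0 ]; then
    echo empty
  elif [ "$n" -eq 1 ]; then
    echo leaf-only
  else
    echo chain
  fi
}

# Pull tls.crt out of a kubernetes.io/tls secret and decode it to a file.
# Args: secret name, namespace, output path. (The dot in tls.crt is escaped
# so jsonpath treats it as part of the key.)
dump_secret_cert() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$3"
}

# Verify the bundle the way a client would: the first cert is the leaf, the
# rest are offered as untrusted intermediates, and the root must come from
# the system trust store. Returns 0 on success, 1 otherwise.
verify_bundle() {
  leaf=$(mktemp)
  openssl x509 -in "$1" -out "$leaf"   # x509 reads only the first certificate
  if openssl verify -untrusted "$1" "$leaf"; then rc=0; else rc=1; fi
  rm -f "$leaf"
  return $rc
}

# Show what the ingress actually serves. A chain that stops at the leaf prints
# "Verify return code: 21 (unable to verify the first certificate)", the
# openssl counterpart of Node's UNABLE_TO_VERIFY_LEAF_SIGNATURE.
check_served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -E 'Verify return code|^ *[0-9]+ s:'
}

# Usage: ./check-chain.sh <secret> <namespace> <hostname>
# e.g.   ./check-chain.sh tfregistry-tls default tfregistry.mydomain.com
#        (secret name and namespace are assumed values)
if [ $# -ge 3 ]; then
  bundle=$(mktemp)
  dump_secret_cert "$1" "$2" "$bundle"
  echo "tls.crt contains $(count_certs "$bundle") certificate(s): $(chain_status "$bundle")"
  verify_bundle "$bundle" || echo "bundle does not verify against the system trust store"
  check_served_chain "$3"
  rm -f "$bundle"
fi
```

A `leaf-only` result on a publicly signed certificate is exactly the configuration the report started with: recreate the secret with `tls.crt` containing the leaf followed by the CA's intermediate(s). If the registry is instead signed by a private CA, pointing `NODE_EXTRA_CA_CERTS` at that CA's PEM bundle lets the citizen client verify the server without disabling certificate checks via `NODE_TLS_REJECT_UNAUTHORIZED=0`.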
As a quick solution (not recommended) I added a system env variable so that node.js ignores SSL cert validation: `export NODE_TLS_REJECT_UNAUTHORIZED=0`