Getting x509 error when adding http repository to downstream cluster in Rancher
This document (000021250) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Resolution
- Follow the steps below to add the custom CA certificate to an HTTP-based repository:
Steps:
A) Get the "caBundle" key: The caBundle key is a base64 encoded DER certificate, and you can get it using the command below.
    openssl x509 -outform der -in ca.pem | base64 -w0

Note: Make sure to replace ca.pem in the above command with your own CA certificate file.
B) Go to the Rancher UI -> select the downstream cluster -> edit the rancher-repo, choose "Edit YAML", and add the value produced in step A to the 'caBundle' field as shown below:
    spec:
      forceUpdate: ""
      url: https://[url]
      caBundle: "<add_value_here>"
C) (Optional) If you do not want to add the custom CA and instead want to ignore/bypass the error by skipping TLS certificate verification, add the 'insecureSkipTLSVerify: true' flag to the ClusterRepo specification as shown below:
    spec:
      clientSecret: null
      forceUpdate: "2023-08-10T05:42:22Z"
      insecureSkipTLSVerify: true   # << Note here
      url: <URL>
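A check worth running before pasting the value from step A into the YAML in step B, as an added example that is not part of the SUSE article: it confirms that the CA really signs the repository's server certificate and that the caBundle value decodes back to that same CA. The function names, file paths and the host name repo.example.test are assumptions, the certificates are constructed throwaway test material, and it needs openssl and GNU base64.

```shell
#!/bin/sh
# Added example (not from the SUSE article). All certificates are constructed
# test material; function names and paths are assumptions for illustration.
set -eu

# Step A of the article: base64-encoded DER form of the CA certificate.
make_cabundle() {        # $1 = CA certificate (PEM)
  openssl x509 -outform der -in "$1" | base64 -w0
}

# SHA-256 fingerprint of the certificate on stdin. $1 = pem | der
fingerprint() {
  openssl x509 -inform "$1" -noout -fingerprint -sha256
}

# True if the caBundle value decodes back to the same certificate as the PEM.
cabundle_matches() {     # $1 = caBundle value, $2 = CA certificate (PEM)
  [ "$(printf '%s' "$1" | base64 -d | fingerprint der)" = "$(fingerprint pem <"$2")" ]
}

# True if the repository's server certificate chains to the given CA.
chains_to_ca() {         # $1 = CA certificate (PEM), $2 = server cert (PEM)
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed PKI: the CA that signs the repo certificate, plus an unrelated CA.
new_ca() {               # $1 = output prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
work=$(mktemp -d)
new_ca "$work/ca" "Constructed Repo CA"
new_ca "$work/other" "Constructed Unrelated CA"
openssl req -newkey rsa:2048 -nodes -subj "/CN=repo.example.test" \
  -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
  -CAcreateserial -days 1 -out "$work/srv.pem" 2>/dev/null

for ca in "$work/ca.pem" "$work/other.pem"; do
  if chains_to_ca "$ca" "$work/srv.pem"; then
    bundle=$(make_cabundle "$ca")
    cabundle_matches "$bundle" "$ca" &&
      printf 'OK  %s -> caBundle: "%.24s..."\n' "$ca" "$bundle"
  else
    printf 'NO  %s does not sign the repo certificate; x509 errors would remain\n' "$ca"
  fi
done
```

Against a real repository, the server certificate file would come from the repository host instead of the constructed srv.pem.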
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021250
- Creation Date: 26-Oct-2023
- Modified Date: 27-Mar-2024
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com