Bug 2033212

Summary: Get x509 error while running oc adm release mirror with --certificate-authority option
Product: OpenShift Container Platform Reporter: Yunfei Jiang <yunjiang>
Component: oc    Assignee: Ross Peoples <rpeoples>
oc sub component: oc QA Contact: zhou ying <yinzhou>
Status: CLOSED WONTFIX Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, jima, jpower, mfojtik, mhrivnak, vdinh
Version: 4.10   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-17 14:06:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yunfei Jiang 2021-12-16 08:46:33 UTC
Mirroring images from the mirror registry server using the `oc adm release mirror` command with the `--certificate-authority=./client_ca.crt` option gets the following x509 error:
```
x509: certificate signed by unknown authority
```

Additionally, if this CA is trusted at the OS level:
```
sudo cp ./client_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
```
running the `oc adm release mirror` command (without the `--certificate-authority` option) mirrors the images successfully without errors, which means client_ca.crt is correct but `--certificate-authority` does not work.

What did you expect to happen?
When `./client_ca.crt` is not trusted at the OS level, running the `oc adm release mirror` command with the `--certificate-authority=./client_ca.crt` option could mirror images from the remote server successfully without error.

oc version:
4.10.0-0.nightly-2021-12-06-201335

Comment 1 Maciej Szulik 2021-12-16 11:17:07 UTC
Can you provide me with a -v=9 output? I'm curious which specific URL is returning that error, since there are apiserver and image registry clients. The former should already be wired to --certificate-authority, but it's possible that the latter might not be; without the full output it's hard to figure this one out.
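The behaviour the report describes, reproduced as an added Go example that is not oc's own code: a throwaway httptest server with a constructed self-signed certificate stands in for the mirror registry, and the same endpoint fails verification against the system trust store but verifies once its certificate is supplied the way a --certificate-authority file should be, which is the client wiring Comment 1 asks about.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"net/http"
	"net/http/httptest"
)

// verifyWith does what a registry client honouring --certificate-authority
// should do: a non-nil caPEM becomes the only trusted root set; nil leaves Go
// on the host's system store (the update-ca-trust path in the report).
// A nil return means the server's chain verified.
func verifyWith(url string, caPEM []byte) error {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return errors.New("no certificates parsed from CA file")
		}
		cfg.RootCAs = pool // replaces, rather than extends, the system roots
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// isUnknownAuthority reports whether err wraps the x509 "certificate signed
// by unknown authority" failure quoted in the report.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo stands up a throwaway TLS server (constructed: httptest's self-signed
// certificate) and probes it with system trust only, then with that
// certificate supplied as the CA file.
func demo() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return verifyWith(srv.URL, nil), verifyWith(srv.URL, caPEM)
}
```

A -v=9 run of oc shows which client (apiserver or registry) hits the x509 error; the distinction matters because RootCAs on one transport does nothing for the other.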