Bug 2033212 - Get x509 error while running oc adm release mirror with --certificate-authority option
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Ross Peoples
QA Contact: zhou ying
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-16 08:46 UTC by Yunfei Jiang
Modified: 2023-01-17 14:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-17 14:06:04 UTC
Target Upstream Version:
Embargoed:


Description Yunfei Jiang 2021-12-16 08:46:33 UTC
Mirroring images from the mirror registry server using the `oc adm release mirror` command with the `--certificate-authority=./client_ca.crt` option gives the following x509 error:
```
x509: certificate signed by unknown authority
```

Additionally, if I trust this CA at the OS level:
```
sudo cp ./client_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
```
and then run the `oc adm release mirror` command (without the `--certificate-authority` option), the images are mirrored successfully without errors, which means the client_ca.crt is correct, but `--certificate-authority` does not work.

What did you expect to happen?
When `./client_ca.crt` is not trusted at the OS level, running the `oc adm release mirror` command with the `--certificate-authority=./client_ca.crt` option should mirror images from the remote server successfully without error.

oc version:
4.10.0-0.nightly-2021-12-06-201335

Comment 1 Maciej Szulik 2021-12-16 11:17:07 UTC
Can you provide me with a -v=9 output? I'm curious which specific URL is returning that error, since there are apiserver and image registry clients. The former should already be wired to --certificate-authority, but it's possible that the latter might not be; without full output it's hard to figure this one out.
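The distinction raised in Comment 1, shown as an added Go example that is not part of the original report and is not oc's own code: two HTTPS clients in one process talk to the same server, and only the one whose TLS configuration was given the CA bundle succeeds. The local test server, the helper names (`get`, `probe`, `isUnknownAuthority`) and the use of an empty root pool to stand in for a client the flag never reached are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// get fetches url with a client that trusts only the CAs in caPEM
// (an empty bundle stands in for a client the CA flag never reached).
func get(url string, caPEM []byte) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM)
	c := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// probe starts a constructed local TLS server and returns the error seen by
// a client without the CA and by a client given the CA as PEM.
func probe() (unwired, wired error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") }))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return get(srv.URL, nil), get(srv.URL, caPEM)
}

// isUnknownAuthority reports whether err wraps x509.UnknownAuthorityError.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	unwired, wired := probe()
	fmt.Println("without CA:", unwired, "| unknown authority:", isUnknownAuthority(unwired))
	fmt.Println("with CA:   ", wired)
}
```

Because each client carries its own `tls.Config`, a CA file loaded for one client has no effect on another, which is why the URL in the `-v=9` output identifies the client that failed.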

