This Certificate Was Signed by an Unknown Authority

this certificate was signed by an unknown authority

SOLVED!

The problem was missing apple WWDR intermediate certificate.

We must also install the WWDR intermediate certificate issued by Apple’s worldwide developer relations. It can be downloaded from the portal or directly at
http://developer.apple.com/certificationauthority/AppleWWDRCA.cer
Make sure you add this to your keychain as well.

To add the certificate: open your keychain utility software on your Mac computer, then go to File→Import items, then select AppleWWDRCA.cer.

flux deployment error X509 certificate signed by unknown authority

Flux doesn't trust the certificate presented by your git server github.xxxxxx.com

Quick workaround is to use --insecure-skip-tls-verify flag as described here: https://fluxcd.io/docs/cmd/flux_bootstrap_git/

Full command:

flux create source helm label-webhook --url https://github.xxxxxx.com/user1/test-repo/tree/main/chart --namespace label-webhook --cert-file=./tls/label-webhook.pem --key-file=./tls/label-webhook-key.pem --ca-file=./tls/ca.pem --verbose --insecure-skip-tls-verify

It's interesting there wasn't problem with flux bootstrap git step but it probably just create configuration for repository in this step and not establish connection to it.

Whatever certificates you are generating don't have anything to do with your GIT server TLS certificate. Seems you're doing some admission webhook magic but the certs you generate there have nothing in common with github.xxxxxx.com certificate so there is no need to specify if in --ca-file flag.

Permanent solution is to get the CA certificate that signed the github.xxxxxx.com so you need to ask the administrators of the GIT server to provide you CA file and specify that one in --ca-file flag. Not the one you created for your webhook experiments.

Related Topics