Closed toby181 closed 1 year ago
When doing a curl to our s3, which is a MinIO instance, we get this: curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
@toby181 you then have to add your TLS certificate provider CA to additional trusted CAs: https://aerokube.com/moon/latest/#ca-certs
@vania-pooh I already did that. I've exported the certificate chain (in total 4 certs) base64 encoded and added it to the additionalTrustedCAs in both the order it was exported and in reversed order. I've already tried the CA only.
```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: &name moon2
  namespace: moon1
spec:
  releaseName: *name
  interval: 5m
  timeout: 15m
  chart:
    spec:
      chart: moon2
      version: 2.5.0
      sourceRef:
        kind: HelmRepository
        name: ...
        namespace: ...
  values:
    quota:
      moon:
        namespace: ...
    ingress:
      enabled: true
      ...
    configs:
      default:
        sessionTimeout: 10m
        additionalTrustedCAs: |
          -----BEGIN CERTIFICATE-----
```
In the video-recorder pod I'm testing the connection with curl and got the following results.
```
$ curl https://minio.example.com/
curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
$ export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
$ curl https://minio.example.com/
```
-> "AccessDenied" response, which is good
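The curl session above fails with error 77 for one CAfile path and works once `CURL_CA_BUNDLE` points at another. As an added example (not from this thread and not Moon's code), this shell sketch reports which well-known CA bundle path a container image actually provides and how many PEM certificates it holds. The function names and the optional root-prefix argument are assumptions, and `/etc/ssl/cert.pem` is an extra candidate path not mentioned in the thread.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# Print the number of PEM certificate blocks in file $1 (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    # grep -c exits 1 when it counts zero matches, so mask that status.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify a CAfile path the way it matters for curl error 77:
# missing, present but holding no certificates, or usable.
check_cafile() {
    n=$(count_pem_certs "$1")
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ "$n" -eq 0 ]; then
        echo "empty-or-unreadable"
    else
        echo "ok:$n"
    fi
}

# Print the first candidate bundle path that holds at least one certificate.
# $1 is an optional root prefix (assumption: lets you inspect an unpacked
# image or a test directory instead of the live filesystem).
find_ca_bundle() {
    root=${1:-}
    for p in /etc/pki/tls/certs/ca-bundle.crt \
             /etc/ssl/certs/ca-certificates.crt \
             /etc/ssl/cert.pem; do
        if [ "$(count_pem_certs "$root$p")" -gt 0 ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: report the bundle available on this filesystem.
find_ca_bundle || echo "no readable CA bundle found"
```

If `check_cafile` reports `missing` for the path in the curl error while `find_ca_bundle` prints a different path, the client's built-in default CAfile does not match the bundle location the image ships.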
@aandryashin any ideas?
Will check, looks like the issue.
On Tue, 6 Jun 2023 at 12:16, Ivan Krutov @.***> wrote:
> @aandryashin https://github.com/aandryashin any ideas?
Fixed in https://github.com/aerokube/moon2/pull/212. Will be released as Moon 2.5.2.
Hi together,
We've deployed moon2 in version 2.5 to k8s but we're having issues with uploading the video recording to our internal s3, the upload fails with "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)". Opening the URL of our internal S3 within a manually started Chrome pod and uploading a file there succeeds without any certificate warning. The internal s3 is signed by SwissSign, which is available in the browser's cert store. Browser: chrome, version 112. Our setup is described in https://github.com/aerokube/moon/issues/377.
Thanks!