knative / func

Knative Functions client API and CLI
Apache License 2.0

certificate signed by unknown authority #2444

Open ysiivan opened 1 month ago

ysiivan commented 1 month ago

Trying to build a function fails with tls: failed to verify certificate: x509: certificate signed by unknown authority

end of output:
...
paketo-buildpacks/pip-install     0.6.1
paketo-buildpacks/python-start    0.14.15
paketo-buildpacks/procfile        5.8.0
===> RESTORING
===> BUILDING
target distro name/version labels not found, reading /etc/os-release file

Paketo Buildpack for CA Certificates 3.7.0
  https://github.com/paketo-buildpacks/ca-certificates
  Launch Helper: Contributing to layer
    Creating /layers/paketo-buildpacks_ca-certificates/helper/exec.d/ca-certificates-helper
Paketo Buildpack for CPython 1.13.0
  Resolving CPython version
    Candidate version sources (in priority order):
                -> ""
      <unknown> -> ""

    Selected CPython version (using ): 3.10.14

  Executing build process
    Installing CPython 3.10.14
failed to fetch dependency: failed to make request: Get "https://artifacts.paketo.io/python/python_3.10.14_linux_x64_jammy_9e7c333f.tgz": tls: failed to verify certificate: x509: certificate signed by unknown authority
ERROR: failed to build: exit status 1

Error: failed to build the function: executing lifecycle: failed with status code: 51

I am behind the company's SSL-terminating/traffic-inspecting appliance and I'm used to having to tweak different systems to set the custom certificates.

The question is: how to do it for Knative? I followed this, but it made no difference.

Any help?

P.S. Incidentally, the documentation shows creating a secret named customca, yet it is referred to in the controller's YAML as custom-certs.

ReToCode commented 1 month ago

Moved from Serving. CC @knative/func-writers

jordanbecketmoore commented 3 weeks ago

@ysiivan I've found a solution for myself to this issue. You need to tell your buildpacks where your ca-certificates.crt is. You can do this by setting the buildEnvs in your func.yaml file. Set SSL_CERT_DIR to wherever it is you keep your certificates. If you have the SSL_CERT_DIR env set in your environment already, you can use the below mustache syntax to inject it.

runtime: python
registry: registry.local:5000
created: 2024-08-20T00:47:41.658874026+10:00
build:
  builder: pack
  buildEnvs:
  - name: SSL_CERT_DIR
    # Quoted so that YAML reads the template as a string rather than a flow mapping
    value: '{{ env:SSL_CERT_DIR }}'

If this still isn't working for you, you can always place your ca-certificates.crt in your function's working directory and replace {{ env:SSL_CERT_DIR }} with /workspace
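Why the fetch fails behind a TLS-inspecting appliance and why pointing the build at the appliance's CA fixes it, shown as an added example that is not part of the thread or of the func project's code. The CA, the leaf, the host name `artifacts.example.test` and the helper names are constructed, and the directory loader stands in for what Go's crypto/x509 does with SSL_CERT_DIR on Linux.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

const host = "artifacts.example.test" // constructed name, not a real endpoint

// verifyWithCertDir trusts only the PEM files in dir (assumed stand-in for SSL_CERT_DIR handling).
func verifyWithCertDir(leaf *x509.Certificate, dir string) error {
	pool := x509.NewCertPool()
	files, _ := filepath.Glob(filepath.Join(dir, "*"))
	for _, f := range files {
		data, _ := os.ReadFile(f)
		pool.AppendCertsFromPEM(data) // ignores files without PEM certificates
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// demo verifies a leaf signed by a constructed inspection CA before and after the CA is added to dir.
func demo() (before, after error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start, end := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: start, NotAfter: end,
		Subject: pkix.Name{CommonName: "Constructed Inspection CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: start, NotAfter: end,
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	dir, _ := os.MkdirTemp("", "certdir")
	defer os.RemoveAll(dir)
	before = verifyWithCertDir(leaf, dir) // CA not yet trusted
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	os.WriteFile(filepath.Join(dir, "ca-certificates.crt"), caPEM, 0o644)
	return before, verifyWithCertDir(leaf, dir)
}

func main() { fmt.Println(demo()) }
```

The first result is the same x509 error as in the build log; the second is nil once the CA file is present in the directory.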