vmware-archive / vcd-cli

Command Line Interface for VMware vCloud Director
https://vmware.github.io/vcd-cli

SSL certificate verification failure #564

Open jleavers opened 2 years ago

jleavers commented 2 years ago

Describe the bug

I am trying to use the vcd-cli from an Ubuntu server to connect to a vCD that has a certificate signed by an internal CA.

I am also using the CSE, and to enable SSL verification for this I had to proceed as follows:

mkdir -p /usr/share/ca-certificates/extra
# Put the CA into this directory
dpkg-reconfigure ca-certificates
# Choose yes
# Tick the box for the new CA cert
# Tab to OK
# Verify
grep extra /etc/ca-certificates.conf
extra/my-ca.crt
# Commit
update-ca-certificates

At this point I am able to curl https://vcd-fqdn without an error. However, as Python uses its own embedded certificate bundle I had to override this with an environment variable.

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

At this point the CSE works with certificate verification enabled, with no problems. However - I am still having some problems with the vcd-cli.

Some commands work:

vcd login vcd-fqdn org user -p pass
user logged in, org: 'org', vdc: 'vdc'
cse@cse-01:~$ vcd cse cluster list
Name Org Owner VDC K8s Runtime K8s Version Status
-------- ----------- -------- ----------- ------------- --------------------- ----------------
k8s org user vdc TKGm TKGm v1.21.2+vmware.1 CREATE:SUCCEEDED

But some do not:

vcd cse cluster info k8s
2022-01-13 10:11:18,084 WARNING Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1091)'))': /cloudapi/1.0.0/entities/types/vmware/tkgcluster/1.0.0?filter=entity.metadata.name%3D%3Dk8s
2022-01-13 10:11:18,095 WARNING Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1091)'))': /cloudapi/1.0.0/entities/types/vmware/tkgcluster/1.0.0?filter=entity.metadata.name%3D%3Dk8s
2022-01-13 10:11:18,106 WARNING Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1091)'))': /cloudapi/1.0.0/entities/types/vmware/tkgcluster/1.0.0?filter=entity.metadata.name%3D%3Dk8s
Usage: vcd cse cluster info [OPTIONS] [NAME]
Try 'vcd cse cluster info -h' for help.

Error: HTTPSConnectionPool(host='vcd-fqdn', port=443): Max retries exceeded with url: /cloudapi/1.0.0/entities/types/vmware/tkgcluster/1.0.0?filter=entity.metadata.name%3D%3Dk8s (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1091)')))

How should vcd-cli be supplied with a trusted internal CA? Or - is the only solution to set verify: to false in ~/.vcd-cli/profiles.yaml?

Reproduction steps

1. Set up an internal vCD instance with an SSL certificate signed by an internal CA.
2. Import to management server
3. Some vcd-cli commands fail with SSL verification error

Expected behavior

There should be a way of providing vcd-cli with a CA certificate.

Additional context

No response
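An added diagnostic for the situation described above (my own example, not code from this issue or from the vcd-cli project): it models which trust store a requests-style client and a plain ssl-based client will use under a given environment, lists the CA certificates a PEM bundle really loads, and does a verify-only TLS handshake against a host with a chosen bundle. The host name, bundle path and the LIBRARY_DEFAULT label are assumptions; the precedence rules reflect requests (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE) and OpenSSL (SSL_CERT_FILE / SSL_CERT_DIR).

```python
import socket
import ssl

# Placeholder label for the bundle a requests-style client ships with (certifi).
LIBRARY_DEFAULT = "<library-bundled certifi cacert.pem>"


def requests_bundle(env):
    """Bundle a requests-style client verifies against: REQUESTS_CA_BUNDLE,
    then CURL_CA_BUNDLE, else the file bundled with the library."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    return LIBRARY_DEFAULT


def openssl_paths(env):
    """Store that code building its own ssl.SSLContext reads instead: only
    SSL_CERT_FILE / SSL_CERT_DIR reach OpenSSL; REQUESTS_CA_BUNDLE is ignored."""
    defaults = ssl.get_default_verify_paths()
    return {
        "cafile": env.get("SSL_CERT_FILE") or defaults.openssl_cafile,
        "capath": env.get("SSL_CERT_DIR") or defaults.openssl_capath,
    }


def list_bundle_cas(path):
    """Common names of the CA certificates a PEM bundle actually loads, to
    confirm the internal CA made it into ca-certificates.crt."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no default store loaded
    ctx.load_verify_locations(cafile=path)
    return [{k: v for rdn in cert["subject"] for k, v in rdn}.get("commonName")
            for cert in ctx.get_ca_certs()]


def verify_server(host, cafile, port=443, timeout=5.0):
    """TLS handshake trusting only cafile; None on success, else the OpenSSL
    verification message (e.g. 'self signed certificate in certificate chain')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname check + CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
```

Calling verify_server("vcd-fqdn", "/etc/ssl/certs/ca-certificates.crt") and the same host with a copy of the library's own bundle shows whether the failure is in the trust store or in which store a given command reads; if only the system bundle succeeds, the failing command is not picking up the override, and comparing requests_bundle and openssl_paths for the same environment shows why.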

fnoorden commented 2 years ago

vcd login has the options:

-i, --no-verify-ssl-certs Verify SSL certificates
-w, --disable-warnings Do not display warnings when not verifying SSL certificates

Did you already try these options?

jleavers commented 2 years ago

Yes, as using -i sets verify to false in ~/.vcd-cli/profiles.yaml. While this works it would be better to specify a trusted certificate or certificate bundle as opposed to disabling certificate validation, especially as in this scenario the certificate is already trusted by the OS and by CSE.