X509: certificate signed by unknown authority

sihara · April 3, 2023, 5:59am

downloading image fails recently below.

# lxc init images:ubuntu/22.04 vm000 --vm
Creating vm000
Error: Failed instance creation: Get "https://sgp1lxdmirror01.do.letsbuildthe.cloud/images/ubuntu/jammy/amd64/default/20230402_07:42/lxd.tar.xz": tls: failed to verify certificate: x509: certificate signed by unknown authority

what’s going here?

sdeziel · April 3, 2023, 1:45pm

@stgraber, is that a hiccup due to the newly added image mirrors?

stgraber · April 3, 2023, 2:43pm

Can’t tell, the error is truncated.

stgraber · April 3, 2023, 2:44pm

https://sgp1lxdmirror01.do.letsbuildthe.cloud/images/ get me a valid certificate here.

tomp · April 3, 2023, 5:01pm

Been working fine for me on the fra server

tomp · April 3, 2023, 5:01pm

What lxd version is this?

mpontillo · April 3, 2023, 6:16pm

I just remembered that a trust root for Let’s Encrypt expired in September 2021 and caused issues for some people; maybe devices without the appropriate updates would have problems with the new mirrors for that reason.

sihara · April 3, 2023, 8:57pm

# lxd --version 
5.12

5.1.2 is running.

# curl https://cloud-images.ubuntu.com/releases/streams/v1/index.json -o /dev/null 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27438  100 27438    0     0  25796      0  0:00:01  0:00:01 --:--:-- 25811

# curl https://sgp1lxdmirror01.do.letsbuildthe.cloud/releases/streams/v1/index.json -o /dev/null 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

still getting ssl certificate problem at mirorr site…

mpontillo · April 3, 2023, 10:05pm

What operating system are you running LXD on? Is it fully updated with the most recent trusted root certificates?

You may want to ensure that the root certificates mentioned here are trusted by your system: https://letsencrypt.org/certificates/

sihara · April 4, 2023, 12:14am

Thanks for everyone to confirm!
After investigations on my side, mirror site “sgp1lxdmirror01.do.letsbuildthe.cloud” didn’t work on any nodes inside of our firewall. That site matched in our firewall rules.
We work this out. it’s perfectly fine for now. Thanks again.