Missing root certificates on windows-2019: X509: CERTIFICATE SIGNED BY UNKNOWN AUTHORITY #628

Open
wulfland opened this issue Mar 26, 2020 · 2 comments


@wulfland wulfland commented Mar 26, 2020

Describe the bug
On windows-2019, not all root CA certificates are installed. Some are missing (for example Quo Vadis). For some tools this leads to the following error: X509: CERTIFICATE SIGNED BY UNKNOWN AUTHORITY when calling an API via SSL.

Area for Triage:
Servers

Question, Bug, or Feature?:
Bug

Virtual environments affected

  • macOS 10.15
  • Ubuntu 16.04 LTS
  • Ubuntu 18.04 LTS
  • Windows Server 2016 R2
  • Windows Server 2019

Expected behavior
I expect the same default root CAs on windows-2019 as on Windows 10 or Linux. If I run gci Cert:\CurrentUser\AuthRoot on my Windows 10, I get a list of 30 entries (including QuoVadis).

Actual behavior
If I run gci Cert:\CurrentUser\AuthRoot on windows-2019 I only get a list of 19 entries.

Workaround
As a workaround you can install the certificates in the pipeline using certutil:

certutil -f -addstore root <FILEPATH>.cer

I posted the workaround here.


@al-cheb al-cheb commented Mar 26, 2020

Hello, @wulfland
Could you please check the list of certificates after import? If this list is good for you, we can import it on the image.

- name: Import Root CA
  run: |
        $null = certutil.exe -generateSSTFromWU roots.sst
        Import-Certificate -FilePath roots.sst -CertStoreLocation Cert:\LocalMachine\Root
  shell: powershell

@wulfland wulfland commented Mar 26, 2020

Hello @al-cheb ,
I tested it and it works 👍 . Now that's a big list you are going to import :-D
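
An added example, not part of the issue thread or the image's own scripts: it loads the same Windows Update root list without importing it, reports which roots the machine store lacks, and installs only those whose subject matches the CA the pipeline needs, which keeps the trust store narrower than a full import. The parameter names `$Pattern` and `$Install` and the temp file path are assumptions, and the script assumes an elevated session on the runner.

```powershell
# Added example (not from the issue thread). Run in an elevated PowerShell
# session on the Windows runner. $Pattern and $Install are hypothetical names.
param(
    [string]$Pattern = 'QuoVadis',   # subject substring of the root(s) you need
    [switch]$Install                 # without this switch nothing is changed
)

$sstPath = Join-Path $env:TEMP 'roots.sst'

# Download the current Microsoft trusted-root list, as in the comment above.
$null = certutil.exe -generateSSTFromWU $sstPath
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Load the .sst into memory only; this does not touch any certificate store.
$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($sstPath)

# Thumbprints that are already trusted machine-wide.
$trusted = @{}
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $trusted[$_.Thumbprint] = $true }

# Roots offered by Windows Update that this image does not have yet.
$missing = @($wuRoots | Where-Object { -not $trusted.ContainsKey($_.Thumbprint) })
Write-Host ("{0} roots in the Windows Update list, {1} not installed" -f $wuRoots.Count, $missing.Count)

# Narrow to the CA the pipeline actually calls and show it for review.
$wanted = @($missing | Where-Object { $_.Subject -like "*$Pattern*" })
$wanted | Sort-Object Subject |
    Format-Table Thumbprint, NotAfter, Subject -AutoSize | Out-Host

if ($Install -and $wanted.Count -gt 0) {
    # Add only the reviewed certificates to the machine Root store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try     { $wanted | ForEach-Object { $store.Add($_) } }
    finally { $store.Close() }
}
```

Run it once without `-Install` to review the thumbprints and expiry dates, then again with `-Install` in the pipeline step.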
