Cannot pull from OKD cluster via pod or oc command with error x509: certificate is valid for ***Clusterdomain ***, not *** registry-1.docker.io ***
#1700
Closed
glennodickson opened this issue Aug 10, 2023 · 0 comments
I have a basic installation cluster OKD4.13. Nothing is installed on it just yet.
Describe the bug
It seems that when pulling from repositories such as docker or quay.io it errors saying the unsigned certificate is incompatible with the docker/quay certificate. Also tried deploying springboot application using JKube and received the same error message.
Unsure why pulling it is concerned with the cluster's unsigned certificate when it is accessing and handshaking with the repo's certificate which is signed.
The below errors show when pulling from the docker (or quay) repos:
(x509: certificate is valid for *.apps.test.fritz.box, not registry-1.docker.io)
Version
4.13.0-0.okd-2023-08-04-164726
UPI
How reproducible
Execute below commands for Docker and Quay.
error: tag latest failed: Internal error occurred: quay.io/andreipope/podman-nuxtjs-demo:latest: Get "https://quay.io/v2/": x509: certificate is valid for *.apps.test.fritz.box, not quay.io
imagestream.image.openshift.io/podman-nuxtjs-demo imported with errors
Name: podman-nuxtjs-demo
Namespace: test
Created: 1 second ago
Labels: <none>
Annotations: openshift.io/image.dockerRepositoryCheck=2023-08-10T15:59:14Z
Image Repository: default-route-openshift-image-registry.apps.test.fritz.box/test/podman-nuxtjs-demo
Image Lookup: local=false
Unique Images: 0
Tags: 1
latest
tagged from quay.io/andreipope/podman-nuxtjs-demo
! error: Import failed (InternalError): Internal error occurred: quay.io/andreipope/podman-nuxtjs-demo:latest: Get "https://quay.io/v2/": x509: certificate is valid for *.apps.test.fritz.box, not quay.io
1 second ago
error: imported completed with errors
View Certificate
Command:
openssl s_client -connect quay.io:443
Output:
CONNECTED(00000003)
depth=1 CN = ingress-operator@1690637905
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 CN = ingress-operator@1690637905
verify return:1
depth=0 CN = *.apps.test.fritz.box
verify return:1
---
Certificate chain
0 s:CN = *.apps.test.fritz.box
i:CN = ingress-operator@1690637905
1 s:CN = ingress-operator@1690637905
i:CN = ingress-operator@1690637905
---
Server certificate
subject=CN = *.apps.test.fritz.box
issuer=CN = ingress-operator@1690637905
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2202 bytes and written 369 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
HTTP/1.1 408 Request Time-out
content-length: 110
cache-control: no-cache
content-type: text/html
connection: close
<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
Accessing Docker
Command:
oc import-image myproject/myimage-ref-source:mytag --from="docker.io/balazsszeti/hello:sleeper" --confirm
Output:
Accessing Quay.io
Command:
oc import-image quay.io/andreipope/podman-nuxtjs-demo --confirm
TIA
Glenn
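Added example, not part of the original issue and not OKD code: a Python check that parses the `x509: certificate is valid for ..., not ...` lines quoted in the report, applies single-label wildcard matching, and flags requests for an external registry that were answered with a certificate for the cluster's apps domain. The function names and the `apps.test.fritz.box` argument are assumptions for illustration; the sample lines are copied from the issue.

```python
import re

# Error lines copied from the issue text above.
SAMPLE = """\
error: tag latest failed: Internal error occurred: quay.io/andreipope/podman-nuxtjs-demo:latest: Get "https://quay.io/v2/": x509: certificate is valid for *.apps.test.fritz.box, not quay.io
(x509: certificate is valid for *.apps.test.fritz.box, not registry-1.docker.io)
"""

# Captures the names the presented certificate covers and the host that was requested.
X509_RE = re.compile(r"x509: certificate is valid for (?P<names>.+?), not (?P<host>[A-Za-z0-9.-]+)")

def name_matches(pattern, host):
    """TLS-style name check: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def under_domain(name, domain):
    """True if a certificate name (optionally a wildcard) belongs to the given domain."""
    base = name[2:] if name.startswith("*.") else name
    base, domain = base.lower().rstrip("."), domain.lower().rstrip(".")
    return base == domain or base.endswith("." + domain)

def parse_mismatches(text):
    """Return one finding per x509 name-mismatch line in the given output."""
    findings = []
    for line in text.splitlines():
        m = X509_RE.search(line)
        if m:
            names = [n.strip() for n in m.group("names").split(",")]
            findings.append({"requested": m.group("host").rstrip("."), "presented": names})
    return findings

def classify(finding, cluster_apps_domain):
    """Say whether the peer that answered presented the cluster's own ingress names."""
    if any(name_matches(n, finding["requested"]) for n in finding["presented"]):
        return "match"
    if all(under_domain(n, cluster_apps_domain) for n in finding["presented"]):
        # The TLS peer was not the registry: the request was answered with a cluster certificate.
        return "answered-by-cluster-ingress"
    return "other-mismatch"

if __name__ == "__main__":
    for f in parse_mismatches(SAMPLE):
        print(f["requested"], f["presented"], classify(f, "apps.test.fritz.box"))
```

A result of `answered-by-cluster-ingress` means the connection never reached the registry, so the signed registry certificate was never part of the handshake.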