x509: certificate signed by unknown authority with private quay with cert using private PKI #55

Closed
gorantornqvist opened this issue Jun 17, 2021 · 1 comment

@gorantornqvist

Hi,
I have trouble getting CSO to play with our private Quay 3.5 registry; I get this error in the cso operator pod:

level=error msg="Failed to sync layer data" key=somepod err="Get https://my-registry.mydomain.com/.well-known/app-capabilities: x509: certificate signed by unknown authority"

If I enter the cso operator pod I can see the ca.crt in /extra-certs/ and a curl works fine.

$ oc rsh container-security-operator-864f446cd6-7dlf5
sh-4.4$
sh-4.4$ cd /extra-certs/
sh-4.4$ ls -l
total 0
lrwxrwxrwx. 1 root root 13 Jun 17 08:38 ca.crt -> ..data/ca.crt
sh-4.4$ curl --cacert ca.crt https://my-registry.mydomain.com/.well-known/app-capabilities
{"appName": "io.quay", "capabilities": {"io.quay.view-image": {"url-template": "https://my-registry.mydomain.com/{namespace}/{reponame}:{tag}"}, "io.quay.image-security": {"rest-api-template": "https://my-registry.mydomain.com/api/v1/repository/{namespace}/{reponame}/image/{imageid}/security", "deprecated": true}, "io.quay.manifest-security": {"rest-api-template": "https://my-registry.mydomain.com/api/v1/repository/{namespace}/{reponame}/manifest/{digest}/security"}}}

However, if I do a curl without --cacert it doesn't work, so it looks like the cert doesn't exist in the OS trust bundle; I can't find anything in /etc/pki/ca-trust/source/anchors/ either.

Thanks for any help ...

@gorantornqvist (Author)

Sorry, I had only the CA certificates in the ca.crt file:
Root CA
Intermediate CA

I added the server cert for the Quay registry to the bundle and then it started working ...

Closing ...
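The error string in the log above is the wording Go's crypto/x509 verifier produces, so the bundle variants discussed in this thread can be replayed against that verifier directly. The following Go program is an added example, not code from this issue or from the container-security-operator project: it mints a throwaway root -> intermediate -> server chain in memory (all names constructed; the hostname reuses the placeholder from the log) and reports which combinations of configured bundle and server-presented chain verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a minimal test certificate for cn signed by parent; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// pool is the in-memory equivalent of a ca.crt bundle: every certificate in it is a trust anchor.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}
// scenarios builds root -> intermediate -> server leaf and reports (true = passes) whether a Go TLS client accepts the leaf.
func scenarios() []bool {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue("my-registry.mydomain.com", false, inter, interKey)
	check := func(bundle, presented *x509.CertPool) bool { // same verification crypto/tls performs on a server chain
		_, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, Intermediates: presented, DNSName: leaf.DNSNames[0]})
		return err == nil
	}
	return []bool{
		check(pool(root), nil),         // bundle: root; server sends leaf only -> "signed by unknown authority"
		check(pool(root), pool(inter)), // bundle: root; server also sends the intermediate -> passes
		check(pool(root, inter), nil),  // bundle: root + intermediate; server sends leaf only -> passes
		check(pool(leaf), nil),         // bundle: the server cert itself -> passes, but only until that cert rotates
	}
}
```

Call scenarios() from a main or a test; the expected result is [false true true true], and the last case is the one to watch: pinning the server certificate in the bundle works only until that certificate is rotated, whereas a bundle that contains the issuing CAs (or a server that presents its intermediate) survives renewal.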
