x509: certificate signed by unknown authority

[princeje]

Hello, I'm new to this so maybe this is an easy problem to fix? I have a Kubernetes cluster running and want to use images that are locally signed with Cosign with Connaisseur. But kubectl logs -f kubectl logs -f connaisseur-deployment-xxxxxxxxx-xxxxx shows a 509 error. But what cert is not trusted? Cosign CA? The private key of the key-pair i generated with cosign? The registry tls cert? Where does the cert need to be added as trusted to? Master node or the Connaisseur pod?

Thanks.

[2022-10-25 17:24:29,212] DEBUG: {'message': 'starting verification of image "registry:12345/testimage:latest" using rule "registry:12345/*:*" with arguments {\'trust_root\': \'my-test-validator\'} and validator "my-public-key".', 'context': {'user': 'system:admin', 'operation': 'CREATE', 'kind': 'StatefulSet', 'name': 'apigateway', 'namespace': 'test-platform', 'image': 'registry:12345/testimage:latest', 'policy_rule': <connaisseur.config.Rule object at 0x7f21fa89f940>, 'validator': <connaisseur.validators.cosign.cosign_validator.CosignValidator object at 0x7f21fa81aef0>}}
[2022-10-25 17:24:29,294] INFO: COSIGN output of trust root 'my-test-validator' for image'registry:12345/testimage:latest': RETURNCODE: 1; STDOUT: ; STDERR: Error: Get "https://registry:12345/v2/": x509: certificate signed by unknown authority
main.go:62: error during command execution: Get "https://registry:12345/v2/": x509: certificate signed by unknown authority

[2022-10-25 17:24:29,294] INFO: {'message': 'Unexpected Cosign exception for image "registry:12345/testimage:latest": Error: Get "https://registry:12345/v2/": x509: certificate signed by unknown authority\nmain.go:62: error during command execution: Get "https://registry:12345/v2/": x509: certificate signed by unknown authority\n.', 'context': {'trust_data_type': 'dev.cosignproject.cosign/signature', 'stderr': 'Error: Get "https://registry:12345/v2/": x509: certificate signed by unknown authority\nmain.go:62: error during command execution: Get "https://registry:12345/v2/": x509: certificate signed by unknown authority\n', 'image': 'registry:12345/testimage:latest', 'trust_root': 'my-test-validator', 'detection_mode': True}}
[2022-10-25 17:24:29,295] DEBUG: No alerting configuration file found.

[phbelitz]

Hoy! It's the certificate of the registry you are using. This can be configured in the values.yaml for the specific validator you are using. In this case you are usign a cosign validator, were you can add a cert field with the custom certificate of the registry. More on that is described in our documentation. Cheers

[princeje]

hello, after some time we picked up trying to implement this again, and we are still getting this error even after adding the registry cert like you said in the values.yml file along with the auth credentials. Our cluster is an offline system so not sure if that has something to do with it.