rosa - x509: certificate signed by unknown authority


Hello,

When I am trying to follow https://aws.amazon.com/blogs/aws/red-hat-openshift-service-on-aws-now-generally-availably/ to set up an OpenShift cluster on AWS, I am seeing the following error when I run rosa:
ERR: Failed to get current account: can't send request: Get "https://api.openshift.com/api/accounts_mgmt/v1/current_account": x509: certificate signed by unknown authority

I am unable to create a cluster. How do I fix this error?

Thanks for your time

Responses

I am also experiencing this. I have verified that commands such as openssl s_client -connect api.openshift.com:443 are working fine, just the ROSA CLI is having this issue.

I got past this issue by using a Linux box. Originally I was trying on a Windows laptop. Not sure what exactly in the environment impacted finding certificates. I just tried on a shared Linux server we had and it worked fine without issues. I created the cluster using that and then did "oc login " to that cluster on Windows, which worked fine.

Thanks for the information. I am also on a Windows machine, although I would like to know where the ROSA CLI is looking for certificates because when I do a secure connection with curl/openssl/etc, everything works fine... it's almost like the ROSA CLI is using some other location to find certificates that my shell is not using.

Edit: it doesn't appear to matter which shell I am using. I have observed this error with both Git Bash and PowerShell on Windows.

I am also experiencing this...have you found an answer other than try from a linux box?

I heard back from Amazon and below is what they said:


Thank you for your patience and I appreciate your pro-active efforts for isolating this issue specific to Windows OS. Yes, you are right. The issue appears for ROSA CLI in Windows OS only, whereas the executables for Linux and macOS are unaffected. I was able to reproduce this issue at my end as well:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Users\abc\Downloads\rosa-windows>rosa whoami
ERR: Failed to get current account: Get "https://api.openshift.com/api/accounts_mgmt/v1/current_account": can't send request: x509: certificate signed by unknown authority

C:\Users\abc\Downloads\rosa-windows>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I would like to inform you that from our end, we already have escalated this issue to Red Hat Openshift Support and currently the issue is being investigated by Red Hat Engineering. While they work towards a resolution, I will keep you posted for any updates/workarounds.

Great thank you for letting me know.

I logged a support ticket with Red Hat and this is what they said on 2021-10-13:

We have identified the cause of the issue you are experiencing and an update to the ROSA CLI for Windows will soon be made available, subject to passing quality and certification checks.

We will provide you with an update again once the software has been released, but should you have any further questions at this time, please do not hesitate to let us know.

The cause of the issue is that the Windows version of the installer requires the Let's Encrypt certificate to be embedded into the installer. This is because the Windows version of golang cannot reach into the Windows OS to pick up the root CA bundle, like it can for Linux and macOS. This KCS (rosa commands fails on Windows) explains more details. A new version of the installer should be available in the next few days and will also be announced on the KCS.