- Posted In
- Red Hat OpenShift Service on AWS
rosa - x509: certificate signed by unknown authority
When I am trying to follow https://aws.amazon.com/blogs/aws/red-hat-openshift-service-on-aws-now-generally-availably/ to setup openshift cluster on AWS, I am seeing the following error when I run rosa
ERR: Failed to get current account: can't send request: Get "https://api.openshift.com/api/accounts_mgmt/v1/current_account": x509: certificate signed by unknown authority
I am unable to create cluster. How to fix this error?
Thanks for your time
I am also experiencing this. I have verified that commands such as openssl s_client -connect api.openshift.com:443 are working fine, just the ROSA CLI is having this issue.
I got past this issue by using a linux box. Originally I was trying on windows laptop. Not sure what exactly in the environment impacted finding certificates. I just tried on a shared linux server we had and it worked fine without issues. I created cluster using that and then did "oc login " to that cluster on windows. Which worked fine.
Thanks for the information. I am also on a Windows machine, although I would like to know where the ROSA CLI is looking for certificates because when I do a secure connection with curl/openssl/etc, everything works fine... it's almost like the ROSA CLI is using some other location to find certificates that my shell is not using.
Edit: it doesn't appear to matter which shell I am using. I have observed this error with both Git Bash and PowerShell on Windows.
I am also experiencing this...have you found an answer other than try from a linux box?
I heard back from Amazon and below is what they said:
Great thank you for letting me know.
I logged a support ticket with Red Hat and this is what they said on 2021-10-13:
We have identified the cause of the issue you are experiencing and an update to the ROSA CLI for Windows will soon be made available, subject to passing quality and certification checks.
We will provide you with an update again once the software has been released, but should you have any further questions at this time, please do not hesitate to let us know.
The cause of the issue is the Windows version of the installer requires the Lets Encrypt certificate to be embedded into the installer. This is because the Windows version of golang can not reach into the Window OS to pick up the root CA bundle, like it can for Linux and MacOs. This KCS (rosa commands fails on Windows) explain more details. A new version of the installer should be available in the next few days and will also be announced on the KCS.