Скачать или смотреть Resolving x509: certificate signed by unknown authority Error When Pulling Images from Harbor in k3s

Learn how to fix the `x509: certificate signed by unknown authority` error when using k3s Kubernetes with a private Harbor container registry. Follow this detailed guide for effective solutions.
---
This video is based on the question https://stackoverflow.com/q/72893964/ asked by the user 'maantarng' ( https://stackoverflow.com/u/16151219/ ) and on the answer https://stackoverflow.com/a/72907875/ provided by the user 'Vad1mo' ( https://stackoverflow.com/u/1156199/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.

Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Failed to pull image with "x509: certificate signed by unknown authority" error

Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.

If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Troubleshooting the x509: certificate signed by unknown authority Error in k3s

When working with Kubernetes, particularly in a setup using k3s and Harbor as a private container registry, you may encounter an x509: certificate signed by unknown authority error while trying to pull images. This issue typically arises from the use of a self-signed certificate in Harbor. Let's explore how to troubleshoot and resolve this error effectively.

Understanding the Problem

In Kubernetes, pulling images from a container registry requires the nodes to trust the certificates used by the registry. When you use a self-signed certificate, the kubelet (the agent that runs on each node) doesn’t recognize it as trustworthy by default. Hence, you may experience an ImagePullBackOff state when attempting to create a pod, leading to the following error message:

[[See Video to Reveal this Text or Code Snippet]]

Example Scenario

In the given scenario, you created a pod using a YAML configuration as follows:

[[See Video to Reveal this Text or Code Snippet]]

Despite applying this configuration, the image pulling fails.

Solution: Making the Certificate Trusted

To resolve this x509 error, you need to ensure that the CA (Certificate Authority) certificate is trusted by the host system. Here are the detailed steps to do so:

Step 1: Prepare the Certificate

First, confirm you have the self-signed CA certificate that you used when setting up Harbor. This file is typically named myca.pem.

Step 2: Install the CA Certificate

You will need to place the CA certificate into the trust store of your host system. Here are the commands you need to run:

[[See Video to Reveal this Text or Code Snippet]]

Make sure that the certificate file has a .crt extension in the specified directory, as this is required for it to be recognized.

Step 3: Restart the k3s Service

After updating the certificate trust, restart the k3s service to apply the changes. Depending on your system setup, you can do this with one of the following commands:

[[See Video to Reveal this Text or Code Snippet]]

Conclusion

By following these steps, you will have successfully resolved the x509: certificate signed by unknown authority error when pulling images from your Harbor registry in k3s. Always ensure that your certificates are correctly placed and recognized by the system to avoid similar issues in the future.

If you encounter any further issues or have questions, feel free to reach out or consult the official Kubernetes documentation for additional resources.