- Bug
- Resolution: Unresolved
- Normal
- OADP 1.3.0
- ToDo
- Very Likely
- Customer Escalated, Customer Facing
There is a misleading certificate error log present in the backup logs when insecureSkipTLSVerify is set to "true".
DPA:
~~~
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: velero
  namespace: openshift-adp
spec:
  backupLocations:
  - velero:
      config:
        insecureSkipTLSVerify: "true"
        profile: default
        region: us-east-1
        s3ForcePathStyle: "true"
        s3Url: https://s3-openshift-storage.apps.abc.in
      credential:
        key: cloud
        name: cloud-credentials
      default: true
      objectStorage:
        bucket: bucket-data-7ae6eebf-1111-4444-b105-4a44d7c07df3
        prefix: velero
      provider: aws
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultPlugins:
      - openshift
      - aws
      - kubevirt
status:
  conditions:
  - lastTransitionTime: "2024-01-23T07:16:34Z"
    message: Reconcile complete
    reason: Complete
    status: "True"
~~~
With insecureSkipTLSVerify: "true", SSL/TLS security is disabled.
Still, the velero backup logs show the error below:
~~~
An error occurred: Get "https://s3-openshift-storage.apps.abc.in/bucket-data-7ae6eebf-1111-4444-b105-4a44d7c07df3/velero/backups/mybackup/mybackup-logs.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tiZrwemXjFgPe2NLIWWX%2F20240123%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240123T072103Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=d58a3f11111111111e63e2cc77fc24073ada5bf5a70507c4cf01b46d72018f8": tls: failed to verify certificate: x509: certificate signed by unknown authority
~~~
The backup is even completed. Backup describe output:
~~~
Name: mybackup
Namespace: openshift-adp
Phase: Completed
Started: 2024-01-23 07:17:21 +0000 UTC
Completed: 2024-01-23 07:17:54 +0000 UTC
Total items to be backed up: 11
Items backed up: 11
Resource List: <error getting backup resource list: Get "https://s3-openshift-storage.apps.abc.in/bucket-data-7ae6eebf-1111-4444-b105-4a44d7c07df3/velero/backups/mybackup/mybackup-logs.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tiZrwemXjFgPe2NLIWWX%2F20240123%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240123T072103Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=d58a3f11111111111e63e2cc77fc24073ada5bf5a70507c4cf01b46d72018f8": tls: failed to verify certificate: x509: certificate signed by unknown authority>
~~~
This velero backup log seems misleading.
We tried setting insecureSkipTLSVerify: "false" and caCert with the correct CA for s3Url, but the error still occurred.
- relates to: OADP-4668 Make using Velero CLI via velero deployment with caCert simple. (New)