- Bug
- Resolution: Duplicate
- Critical
- None
- False
- None
- False
- Compatibility/Configuration, User Experience
- Medium
When trying to do docker pulls from Quay, we get 502 gateway errors. The Quay app pod logs show that this is a TLS verification error.
gunicorn-registry stdout | 2022-05-11 12:47:41,662 [274] [DEBUG] [botocore.httpsession] Certificate path: /usr/local/lib/python3.8/site-packages/certifi/cacert.pem
gunicorn-registry stdout | 2022-05-11 12:47:41,662 [274] [DEBUG] [urllib3.connectionpool] Starting new HTTPS connection (5): lonec4203.server.rbsgrp.net:9021
gunicorn-registry stdout | 2022-05-11 12:47:41,681 [274] [DEBUG] [botocore.endpoint] Exception received when sending HTTP request.
gunicorn-registry stdout | Traceback (most recent call last):
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 336, in ssl_wrap_socket
gunicorn-registry stdout | context.load_verify_locations(ca_certs, ca_cert_dir)
gunicorn-registry stdout | ssl.SSLError: [X509] PEM lib (_ssl.c:4264)
gunicorn-registry stdout | During handling of the above exception, another exception occurred:
gunicorn-registry stdout | Traceback (most recent call last):
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/botocore/httpsession.py", line 311, in send
gunicorn-registry stdout | urllib_response = conn.urlopen(
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 719, in urlopen
gunicorn-registry stdout | retries = retries.increment(
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/util/retry.py", line 376, in increment
gunicorn-registry stdout | raise six.reraise(type(error), error, _stacktrace)
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/packages/six.py", line 735, in reraise
gunicorn-registry stdout | raise value
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 665, in urlopen
gunicorn-registry stdout | httplib_response = self._make_request(
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 376, in _make_request
gunicorn-registry stdout | self._validate_conn(conn)
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
gunicorn-registry stdout | conn.connect()
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 352, in connect
gunicorn-registry stdout | self.sock = ssl_wrap_socket(
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 338, in ssl_wrap_socket
gunicorn-registry stdout | raise SSLError(e)
gunicorn-registry stdout | urllib3.exceptions.SSLError: [X509] PEM lib (_ssl.c:4264)
gunicorn-registry stdout | During handling of the above exception, another exception occurred:
gunicorn-registry stdout | Traceback (most recent call last):
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/botocore/endpoint.py", line 200, in _do_get_response
gunicorn-registry stdout | http_response = self._send(request)
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/botocore/endpoint.py", line 269, in _send
gunicorn-registry stdout | return self.http_session.send(request)
gunicorn-registry stdout | File "/usr/local/lib/python3.8/site-packages/botocore/httpsession.py", line 338, in send
gunicorn-registry stdout | raise SSLError(endpoint_url=request.url, error=e)
gunicorn-registry stdout | botocore.exceptions.SSLError: SSL validation failed for
[X509] PEM lib (_ssl.c:4264)
It appears that the script Quay uses to create a CA certificate bundle does not put newlines at the end of a certificate, which means that when certificates are bundled, some end up with the beginning and end lines in the same place. The Quay config editor only shows the service-ca certificate. Is there anywhere else we can change the certificates that are misaligned?
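The failure mode described above can be checked and repaired outside Quay. The following is an added example, not Quay's own bundling script: it joins PEM certificates with the trailing newline the report says is missing, finds lines where an END marker and the next BEGIN marker have been glued together, rewrites such a bundle, and feeds the result to the same `ssl` machinery urllib3/botocore use. The certificate bodies (`CERT_A`, `CERT_B`) are constructed placeholders, not real X.509 data, so the `ssl` check will still reject them; on a real bundle a `None` result from `load_error` means OpenSSL accepted it.

```python
import re
import ssl
from typing import List, Optional

# OpenSSL's PEM reader expects each of these markers on a line of its own.
MARKER = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")

def concat_certs(certs: List[str]) -> str:
    """Join PEM certificates safely: strip stray whitespace, newline after each one."""
    return "".join(c.strip() + "\n" for c in certs)

def find_glued_markers(bundle: str) -> List[int]:
    """1-based line numbers where a BEGIN/END marker shares its line with other text,
    e.g. '-----END CERTIFICATE----------BEGIN CERTIFICATE-----'."""
    bad = []
    for n, line in enumerate(bundle.splitlines(), 1):
        markers = MARKER.findall(line)
        if markers and (len(markers) > 1 or line.strip() != markers[0]):
            bad.append(n)
    return bad

def normalize_bundle(bundle: str) -> str:
    """Rewrite a bundle so every marker is on its own line; blank lines are dropped."""
    spaced = MARKER.sub(lambda m: "\n" + m.group(0) + "\n", bundle)
    lines = [ln.strip() for ln in spaced.splitlines() if ln.strip()]
    return "\n".join(lines) + "\n"

def load_error(bundle: str) -> Optional[str]:
    """Load the bundle the way urllib3/botocore do; None means OpenSSL parsed it."""
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cadata=bundle)
        return None
    except (ssl.SSLError, ValueError) as e:
        return str(e)

# Constructed placeholder certificates (not real X.509 data), only to show the layout bug.
CERT_A = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----"
CERT_B = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----"
# What a bundling script produces when it omits the newline after each certificate.
GLUED = CERT_A + CERT_B

if __name__ == "__main__":
    print("glued markers on lines:", find_glued_markers(GLUED))
    print("repaired bundle matches safe join:",
          normalize_bundle(GLUED) == concat_certs([CERT_A, CERT_B]))
    print("ssl load error:", load_error(GLUED))
```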