[60] Peer certificate cannot be authenticated with given CA certificates (0)

Problem: pulp ostree repository sync failed

Expected outcome: successful sync

Pulpcore version: 3.23.2

Pulp plugins installed and their versions: multi-process image (pulp in one container, latest)

Operating system - distribution and version: Fedora 38

Other relevant data:
I’m currently testing pulp to manage a fleet of SBCs running Fedora IOT.
Creating an ostree remote and repository was successful, but when syncing, I’m getting the following error:

Error: Task /pulp/api/v3/tasks/...../ failed: 'g-io-error-quark: While fetching https://ostree.fedoraproject.org/iot/summary.sig: [60] Peer certificate cannot be authenticated with given CA certificates (0)'

If I understand this correctly, the error [60] is equivalent to a curl error 60 (SSL not validated). Now I have two questions:

Does the trailing (0) mean that pulp does not recognize any valid ca-certificates?

Do I need to provide the certificate of our IT (located behind a corporate firewall with SSL inspection) or a certificate issued by the folks over at Fedora? (And how can I get that if that is the case?)

pulp ostree remote list

returns:

[
  {
    "pulp_href": "/pulp/api/v3/remotes/ostree/ostree/de254859-7ac7-42cf-a6ed-79938f6d5654/",
    "pulp_created": "2023-06-22T11:11:36.256465Z",
    "name": "iot_remote",
    "url": "https://ostree.fedoraproject.org/iot",
    "ca_cert": "-----BEGIN CERTIFICATE-----.....cert goes here.......----END CERTIFICATE-----",
    "client_cert": null,
    "tls_validation": false,
    "proxy_url": null,
    "pulp_labels": {},
    "pulp_last_updated": "2023-06-23T07:38:37.775586Z",
    "download_concurrency": null,
    "max_retries": null,
    "policy": "immediate",
    "total_timeout": null,
    "connect_timeout": null,
    "sock_connect_timeout": null,
    "sock_read_timeout": null,
    "headers": null,
    "rate_limit": null,
    "hidden_fields": [
      {
        "name": "client_key",
        "is_set": false
      },
      {
        "name": "proxy_username",
        "is_set": false
      },
      {
        "name": "proxy_password",
        "is_set": false
      },
      {
        "name": "username",
        "is_set": false
      },
      {
        "name": "password",
        "is_set": false
      }
    ],
    "depth": 0,
    "include_refs": [],
    "exclude_refs": []
  }
]

Any help would be appreciated

Just remove the ca_cert from the remote. Your system CA should be enough to sync from fedora.

Also, you may need to change the URL of the remote. I cannot access the URL. In the end, you should reference the exact repository, like: https://kojipkgs.fedoraproject.org/compose/iot/repo/.
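
The question in this thread is whose CA the client has to trust, and the issuer of the certificate the client actually receives answers it. The script below is an added example, not from the thread or from Pulp: it builds two constructed CAs and a constructed server certificate locally with openssl (all names and file paths are assumptions) and shows that a certificate re-signed by an inspection CA fails against a bundle that lacks that CA and verifies once the CA is added.

```bash
#!/usr/bin/env bash
# Added example. All CAs and certificates are constructed locally; no network.
set -eu
WORK=$(mktemp -d)

# make_ca PREFIX CN: self-signed CA (constructed stand-in for a real root).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf PREFIX HOST: server certificate for HOST signed by CA PREFIX.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# issuer_of CERT: print the CN of whoever signed CERT.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# chains_to BUNDLE CERT: 0 if CERT verifies against BUNDLE, else non-zero
# (the situation curl reports as error 60).
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca public "Constructed Public CA"        # stands in for the system bundle
make_ca corp   "Constructed Inspection CA"    # stands in for the proxy's CA
make_leaf corp ostree.fedoraproject.org       # what a client behind the proxy sees
cat "$WORK/public.pem" "$WORK/corp.pem" > "$WORK/with-corp.pem"

echo "issuer seen by client: $(issuer_of "$WORK/leaf.pem")"
chains_to "$WORK/public.pem" "$WORK/leaf.pem" \
  && echo "public bundle: ok" || echo "public bundle: verify failed"
chains_to "$WORK/with-corp.pem" "$WORK/leaf.pem" \
  && echo "bundle + inspection CA: ok" || echo "bundle + inspection CA: verify failed"
```

Against a live endpoint, the certificate to inspect comes from `openssl s_client -connect ostree.fedoraproject.org:443 -showcerts`, run from inside the Pulp container so it takes the same network path as the sync task.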