Tls: failed to verify certificate: x509

While installing Grafana using podman, I am receiving this error in the logs:

logger=plugin.signature.key_retriever t=2024-04-11T08:04:35.651696061Z level=error msg="Error downloading plugin manifest keys" error="Get \"https://grafana.com/api/plugins/ci/keys\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Can anyone tell me why this error is arising and how to fix it?

Make sure your container has CA certificates, which will be used to verify that HTTPS connection.
In particular, enterprise companies do deep TLS inspection, so you may need a custom CA/TLS configuration in that kind of enterprise environment.

In the container, in which path should I check whether the CA certificate is present or not?

# curl -v https://grafana.com/api/plugins/ci/keys
*   Trying 34.120.177.193:443...
* TCP_NODELAY set
* Connected to grafana.com (34.120.177.193) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=New York; L=New York; O=Raintank Inc.; CN=grafana.com
*  start date: Feb  2 00:00:00 2024 GMT
*  expire date: Mar  4 23:59:59 2025 GMT
*  subjectAltName: host "grafana.com" matched cert's "grafana.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
...

So https://grafana.com is signed/issued by DigiCert Global G2 TLS RSA SHA256 2020 CA1, and your local CA files (CAfile: /etc/ssl/certs/ca-certificates.crt, CApath: /etc/ssl/certs; locations and file names depend on the OS used) must contain the certs which will be used to verify the whole cert chain:

DigiCert Global Root G2 is a CA cert which is usually already part of the OS CA certs, so normal users don’t need to do anything. But big enterprises run TLS inspection, and then you need their CA certs.

For my machine this is the location of the CA file: /etc/pki/tls/certs/ca-bundle.crt,
and it contains the DigiCert Global Root G2 cert.

So are you saying to add this DigiCert Global G2 TLS RSA SHA256 2020 CA1 as a custom CA?

Please provide the output of curl -v https://grafana.com/api/plugins/ci/keys from the container (not from the machine). Only THEN will you know whether you need the DigiCert Global Root G2 cert or another CA cert.

> CONNECT grafana.com:443 HTTP/1.1
> Host: grafana.com:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< Proxy-Agent: Zscaler/6.2
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: 

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Here you are: you don’t have direct connectivity, but you have a (security, Zscaler) proxy in your network. So ask your proxy admin how it is configured. Please use formatted text for code, logs, configs…

1 Like
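The outcome of this thread, as an added example that is not from the original posts or from Grafana's own code: Grafana's HTTP client is written in Go, so the log's "certificate signed by unknown authority" is Go's x509.UnknownAuthorityError, and the program below reproduces the container's check offline. It constructs a stand-in for an inspecting proxy's chain (the "Example Corp" root name, its keys and both certificates are constructed for the example), then verifies the grafana.com leaf against a CA bundle exactly as Grafana does: the check fails with the log's error while the bundle lacks the proxy root, and passes once that root's PEM is appended.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// newCert issues a one-day certificate signed by parent, or self-signed when parent is nil (constructed fixture, not Grafana code).
func newCert(serial int64, cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey, san ...string) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: san,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	key := ed25519.NewKeyFromSeed(append(make([]byte, ed25519.SeedSize-1), byte(serial))) // fixed seed keeps the fixture deterministic; a real CA or server key must come from a CSPRNG
	if parent == nil { // the root signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildInspectionChain constructs what a TLS-inspecting proxy presents: the PEM of its private root (hypothetical "Example Corp") and a grafana.com leaf re-signed by that root.
func BuildInspectionChain() (rootPEM []byte, leaf *x509.Certificate) {
	root, rootKey := newCert(1, "Example Corp TLS Inspection Root (constructed)", nil, nil)
	leaf, _ = newCert(2, "grafana.com", root, rootKey, "grafana.com")
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}), leaf
}

// Diagnose repeats the check Grafana's Go HTTP client makes before fetching plugin keys: chain the server cert to a root in the CA bundle (the container's ca-certificates.crt) for host grafana.com; on the log's unknown-authority failure it names the issuer the bundle lacks.
func Diagnose(leaf *x509.Certificate, bundlePEM []byte) (missingIssuer string, err error) {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: "grafana.com", Roots: roots})
	if errors.As(err, new(x509.UnknownAuthorityError)) {
		missingIssuer = leaf.Issuer.CommonName // the CA whose PEM must be appended to the bundle
	}
	return missingIssuer, err
}
```

Against a real container, feed Diagnose the parsed server certificate the proxy presents and the bytes of the container's /etc/ssl/certs/ca-certificates.crt; the issuer it names is the CA whose PEM you need from the proxy admin.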