Hitting the 'error setting certificate verify locations' after importing certificates

Issue

  • After importing certificates using the certificates-update operation, I am experiencing SSL issues in Jenkins similar to:
stderr: fatal: unable to access '<url>': error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

Environment

Related Issue

  • https://bugs.alpinelinux.org/issues/8379

Resolution

This exception suggests that the CA certificate located at <CAfile> is wrong or not accessible.

The certificates-update operation copies the certificates in the bastion /certificates directory to the workers / controllers under /etc/ssl/certs/. All the certificates under /etc/ssl/certs/ are concatenated to produce one file, /etc/ssl/certs/ca-certificates.crt (using update-ca-certificates). The directory /etc/ssl/certs/ is also mounted to the certs container on workers and controllers, and the certs container is mounted to the CJE tenants' containers (i.e. cjoc, masters, elasticsearch, palace). This mechanism allows the certificates to be automatically updated in the tenants' containers by simply updating the certs container.

A common issue occurs when one or more of the imported certificates are missing a line break at the end of the file. This causes the concatenation to produce a corrupted ca-certificates.crt, in which case the certificates are not correctly loaded by the tenants and the error “unable to access ‘<url>’: error setting certificate verify locations” arises. The concatenated file /etc/ssl/certs/ca-certificates.crt on your workers / controllers then contains lines like the following, which is wrong:

[...]
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
[...]

The expected concatenated file should show each certificate separated by a line break:

[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]

To fix this, ensure each certificate imported ends with a line break. Then run the certificates-update operation again.
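A pre-import check for the condition described above, as an added example that is not part of the original article or of the product: it lists the files in a certificate directory that lack a final line break, can append the missing one, and detects the fused marker line in a generated bundle. The function names are made up for this example; /certificates is the bastion directory named above.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not product code).

# Return 0 when FILE is non-empty and its last byte is not a newline.
# Command substitution strips a trailing newline, so a correct file yields "".
missing_final_newline() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# Print every regular file in DIR (default: /certificates) that would break
# the concatenation. Return 1 if at least one such file was found.
check_cert_dir() {
    dir=${1:-/certificates}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if missing_final_newline "$f"; then
            printf '%s\n' "$f"
            bad=1
        fi
    done
    return "$bad"
}

# Append the missing line break in place; correct files are left untouched.
fix_cert() {
    if missing_final_newline "$1"; then printf '\n' >> "$1"; fi
}

# Return 0 when BUNDLE contains an END marker fused with the next BEGIN marker,
# i.e. the corrupted line shown above.
bundle_is_corrupt() {
    grep -q -F -e '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1"
}

# When run with a directory argument, report offending files and exit non-zero.
if [ "$#" -gt 0 ]; then
    check_cert_dir "$1" && echo "all certificates end with a line break"
fi
```

Run check_cert_dir on the bastion before certificates-update, and bundle_is_corrupt against /etc/ssl/certs/ca-certificates.crt on a worker or controller afterwards.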

(Note: this has been filed as a bug against Alpine Linux, which is the base image of the certs container; see https://bugs.alpinelinux.org/issues/8379.)
