Coder.com, 6mo ago
Conor

Access url is throwing a cert error

I have coder deployed using helm on a k3s cluster. I also have a self-signed CA, which is needed to authenticate requests to https://coder.lan.

values.yaml file:
```yaml
coder:
  certs:
    secrets:
      - name: homelab-ca
        value: cert.crt
  service:
    type: ClusterIP
  env:
    - name: CODER_PG_CONNECTION_URL
      valueFrom:
        secretKeyRef:
          name: coder-db-url
          key: url

    - name: CODER_ACCESS_URL
      value: "https://coder.lan"

    - name: CODER_WILDCARD_ACCESS_URL
      value: "*.coder.lan"
  image:
    repo: "ghcr.io/coder/coder"
    tag: "v2.11.2"
```
Error:
```
EACS03: get healthz endpoint: Get "https://coder.lan/healthz": tls: failed to verify certificate: x509: certificate signed by unknown authority
```
The cert is being mounted to /etc/ssl/certs successfully. However, it is not being updated for curl (for example) to access the URL without getting an `x509: certificate signed by unknown authority` error. Any ideas why this is?
4 Replies
Codercord, 6mo ago
Category: Help needed
Product: Coder OSS (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
ShamesBond, 6mo ago
Are you able to use curl directly? That error sounds like it's complaining about the CA and not the cert itself; that might point to a permissions issue with the mounted cert. You could try mounting the CA instead.
Conor (OP), 6mo ago
The CA is correct; when I try to curl inside the server's pod it also gets a cert error. When I wget the URL and specifically define the CA file location with the `--ca-certificate` flag, then it works fine. Seems like an issue with the server not doing update-ca-certificates or whatever needs to be done to put the cert into /etc/ssl/certs/certificates.crt
Solution
Conor, 6mo ago
Found the solution to the issue:
```yaml
coder:
  certs:
    secrets:
      - name: homelab-ca
        value: cert.crt
```
should be
```yaml
coder:
  certs:
    secrets:
      - name: homelab-ca
        key: cert.crt
```
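A pre-deploy check for the mistake fixed above, as an added example that is not part of the thread or of the Coder chart: it takes the already-parsed values mapping (for example from a YAML loader) and reports `coder.certs.secrets` entries that do not use exactly `name` and `key`. The function name and sample inputs are constructed here, and the allowed field set is an assumption taken from the fix in this thread.

```python
# Added example: lint the coder.certs.secrets block of parsed Helm values.
# Assumption (taken from the thread's fix): each entry uses exactly `name` and `key`.
REQUIRED = {"name", "key"}


def lint_cert_secrets(values):
    """Return a list of findings for values['coder']['certs']['secrets']."""
    certs = (values.get("coder") or {}).get("certs") or {}
    secrets = certs.get("secrets") or []
    if not isinstance(secrets, list):
        return ["coder.certs.secrets: expected a list of entries"]

    findings = []
    for i, entry in enumerate(secrets):
        path = f"coder.certs.secrets[{i}]"
        if not isinstance(entry, dict):
            findings.append(f"{path}: expected a mapping, got {type(entry).__name__}")
            continue
        present = set(entry)
        # A misspelled field shows up twice: the real one is missing and
        # the misspelled one is unexpected.
        for field in sorted(REQUIRED - present):
            findings.append(f"{path}: missing required field '{field}'")
        for field in sorted(present - REQUIRED, key=str):
            findings.append(f"{path}: unexpected field '{field}'")
        for field in sorted(REQUIRED & present):
            value = entry[field]
            if not isinstance(value, str) or not value.strip():
                findings.append(f"{path}: '{field}' must be a non-empty string")
    return findings


# Constructed inputs mirroring the thread's "before" and "after" values.
BEFORE = {"coder": {"certs": {"secrets": [{"name": "homelab-ca", "value": "cert.crt"}]}}}
AFTER = {"coder": {"certs": {"secrets": [{"name": "homelab-ca", "key": "cert.crt"}]}}}

if __name__ == "__main__":
    for label, values in (("before", BEFORE), ("after", AFTER)):
        problems = lint_cert_secrets(values)
        print(f"{label}: {problems if problems else 'ok'}")
```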