Cannot connect to host notary.docker.io:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')]\n"} #1315
Unanswered. amitsaurabh32 asked this question in Q&A.
-
@amitsaurabh32 how did you install Connaisseur?
-
Hi All, I am getting the below unknown error when trying to test the default Connaisseur configuration. As per the logs, it seems to be some SSL certificate error. Any advice on this?
root@amit-pc:/home/amit/connaisseur# kubectl run demo --image=docker.io/securesystemsengineering/testimage:signed
Error from server: admission webhook "connaisseur-svc.connaisseur.svc" denied the request: unknown error. please check the logs.
root@amit-pc:/home/amit/connaisseur# kubectl get pods -A
NAMESPACE     NAME                                      READY   STATUS    RESTARTS      AGE
connaisseur   connaisseur-deployment-68ccd9cfb7-54s6v   1/1     Running   0             83s
connaisseur   connaisseur-deployment-68ccd9cfb7-7lwmz   1/1     Running   0             83s
connaisseur   connaisseur-deployment-68ccd9cfb7-dbx7q   1/1     Running   0             83s
kube-system   coredns-5d78c9869d-sjh4b                  1/1     Running   0             11m
kube-system   etcd-minikube                             1/1     Running   0             11m
kube-system   kube-apiserver-minikube                   1/1     Running   0             11m
kube-system   kube-controller-manager-minikube          1/1     Running   1 (12m ago)   12m
kube-system   kube-proxy-km9j7                          1/1     Running   0             11m
kube-system   kube-scheduler-minikube                   1/1     Running   0             12m
kube-system   storage-provisioner                       1/1     Running   1 (11m ago)   11m
kubectl logs connaisseur-deployment-68ccd9cfb7-54s6v -n connaisseur
{"timestamp": "2023-10-16 12:10:41.419312", "message": "Traceback (most recent call last):\n File "/usr/local/lib/python3.11/site-packages/aiohttp/connector.py", line 980, in _wrap_create_connection\n return await self._loop.create_connection(*args, **kwargs) # type: ignore[return-value] # noqa\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.11/asyncio/base_events.py", line 1112, in create_connection\n transport, protocol = await self._create_connection_transport(\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.11/asyncio/base_events.py", line 1145, in _create_connection_transport\n await waiter\n File "/usr/local/lib/python3.11/asyncio/futures.py", line 287, in await\n yield self # This tells Task to wait for completion.\n ^^^^^^^^^^\n File "/usr/local/lib/python3.11/asyncio/tasks.py", line 349, in __wakeup\n future.result()\n File "/usr/local/lib/python3.11/asyncio/futures.py", line 203, in result\n raise self._exception.with_traceback(self._exception_tb)\n File "/usr/local/lib/python3.11/asyncio/sslproto.py", line 575, in _on_handshake_complete\n raise handshake_exc\n File "/usr/local/lib/python3.11/asyncio/sslproto.py", line 557, in _do_handshake\n self._sslobj.do_handshake()\n File "/usr/local/lib/python3.11/ssl.py", line 979, in do_handshake\n self._sslobj.do_handshake()\nssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n File "/app/connaisseur/flask_application.py", line 120, in __async_mutate\n response = await __admit(admission_request, session)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/app/connaisseur/flask_application.py", line 152, in __admit\n await patches\n File "/usr/local/lib/python3.11/asyncio/tasks.py", line 349, in __wakeup\n future.result()\n File 
"/usr/local/lib/python3.11/asyncio/tasks.py", line 279, in __step\n result = coro.throw(exc)\n ^^^^^^^^^^^^^^^\n File "/app/connaisseur/flask_application.py", line 247, in __validate_image\n trusted_digest = await validator.validate(image, **validator_arguments)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/app/connaisseur/validators/notaryv1/notaryv1_validator.py", line 50, in validate\n signed_image_targets = await self.__process_chain_of_trust(\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/app/connaisseur/validators/notaryv1/notaryv1_validator.py", line 121, in __process_chain_of_trust\n trust_data_list = await asyncio.gather(\n ^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.11/asyncio/tasks.py", line 349, in __wakeup\n future.result()\n File "/usr/local/lib/python3.11/asyncio/tasks.py", line 279, in __step\n result = coro.throw(exc)\n ^^^^^^^^^^^^^^^\n File "/app/connaisseur/validators/notaryv1/notary.py", line 110, in get_trust_data\n async with session.get(**request_kwargs) as response:\n File "/usr/local/lib/python3.11/site-packages/aiohttp/client.py", line 1141, in aenter\n self._resp = await self._coro\n ^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.11/site-packages/aiohttp/client.py", line 536, in _request\n conn = await self._connector.connect(\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.11/site-packages/aiohttp/connector.py", line 540, in connect\n proto = await self._create_connection(req, traces, timeout)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.11/site-packages/aiohttp/connector.py", line 901, in _create_connection\n _, proto = await self._create_direct_connection(req, traces, timeout)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.11/site-packages/aiohttp/connector.py", line 1209, in _create_direct_connection\n raise last_exc\n File "/usr/local/lib/python3.11/site-packages/aiohttp/connector.py", line 1178, in 
_create_direct_connection\n transp, proto = await self._wrap_create_connection(\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.11/site-packages/aiohttp/connector.py", line 982, in _wrap_create_connection\n raise ClientConnectorCertificateError(req.connection_key, exc) from exc\naiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host notary.docker.io:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')]\n"}
{"timestamp": "2023-10-16 12:10:41.420851", "client_ip": "10.244.0.1", "method": "POST", "path": "/mutate", "query": "timeout=30s", "protocol": "HTTP/1.1", "status_code": "200"}
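A triage helper for the log format shown in the post above, added here as an example (it is not part of the original post and not Connaisseur's own code): from each JSON log line it extracts the endpoint, the OpenSSL verify reason and the Connaisseur frame that issued the request. The names `triage` and `CHECKS`, the wording of the checks, and the sample lines are assumptions constructed for illustration.

```python
import json
import re

# Final aiohttp error, in the form it takes in the log on this page.
CONNECT_RE = re.compile(
    r"Cannot connect to host (?P<host>[\w.-]+):(?P<port>\d+) ssl:\S+ "
    r"\[SSLCertVerificationError: .*?certificate verify failed: "
    r"(?P<reason>[^(]+?) \(_ssl\.c:\d+\)"
)
# Traceback frames that belong to Connaisseur rather than to aiohttp or asyncio.
FRAME_RE = re.compile(r'File "(/app/connaisseur/[^"]+)", line (\d+), in (\w+)')
# OpenSSL verify reasons mapped to a first check (the checks are this example's wording).
CHECKS = {
    "self-signed certificate": "compare with the certificate the host presents outside the cluster",
    "self-signed certificate in certificate chain": "find who owns the untrusted root in the chain",
    "unable to get local issuer certificate": "check the pod's CA bundle and the server's chain",
}

def triage(line):
    """Summarise a TLS verification failure found in one log line, else None."""
    try:
        record = json.loads(line)
        if not isinstance(record, dict):
            return None
        timestamp, message = record.get("timestamp"), str(record.get("message", ""))
    except json.JSONDecodeError:
        # Copied logs can lose their quote escaping; fall back to the raw text.
        timestamp, message = None, line.replace("\\n", "\n")
    hit = CONNECT_RE.search(message)
    if hit is None:
        return None
    frames = FRAME_RE.findall(message)
    return {
        "timestamp": timestamp,
        "endpoint": f"{hit['host']}:{hit['port']}",
        "reason": hit["reason"],
        "check": CHECKS.get(hit["reason"], "look up the OpenSSL verify reason"),
        "caller": frames[-1] if frames else None,  # innermost Connaisseur frame
    }

# Constructed sample: the tail of the traceback above, re-serialised as valid JSON.
TRACE = ('Traceback (most recent call last):\n  File "/app/connaisseur/validators/'
         'notaryv1/notary.py", line 110, in get_trust_data\naiohttp.client_exceptions.'
         "ClientConnectorCertificateError: Cannot connect to host notary.docker.io:443 "
         "ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] "
         "certificate verify failed: self-signed certificate (_ssl.c:1006)')]\n")
SAMPLE = [json.dumps({"timestamp": "2023-10-16 12:10:41.419312", "message": TRACE}),
          '{"timestamp": "2023-10-16 12:10:41.420851", "path": "/mutate", "status_code": "200"}']
RESULTS = [triage(entry) for entry in SAMPLE]  # [summary dict, None]
```

The second sample line, the `/mutate` access record, yields `None`: its `status_code` of 200 is the HTTP status of the webhook response, while the denial itself is what `kubectl` reported.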