tech question, certificate related 

Setup:

% openssl verify -x509_strict -CAfile /etc/caoimheca/services/cacert.pem /etc/etcd/etcd.crt
/etc/etcd/etcd.crt: OK
% grep _CA_ /etc/default/etcd
/etc/default/etcd:ETCD_TRUSTED_CA_FILE="/etc/caoimheca/services/ca-bundle.pem"
/etc/default/etcd:ETCD_PEER_TRUSTED_CA_FILE="/etc/caoimheca/services/ca-bundle.pem"
%

re: tech question, certificate related 

% journalctl -xn5000 -u etcd.service | grep _TRUSTED_
May 30 23:47:24 bn5 etcd[1147360]: recognized and used environment variable ETCD_PEER_TRUSTED_CA_FILE=/etc/caoimheca/services/cacert.pem
May 30 23:47:24 bn5 etcd[1147360]: recognized and used environment variable ETCD_TRUSTED_CA_FILE=/etc/caoimheca/services/cacert.pem
%

re: tech question, certificate related 

Why this then?

% journalctl -xn5000 -u etcd.service | grep x509
May 30 23:49:55 bn5 etcd[1147432]: health check for peer 41618d081194479f could not connect: x509: certificate signed by unknown authority (prober "ROUND_TRIPPER_SNAPSHOT")
May 30 23:49:55 bn5 etcd[1147432]: health check for peer 41618d081194479f could not connect: x509: certificate signed by unknown authority (prober "ROUND_TRIPPER_RAFT_MESSAGE")
%

re: tech question, certificate related 

Everything says that my certificates are cross-signed correctly from a common CA that is also being used by etcd, but they refuse to accept the peer certificates because they are "signed by unknown authority"? WHY?
