When installing LCI using a private repository, images cannot be pulled, and the Supervisor service is stuck in an error state with the following error:
Reason: ReconcileFailed. Message: vendir: Error: Syncing directory '0': Syncing directory: with imgpkgBundle contents: Fetching image: Error while preparing a transport to talk with the registry: Unable to create round tripper: Get "https://projects.packages.broadcom.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority (hint: The CA Certificate from URL is unknown/invalid. Add valid CA certificate to the kapp-controller configuration to reconcile successfully).
vSphere Supervisor 9.x
Docker was used for image relocation instead of imgpkg, which is documented here. This led to missing or broken image references during deployment because the relocation metadata was handled incorrectly.
For other related registry certificate issues with vSphere with Tanzu 7.x and vSphere 8.x, please check this KB.
SSH into the Supervisor VM.
Check the certificate at /etc/containerd/certs/private-repo/ca.crt.
Decode the ca.crt and confirm it matches the certificate used by the container registry configured in the vCenter UI. The container registry can be configured through this doc. If the certificate is incorrect, replace it with the correct one.
Restart the relevant pods to apply the changes:
Restart both the kapp-controller pod and the image-controller pod on the Supervisor VM.
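One way to carry out the "decode and confirm it matches" step with openssl, as an added example that is not part of the original KB or any Broadcom tooling: it prints the fields to compare and checks whether the registry's certificate actually chains to the CA file. The host name registry.example.internal, the /tmp paths and the sample certificates are placeholders, and the check assumes the registry certificate is issued directly by the CA in ca.crt (or is that same self-signed certificate).

```shell
#!/bin/sh
# Added example: the CA path is from the article; host names and sample
# certificates below are constructed placeholders.

# Show the fields to compare with the registry certificate set in the vCenter UI.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Succeeds only if registry certificate $2 chains to CA file $1.
# -no-CApath keeps the system trust directory out of the decision.
ca_trusts_registry() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# One-line verdict for a CA file / registry certificate pair.
verdict() {
    if ca_trusts_registry "$1" "$2"; then echo "match"; else echo "mismatch"; fi
}

# Constructed sample data in directory $1: a CA, a registry certificate
# issued by it, and an unrelated CA standing in for a wrong ca.crt.
make_sample() {
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=registry.example.internal" \
        -keyout "$1/reg.key" -out "$1/reg.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/reg.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/reg.crt" 2>/dev/null
}

# On the Supervisor VM, fetch what the registry serves and test it:
#   openssl s_client -connect registry.example.internal:443 </dev/null 2>/dev/null \
#       | openssl x509 > /tmp/registry.pem
#   describe_cert /etc/containerd/certs/private-repo/ca.crt
#   verdict /etc/containerd/certs/private-repo/ca.crt /tmp/registry.pem
```

A "mismatch" verdict corresponds to the x509 "certificate signed by unknown authority" error above; if the registry uses an intermediate CA, that intermediate must also be present in the CA file for the check to pass.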