Login to TMC SM using Tanzu cli is faling with failed to verify certificate: x509: certificate signed by unknown authority

Article ID: 432328

Products

VMware Tanzu Mission Control - SM

Issue/Introduction

  • Login to TMC-SM using the Tanzu CLI fails with the TLS error "failed to verify certificate".

tanzu mission-control context create tmc --endpoint yourtmcsm.fqdn --idp-type pinniped --basic-auth

[i] Starting TMC login...
[i] IDP type is set to "pinniped"
[i] endpoint is set to "tmcsm.Domain"
[i] [i] context is set to "tmc"
[i] Logging in to TMC Self Managed (Pinniped)...
[i] Pinniped Username/Password login...
Error: failed to retrieve endpoints from well-known endpoint, Error [117]: OIDC Metadata Retrieval Error, detail: Get "https://pinniped-supervisor.tmcsm.Domain/provider/pinniped/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority
Usage:

  • Even after adding "--insecure" (which only skips x509 certificate verification when interacting with the upstream IDP, Pinniped or VCD), certificate validation still fails on the next connection, when the CLI contacts the TMC SM endpoint for plugin discovery.

tanzu mission-control context create tmc --endpoint yourtmcsm.fqdn --idp-type pinniped --basic-auth --insecure

[i] Starting TMC login...
[i] IDP type is set to "pinniped"
[i] endpoint is set to "tmcsm.Domain"
[i] [i] context is set to "tmc"
[i] Logging in to TMC Self Managed (Pinniped)...
[i] Pinniped Username/Password login...
? Username tseadmin
? Password [? for help] **********
[i] Successfully created a TMC SelfManaged (Pinniped) context, "tmc"
[i] Synchronizing other TMC plugins...
[i] Fetching recommended plugins for active context 'tmc'...
[i] Fetching recommended plugins for active context 'tmc-sm-cluster'...
[ok] No recommended plugins found.
[x] : unable to list plugins from discovery source 'default-tmc': Get "https://tmcsm.domain:443/v1alpha1/system/binaries/plugins": tls: failed to verify certificate: x509: certificate signed by unknown authority
Error: exit status 1

Environment

VMware Tanzu Mission Control Self Manage (TMC-SM)

Cause

The certificate of the issuer/Certificate Authority (CA) that issued the TMC SM DNS zone certificates is not trusted by the JumpBox from which we are trying to log in to TMC SM using the "tanzu mission-control context create" command.

Resolution

  • If the external endpoints for the DNS zone certificates were issued by a private Certificate Authority (e.g. Microsoft Certificate Authority), then we need to add its certificate to the JumpBox trusted store.
  • If we used cert-manager to request TLS certificates for the external endpoints listed in "Configure a DNS zone", then we need to add the Cluster Issuer certificate to the JumpBox trusted store.

    - To get the certificate for the Cluster Issuer, run the following command in the context of the VKS cluster where TMC-SM is installed (the jsonpath key must escape the dot in "ca.crt" and the closing quote belongs after the closing brace):
    kubectl get secret -n cert-manager tmcsm-issuer -o jsonpath="{.data.ca\.crt}" | base64 -d > clusterIssuerCA.crt

    Note: In this example the Cluster Issuer secret is called "tmcsm-issuer" and it should be under the cert-manager namespace.


Steps to Trust a root CA Certificate on:

- Windows JumpBox:

    1. Export the Certificate: If you have a .crt or .cer file, skip to step 2. If not, open the URL in Chrome/Edge, click "Not Secure" -> Certificate is not valid -> Details -> Export.
    2. Open Certificate Manager: Press Win + R, type certlm.msc (for Local Machine) or certmgr.msc (for Current User), and hit Enter.
    3. Import the Certificate:
       - Navigate to Trusted Root Certification Authorities > Certificates.
       - Right-click Certificates > All Tasks > Import.
       - Follow the wizard to select your certificate file.

- Ubuntu JumpBox: see "Install a root CA certificate in the trust store".
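The Cluster Issuer extraction and the Ubuntu trust-store step above, as an added shell example that is not part of this article: it pulls the CA out of the issuer Secret, checks that both the TMC SM API host and the Pinniped supervisor actually chain to that CA, and only then installs it on an Ubuntu JumpBox. The secret name "tmcsm-issuer" and namespace "cert-manager" follow the article; the helper names, the FQDN argument, and the output file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article: extract the cert-manager ClusterIssuer CA
# from its Secret, confirm it really issues the TMC SM endpoints the tanzu CLI
# talks to, then add it to the Ubuntu jumpbox trust store. Secret name/namespace
# follow the KB ("tmcsm-issuer" in "cert-manager"); host names, helper names and
# the output path are assumptions.
set -euo pipefail

# Print the decoded ca.crt of an issuer Secret (the dot in the key must be escaped).
extract_issuer_ca() {          # $1 secret name, $2 namespace
  kubectl get secret -n "$2" "$1" -o jsonpath='{.data.ca\.crt}' | base64 -d
}

# Structural check that we decoded a PEM certificate, not an empty or garbage value.
looks_like_pem_cert() {        # $1 file; 0 when PEM framing is present
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Prove the CA validates the live endpoint before anything is trusted system-wide.
# The CLI contacts both the API host and the Pinniped supervisor, so check both.
verify_endpoint_with_ca() {    # $1 host, $2 CA file; 0 only on a clean chain
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
    | grep 'Verify return code: 0 (ok)' >/dev/null
}

# Ubuntu/Debian trust store; Go binaries such as the tanzu CLI read the regenerated bundle.
install_ca_ubuntu() {          # $1 CA file
  sudo cp "$1" /usr/local/share/ca-certificates/tmcsm-issuer-ca.crt
  sudo update-ca-certificates
}

main() {                       # $1 TMC SM FQDN, e.g. yourtmcsm.fqdn
  local fqdn=$1 ca=./clusterIssuerCA.crt
  extract_issuer_ca tmcsm-issuer cert-manager > "$ca"
  looks_like_pem_cert "$ca" || { echo "Secret did not contain a PEM certificate" >&2; return 1; }
  for host in "$fqdn" "pinniped-supervisor.$fqdn"; do
    verify_endpoint_with_ca "$host" "$ca" \
      || { echo "$host does not chain to $ca; wrong issuer secret?" >&2; return 1; }
  done
  install_ca_ubuntu "$ca"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then main "${2:?usage: --run <tmcsm fqdn>}"; fi
```

Run it as `bash trust-tmcsm-ca.sh --run yourtmcsm.fqdn` with the VKS cluster as the current kubectl context. If the system store cannot be modified, Go binaries such as the tanzu CLI also honour SSL_CERT_FILE pointing at the extracted clusterIssuerCA.crt.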