Since Friday I have been trying to set up a test EZD instance following the instructions in the handbook. Unfortunately, after adding the repository in Rancher, this error appears: Get "https://hub.eadministracja.nask.pl/chartrepo/ezdrp/index.yaml": x509: certificate signed by unknown authority
I can still work around that by editing the repo as YAML and adding insecureSkipTLSVerify: true in the spec section.
Unfortunately, even bypassing this leads to errors during installation, because the invalid certificate prevents files from being downloaded.
Is this just a temporary problem like last time, or is something wrong on my end?
openssl s_client -showcerts -connect hub.eadministracja.nask.pl:443
CONNECTED(00000003)
depth=0 CN = *.eadministracja.nask.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.eadministracja.nask.pl
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.eadministracja.nask.pl
verify return:1
---
Certificate chain
0 s:CN = *.eadministracja.nask.pl
i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG4H0FT923908502, emailAddress = support@fortinet.com
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 25 06:37:21 2024 GMT; NotAfter: Jul 25 06:37:20 2025 GMT
---
Server certificate
subject=CN = *.eadministracja.nask.pl
issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG4H0FT923908502, emailAddress = support@fortinet.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5106 bytes and written 421 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: F039E30832FD5C963E669B2EDE275083490E836444F9DAB1E560BDC3400DA2FF
Session-ID-ctx:
Master-Key: DFE30BCC7EB73B99A698610E0F6D5D844CACB319B4A75BBC3777CCAF8EDA7093735F351B429E62F9A4D1FFBFBB350273
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1738490629
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
Single-node. OpenSSL keeps pointing to Fortigate. I tried resetting the system certificates, to no avail. This one specific address points to Fortigate. Every other address I checked is OK.
In the first post the cert pointed to cyber_folks and the problem was temporary, so by analogy this may be on the side of the hub.administracja… server
I will also write to the firewall administrators to ask whether there really are no special policies on this address.
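
One way to triage `openssl s_client` output like that posted in this thread, as an added example that is not part of the original posts: it reads the issuer organisation and the verify return code and reports whether the leaf was issued by a CA matching a given pattern. The function names, verdict labels and pattern argument are assumptions; the sample is trimmed from the output above.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output read from stdin.
# $1 = extended regex of issuer organisations treated as TLS-inspection
#      devices (assumption; "Fortinet" is the one seen in this thread).
# Prints: verdict|issuer organisation|verify return code
classify_handshake() {
  awk -v pat="$1" '
    /^issuer=/ {
      # Split the issuer DN ("C = US, ST = ..., O = Fortinet, ...") on commas
      n = split(substr($0, 8), rdn, /, */)
      for (i = 1; i <= n; i++)
        if (rdn[i] ~ /^O *= */) { org = rdn[i]; sub(/^O *= */, "", org) }
    }
    /Verify return code:/ { code = $4 }
    END {
      if (code == "")      verdict = "no-handshake"   # no TLS session in input
      else if (code == 0)  verdict = "trusted"        # chain verified
      else if (org ~ pat)  verdict = "inspection-ca"  # leaf re-signed on path
      else                 verdict = "untrusted"      # other chain problem
      printf "%s|%s|%s\n", verdict, org, code
    }'
}

# Trimmed from the output posted in this thread (certificate body omitted).
sample_output() {
  cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = *.eadministracja.nask.pl
verify error:num=21:unable to verify the first certificate
---
Server certificate
subject=CN = *.eadministracja.nask.pl
issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG4H0FT923908502, emailAddress = support@fortinet.com
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Offline run on the sample; for a live host, pipe
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null
# into classify_handshake instead.
sample_output | classify_handshake 'Fortinet'
```

Running the same check from a host outside the firewall shows whether the issuer changes with the network path or is what the server itself presents.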