External-dns: Getting "x509: certificate signed by unknown authority" with Route53 setup

Created on 19 May 2019 · 3 Comments · Source: kubernetes-sigs/external-dns

Using the latest (as of 2019-05-18) version of registry.opensource.zalan.do/teapot/external-dns I'm getting the following logs:

level=error msg="RequestError: send request failed\ncaused by: Get https://route53.amazonaws.com/2013-04-01/hostedzone: x509: certificate signed by unknown authority"

It turns out that it cannot trust route53.amazonaws.com because the /etc/ssl/certs directory is empty. I believe this problem is also the reason for #1035.

Possible solution: include certificate installation in the Dockerfile:

RUN apk add ca-certificates && update-ca-certificates
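
A preflight check for the condition diagnosed above (an empty /etc/ssl/certs), as an added example that is not part of the issue or of the external-dns code base: it counts the parseable X.509 certificates in a directory and exits non-zero when there are none. The function name countCerts and the optional directory argument are assumptions of this example.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// countCerts returns how many parseable X.509 certificates sit in the PEM
// files directly inside dir. A bundle file contributes one per certificate.
func countCerts(dir string) (int, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return 0, err
	}
	total := 0
	for _, e := range entries {
		// os.ReadFile follows the symlinks that update-ca-certificates creates.
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			continue // subdirectory, dangling symlink or unreadable file
		}
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type == "CERTIFICATE" {
				if _, err := x509.ParseCertificate(block.Bytes); err == nil {
					total++
				}
			}
		}
	}
	return total, nil
}

func main() {
	dir := "/etc/ssl/certs" // directory named in the issue
	if len(os.Args) > 1 {
		dir = os.Args[1] // assumption: optional override for other layouts
	}
	n, err := countCerts(dir)
	if err != nil || n == 0 {
		fmt.Fprintf(os.Stderr, "no usable CA certificates in %s (err=%v): TLS verification will fail\n", dir, err)
		os.Exit(1)
	}
	fmt.Printf("%s: %d CA certificates\n", dir, n)
}
```

Run inside the built image as a CI step, it fails the build when the trust store is missing instead of leaving the x509 error to appear at runtime.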

All 3 comments

I also see this issue using the latest tag:

time="2019-05-19T15:59:18Z" level=error msg="Get https://www.googleapis.com/dns/v1/projects/REDACTED/managedZones?alt=json&prettyPrint=false: x509: certificate signed by unknown authority"

Using the latest release of v0.5.14 resolves this issue.

For me, when I attempted this, latest resolved to docker-pullable://registry.opensource.zalan.do/teapot/external-dns@sha256:15e89230a0bbe62dac4c2af011fc3ed24384f2ec4df4899de16dda48c0087a93. I'm running on Google Kubernetes Engine, version v1.12.7-gke.10.

The same is the case for AWS Route53 with the latest Docker image:

time="2019-05-21T10:03:48Z" level=error msg="RequestError: send request failed\ncaused by: Get https://route53.amazonaws.com/2013-04-01/hostedzone: x509: certificate signed by unknown authority"

Sorry about that! @dryewo fixed it in #1037.

  • New images are being built right now and should work again.
  • The latest released version v0.5.14 works, too.