I set up a publisher machine and created a repository with cvmfs_server mkfs using an HTTPS gateway. When I try to start a transaction with cvmfs_server transaction I get this error:
Make lease acquire request failed: 60. Reply:
(unexpected termination) cannot acquire lease
which if I understand correctly comes from libcurl and corresponds to this libcurl error:
CURLE_PEER_FAILED_VERIFICATION (60)
The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK. This error code has been unified with CURLE_SSL_CACERT since 7.62.0. Its previous value was 51.
So I looked into the logs of the reverse proxy running in front of the gateway and found:
level=debug msg="http: TLS handshake error from 131.154.96.113:61805: remote error: tls: unknown certificate authority"
So it looks a lot like libcurl inside cvmfs_server is missing the CA certificates. I tried to set X509_CERT_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt in /etc/cvmfs/repositories.d/my.repo/server.conf but that didn’t help.
I’m sure the general setup is correct since I can interact with the gateway API using curl from the publisher machine, and curl is using the /etc/pki/tls/certs/ca-bundle.crt bundle. So I’d say it’s a CVMFS configuration issue, but I can’t figure out what’s wrong in the above-described setup. Any help is greatly appreciated, thanks.