CA certificates for cvmfs_server on publisher machine

I set up a publisher machine and created a repository with cvmfs_server mkfs using an https gateway. When I try to start a transaction with cvfs_server transaction I get this error:

Make lease acquire request failed: 60. Reply: 
(unexpected termination) cannot acquire lease

which if I understand correctly comes from libcurl and corresponds to this libcurl error:


The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK. This error code has been unified with CURLE_SSL_CACERT since 7.62.0. Its previous value was 51. 

So I looked into the logs of the reverse proxy running in front of the gateway and found:

level=debug msg="http: TLS handshake error from remote error: tls: unknown certificate authority"

So it looks a lot like libcurl inside cvmfs_server is missing the CA certificates. I tried to set X509_CERT_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt in /etc/cvmfs/repositories.d/my.repo/server.conf but that didn’t help.

I’m sure the general setup is correct since I can interact with the gateway api using curl from the publisher machine, and curl is using the /etc/pki/tls/certs/ca-bundle.crt bundle. So I’d say it’s a CVMFS configuration issue, but I can’t figure out what’s wrong in the above described setup. Any help is greatly appreciated, thanks.

Connecting to the gateway through HTTPS is unfortunately not supported at the moment. I think it is a quick fix. The cvmfs HTTP code distinguishes between the default CA location and grid certificates. I think we would only need to turn system CAs on for the connection to the gateway. Could you open an issue on github?

@jakob Issue created:

Add HTTPS support for connecting to gateway · Issue #3060 · cvmfs/cvmfs · GitHub

I guess there’s no ETA for the implementation of this feature, but since I badly need it (it is a blocker for my prototyping work) I’d be available to implement and test it if you tell me what should I modify and where (never coped with cvmfs codebase so I’m completely lost at the moment)|.

Thanks for creating the issue! We’d be happy to let you help us with this. Let’s continue the discussion on Github.