Imported CA "add to trust store" not working (TrueNAS-SCALE-22.12.4.2)

Perry The Cynic (Dabbler, joined Aug 15, 2023, 34 messages)
On TrueNAS-SCALE-22.12.4.2, when I check the "add to trust store" checkbox in the import-a-CA UI workflow, the import succeeds but the CA is not, in fact, added to the trust store of the system. The root certificate shows up in /etc/certificates/CA but not in /etc/ssl/certs. As a result, TrueNAS cannot pull an image from a private registry certified by that CA (which happens to run on that very box, in case that matters). Pulls from outside (macOS with the root added to its trust store) work fine.

The obvious work-around (soft-linking the certificate into /etc/ssl/certs) works after restarting docker, but that reaches beneath the API surface and thus can't be a good answer.

Is this a bug or am I holding it wrong?

Cheers
-- perry
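As an added example (not the original poster's code and not TrueNAS's own tooling), here is a Python check for exactly the symptom described above: it compares the SHA-256 fingerprint of the imported CA against every certificate under the trust directory, including the many PEM blocks packed inside bundle files such as ca-certificates.crt, so it reports whether the "add to trust store" step actually took effect. The paths /etc/certificates/CA and /etc/ssl/certs are taken from the post; the demo() function uses constructed placeholder blobs in a temporary directory rather than real certificates, and the symlink it creates mirrors the manual work-around the post mentions.

```python
"""Check whether a CA certificate (e.g. one imported under /etc/certificates/CA)
is actually present in the system trust store (/etc/ssl/certs) by comparing
SHA-256 fingerprints of the DER encodings.  Bundle files that hold many PEM
blocks are handled too.  Paths are assumptions taken from the forum post."""
import base64
import hashlib
import os
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Yield DER bytes for each CERTIFICATE block in a PEM file or bundle.
    Blocks whose DER does not start with an ASN.1 SEQUENCE (0x30) are skipped,
    since every X.509 certificate is a SEQUENCE."""
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        if der[:1] == b"\x30":
            yield der


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def trust_store_fingerprints(trust_dir):
    """Map fingerprint -> file for every certificate under trust_dir
    (symlinks, as created by the work-around, are followed)."""
    found = {}
    for path in sorted(Path(trust_dir).glob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for der in pem_blocks(text):
            found.setdefault(fingerprint(der), str(path))
    return found


def ca_in_trust_store(ca_pem_path, trust_dir="/etc/ssl/certs"):
    """Return (fingerprint, matching trust-store file or None) for the first
    certificate in ca_pem_path."""
    ders = list(pem_blocks(Path(ca_pem_path).read_text()))
    if not ders:
        raise ValueError(f"no CERTIFICATE block in {ca_pem_path}")
    fp = fingerprint(ders[0])
    return fp, trust_store_fingerprints(trust_dir).get(fp)


def demo():
    """Self-contained walk-through using constructed placeholder 'certificates'
    (a minimal DER SEQUENCE, not real X.509) in temporary directories.
    Returns the match result before and after linking the CA into the store."""
    def pem(der):
        b64 = base64.b64encode(der).decode()
        return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

    with tempfile.TemporaryDirectory() as tmp:
        ca_dir = Path(tmp, "certificates", "CA")
        ca_dir.mkdir(parents=True)
        trust_dir = Path(tmp, "ssl", "certs")
        trust_dir.mkdir(parents=True)
        # Constructed stand-in for the imported private-registry CA.
        my_ca = ca_dir / "private-registry-ca.crt"
        my_ca.write_text(pem(b"\x30\x03\x02\x01\x01"))
        # Constructed bundle holding an unrelated certificate, like ca-certificates.crt.
        (trust_dir / "ca-certificates.crt").write_text(pem(b"\x30\x03\x02\x01\x02"))
        before = ca_in_trust_store(my_ca, trust_dir)[1]
        # The manual work-around from the post: soft-link the CA into the store.
        os.symlink(my_ca, trust_dir / my_ca.name)
        after = ca_in_trust_store(my_ca, trust_dir)[1]
        return before, after


if __name__ == "__main__":
    print(demo())
```

On a real box, call ca_in_trust_store("/etc/certificates/CA/<your-ca>.crt") after ticking the checkbox; a None result means the trust-store step silently did nothing, regardless of what the UI reported.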
Perry The Cynic (Dabbler, joined Aug 15, 2023, 34 messages)
This seems to have gotten fixed in Cobia, suggesting that the previous behavior was a bug. It's still pretty brittle, though. If you run into this, the "add to trust store" checkbox seems to be working in Cobia, but upgrading to Cobia doesn't magically heal the problem; I had to delete and recreate the CA for this to take effect. Also note that after adding the CA, you need to bounce the k3s system before it accepts the new root as trusted. I don't know if there's a UI affordance or API for this; I just rebooted the box and that worked.

Cheers
-- perry
Joined Jul 4, 2023, 6 messages
Hey bud, thanks for posting this. It pointed me in the right direction when I was trying to add replication jobs and I was getting "unable to get local issuer certificate". I didn't think I had to add the CA in the CA section of the TN UI, but there's the checkbox there to add to the trusted store.