
The following error is encountered when you try to create a backup in Tanzu Mission Control (TMC). The error can be viewed in the velero-xxx-xxx pod running in the velero namespace.

error msg="backup failed" controller=backup error="error checking if backup already exists in object storage: rpc error: code = Unknown desc = RequestError: send request failed\caused by: Head https://s3.atlas.hermes/frsel-prd-scal-ab-a04/01FC3RDYFM12PG9WX3QC46ZFRM/backups/test-ang1/velero-backup.json: x509: certificate signed by unknown authority" error.file="/github.com/vmware-tanzu/velero/pkg/controller/backup_controller.go:547" error.function="github.com/vmware-tanzu/velero/pkg/controller.(*backupController).runBackup" key=velero/test-cluster logSource="pkg/controller/backup_controller.go:273"

This article explains how to configure the ‘customer provisioned’ S3 bucket.
You may be using an on-prem storage solution, such as MinIO or Scality, that uses self-signed certificates. All pods are running fine, but you observe the error "x509: certificate signed by unknown authority" for volume backup and the backups fail.
This is a known issue. Currently, only the CA certificate from a cluster's proxy configuration is added to the cert store; configuring a CA certificate for each data protection target location is not yet supported.

1. Check for the valid backup storage target locations in TMC. In addition, make sure your cluster can reach your target location.

   kubectl get backupstoragelocations.velero.io -n velero
   NAME                     AGE
   sample-target-location   5d1h

2. First do one of the following:

   - Provide the caCert: “self signed cert of s3 storage location in base64 encoded”
   - Set insecureSkipTLSVerify: “true” in the backup location configuration file

   Then restart the velero-xxx pod running under the “velero” namespace.

   kubectl edit backupstoragelocations.velero.io <your-target-location> -n velero

   For instance, the following is a sample file:

   spec:
     config:
       bucket: aws-s3
       resourceGroup: dp-backup
       storageAccount: velerobb08xx
       insecureSkipTLSVerify: "true"
       subscriptionId: c03f10db-1eed-43d7-xxx
     objectStorage:
       bucket: aws-s3
       caCert: <self signed cert of s3 storage location in base64 encoded format>
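
Of the two options in step 2, caCert keeps TLS verification of the storage endpoint enabled, while insecureSkipTLSVerify turns it off. The following added example (not part of the original article or of Velero) checks a PEM certificate bundle and produces the single-line base64 value for spec.objectStorage.caCert, plus a JSON merge patch that sets it. It assumes the storage endpoint's certificate is available in PEM form; the function names and the sample certificate body are constructed for illustration.

```python
import base64
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def pem_blocks(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("bundle contains a private key; supply certificates only")
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # An X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not hold DER-encoded data")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found (DER file or wrong input?)")
    return ders


def ca_cert_field(pem_text):
    """Single-line base64 of the PEM bundle, the form the caCert field takes."""
    pem_blocks(pem_text)  # validate before encoding
    return base64.b64encode(pem_text.strip().encode("ascii") + b"\n").decode("ascii")


def bsl_patch(pem_text):
    """JSON merge patch that sets caCert and leaves TLS verification on."""
    return json.dumps({"spec": {"objectStorage": {"caCert": ca_cert_field(pem_text)}}})


def constructed_pem():
    # Constructed stand-in (a 5-byte DER SEQUENCE), not a real certificate.
    body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # In practice, read the storage endpoint's CA certificate from a file.
    print(bsl_patch(constructed_pem()))
```

The printed patch can be passed to kubectl patch backupstoragelocations.velero.io <your-target-location> -n velero --type merge -p, as an alternative to pasting the value in kubectl edit.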