Allowing custom certificates in okteto cli

Support
1

Hi, I’m going over Getting Started on Okteto Cloud with PHP tutorial and getting the “certificate signed by unknown authority” error when running “okteto init”. I believe it’s related to the custom zscaler CA that our company defines.
How can I have okteto cli to trust custom CA?
Thanks in advance

➜ php-getting-started git:(main) okteto init
i Using … @ cloud.okteto.com as context
✓ Okteto manifest (okteto.yml) deploy and build configured successfully
? Do you want to launch your development environment? [Y/n]: y
i Building ‘Dockerfile’ in tcp://buildkit.cloud.okteto.net:443…
[+] Building 0.0s (0/0)
x Error building service ‘hello-world’: error building image ‘registry.cloud.okteto.net/.../php-hello-world:1.0.0’: build failed: failed to dial gRPC: rpc error: code = Unavailable desc = connection error: desc = “transport: authentication handshake failed: x509: certificate signed by unknown authority”

2

Hello! Thank you for reaching out. With the release of CLI 2.17 expected on June 21st, we are adding the feature for Okteto CLI to be able to use system trusted CAs.

3

Thanks @jona
Is there any workaround in the meanwhile? June 21st is a long time from now and it prevents us from evaluating the tool

4

Maybe there’s a beta version we can try that has it fixed?

5

I am currently talking with the team internally to see what are the best options as a workaround and will update you soon. Thank you!

6

Hello, you will be able to make use of this feature by using out Dev Release Channel as explained here: okteto/RELEASE.md at master · okteto/okteto · GitHub

The feature was merged into our master branch today and will be released at 4am UTC and should be available starting tomorrow. Please let us know if you need additional help or if you have other questions, thank you!

7

Actually, we were able to manually publish the feature in our Dev channel so if you would like to try before tomorrow you should be able to do so. Let us know if you run into any issues!

export OKTETO_CHANNEL=dev
curl https://get.okteto.com -sSfL | sh
1 Like
8

Hi @jona ,
Sorry for resurrecting this thread but seems like the problem is still there and the workaround no longer works, can you please check?


➜  php-getting-started git:(main) okteto version
okteto version 2.16.3 
➜  php-getting-started git:(main) okteto version update
 ✓  The latest okteto version is already installed
➜  php-getting-started git:(main) okteto deploy --build
 i  Using harley84 @ cloud.okteto.com as context
..
[+] Building 0.0s (0/0)                                                                                                                                           
 x  Error building service 'hello-world-dev': error building image 'registry.cloud.okteto.net/harley84/php-getting-started-hello-world-dev:okteto': build failed: failed to dial gRPC: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"

➜  ~ export OKTETO_CHANNEL=dev
curl https://get.okteto.com -sSfL | sh

> Using Release Channel: dev
> Using Version: 2.16.4-beta.1
> Downloading .../2.16.4-beta.1/okteto-Darwin-arm64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 74.9M  100 74.9M    0     0  9068k      0  0:00:08  0:00:08 --:--:-- 14.9M
> Installing /usr/local/bin/okteto
> Okteto successfully installed!
➜  ~ okteto deploy --build    
 i  Using harley84 @ cloud.okteto.com as context
 x  Couldn't detect any manifest (okteto manifest, pipeline, compose, helm chart, k8s manifest)
➜  ~ cd ~/Desktop/okteto/php-getting-started 
➜  php-getting-started git:(main) okteto deploy --build                  
 i  Using harley84 @ cloud.okteto.com as context
 i  Building 'Dockerfile' in...
[+] Building 0.0s (0/0)                                                                                                                                                                                                                       
 x  Error building service 'hello-world': error building image 'registry.cloud.okteto.net/harley84/php-hello-world:1.0.0': build failed: failed to get status: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"
➜  php-getting-started git:(main) okteto version  
okteto version 2.16.4-beta.1
9

Hi @harley84,

from the logs shared I can see you have tried using 2.16.3 which still does not include the fix - which will make it into the 2.17.0 release.

You correctly tried to use the dev channel again, however yesterday we created a new beta release for 2.16.4 which ends up in the same release channel (dev). That version doesn’t include the fix you need.

As the time I am posting this, if you try again downloading the dev channel again, you should get the latest build from the master branch which includes the fix you need.

However, because we don’t know when you will see and try this, and we might create new beta releases in the meantime, I would suggest downloading a specific build, equivalent to the current latest dev build: ebe5d55

You can download this binary, directly using these links, depending on your OS:

If you use Linux, just use the suffix: “okteto-Linux-x86_64”

I hope this helps. Don’t hesitate to reach out again if you experience any issue.

Andrea

10

Hi @harley84,

The Okteto CLI 2.17.0 has been released today, if you want to update, just run:

curl https://get.okteto.com -sSfL | sh

or

brew upgrade okteto

Let us know how it goes!

Andrea