FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
New Article

Could not reconcile component versions. Get \"https://[DNS]/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority.

sankey5
Dynatrace Contributor
Dynatrace Contributor

‎26 Mar 2024 11:16 PM - edited ‎27 Mar 2024 03:35 PM

With the introduction of later Dynatrace operator versions (such as Operator 0.14.0 and 0.15.0), the operator now performs more checks to ensure your deployment does not crash or see errors when deploying your dynakube.yaml custom resource. One of these checks is to reach out to the image repository where the operator is to reach out and pull the necessary images from and confirm the version of the image is correct. In doing so, it checks the certificate authority of the image repository to ensure it can trust the connection. If you are using a custom Certificate Authority (CA) certificate in your network, are using a custom CA certificate for a managed cluster, or you are using an image repository that has it's own CA certificate, you will likely receive the following error shown in your Dynatrace Operator pod:

 

 

{"level":"info","ts":"2024-02-26T21:06:49.315Z","logger":"dynakube-version","msg":"updating image version info for tenant registry image","image":"[DNS]/linux/activegate:latest","oldImageID":"","oldVersion":""}
{"level":"info","ts":"2024-02-26T21:06:49.379Z","logger":"dynakube-version","msg":"failed to determine image version"}
{"level":"info","ts":"2024-02-26T21:06:49.379Z","logger":"dynakube","msg":"could not reconcile component versions"}
getting reference \"[DNS]/linux/activegate:latest\"","ts":"2024-02-26T21:06:46.721Z"}{"error":"getting reference \"[DNS]/linux/activegate:latest\": Get \"https://[DNS]/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
...

 

 

Please note that "[DNS]" is the DNS of the image repository or Dynatrace cluster where the image is stored.This error is created because the Dynatrace operator does not have a CA certificate who's name matches an expected CA certificate. This is typically because the CA certificates do not match. To resolve this, you will need to provide the trusted CA certificate of the URL it is attempting to reach out to, to the Dynatrace operator. This can be done by using the following dynakube parameter trustedCAs. This parameter is documented here: DynaKube parameters for Dynatrace Operator.

The value for the trustedCAs parameter should be the name of a secret in the same namespace as the Dynatrace Operator. The contents of the secret should be as follows:

 

 

data:
  certs: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

 

 

Please note the following:

  • The key of the secret is named "certs"
  • If you need multiple CA certificates, they can be appended together.

Finally, please note this issue is separate from an already known common issue defined here: https://community.dynatrace.com/t5/Troubleshooting/Internal-error-occurred-failed-calling-webhook-x5....

Version history
Last update:
‎27 Mar 2024 03:35 PM
Updated by:
Dynatrace Contributor