juju bootstrap to a maas-cloud with custom ca cert fails with tls error

william-conway · 20 September 2025 19:42

Over the past few days I have been trying to bootstrap my juju controller - I am using maas 3.6 and know that my issues surround the fact that it has custom ca cert. The bootstrap proceeds to a certain point then i see the tls error

ERROR creating MAAS environ: Get “X.X.X.X:5443/MAAS/api/2.0/version/”: tls: failed to verify certificate: x509: certificate signed by unknown authority 2025-09-20 16:43:28 DEBUG cmd supercommand.go:571 error stack: Get “X.X.X.X:5443/MAAS/api/2.0/version/”: tls: failed to verify certificate: x509: certificate signed by unknown authority github.com/juju/gomaasapi/v2.(*controller)._getRaw:887: github.com/juju/gomaasapi/v2.(*controller)._get:863:

Ive gone down several rabbit holes from trying to use preceeds to install the ca cert in trusted store using preceed scripts and curtin scripts - I tried deploying a machine and adding the cert manually - but no matter what I end up with the tls error.

Can anyone advise - granted I am new to Maas so could very likely be missing something simple but just cant see it.

My Maas is also acting as my juju client Both maas and juju are installed using snap

maas 3.6.1-17573-g.bc3a12219 40143 3.6/stable canonical✓ -

juju 3.6.9 32163 3/stable canonical✓ -

So bottom line - need details of how to bootstrap juju with a maas custom ca cert.

Details of the single machine with the maas and juju snap Distributor ID: Ubuntu 24.04.3 LTS Release: 24.04 Codename: noble

Thanks for any help or guidance.

william-conway · 21 September 2025 10:05

My latest attempt with this is using curtin/preceed scripts - I am creating a folder on the maas machine /var/snap/maas/current/preseeds/curtin/scripts Dropping my script in here that should copy the cert from /var/snap/maas/current/preseeds/curtin/my-ca.crt to /usr/local/share/ca-certificates/custom/my-ca.crt Changes permissions to 644 and then runs update-ca-certificates But the script never seems to run - Anyone had to do anything similar with curtin/preceed scripts - the documentation seems to vary but I think i have the right instructions for a snap install

william-conway · 21 September 2025 12:31

After abandoning the preceed/curtin approach I came across this

Show and Tell: New MAAS TLS feature - Development - Canonical MAAS | Discourse

I created my cloud-init.yml to conform to the described in the procedure -

The command I then use is juju bootstrap maas-cloud mycontroller --config=cloud-init.yaml

I still see tls error at the end

No VM guests are running outdated hypervisor (qemu) binaries on this host. Fetching Juju agent version 3.6.9 for amd64 Attempt 1 to download agent binaries from ‘streams.canonical.com/juju/tools/agent/3.6.9/juju-3.6.9-linux-amd64.tgz’…\n Agent binaries downloaded successfully. d62f9dd53f10acc756ea898a8ab29c114d054b6e7c2dc18129873faaf2d615c9 /var/lib/juju/tools/3.6.9-ubuntu-amd64/tools.tar.gz Installing Juju machine agent 2025-09-21 12:05:55 INFO juju.cmd supercommand.go:56 running jujud [3.6.9 8ca5a5ce6d5be058aa99f340ac2d0592c4313d42 gc go1.24.6] ERROR creating MAAS environ: Get “X.X.X.X:5443/MAAS/api/2.0/version/”: tls: failed to verify certificate: x509: certificate signed by unknown authority ERROR failed to bootstrap model: subprocess encountered error code 1

–

I have done a test where i deploy a machine - do the curl to the url X.X.X.X:5443/MAAS/api/2.0/version/ then install the cert and do the curl again - so i know its the trusting of the ca root cert - I just dont seem to be able to find a way to pretrust it

-Pre manual install of ca

ubuntu@ready-gecko:/usr/local/share/ca-certificates$ curl X.X.X.X:5443/MAAS/api/2.0/version/ curl: (60) SSL certificate problem: self-signed certificate in certificate chain

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Post Manual Install of CA

ubuntu@ready-gecko:/usr/local/share/ca-certificates$ sudo update-ca-certificates Updating certificates in /etc/ssl/certs… rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d… done. ubuntu@ready-gecko:/usr/local/share/ca-certificates$ curl X.X.X.X:5443/MAAS/api/2.0/version/ {“capabilities”: [“networks-management”, “static-ipaddresses”, “ipv6-deployment-ubuntu”, “devices-management”, “storage-deployment-ubuntu”, “network-deployment-ubuntu”, “bridging-interface-ubuntu”, “bridging-automatic-ubuntu”, “authenticate-api”], “version”: “3.6.1”, “subversion”: “”}ubuntu@ready-gecko:/usr/local/share/ca-certificates$

How do I properly let juju know to expect an internal ca and pre trust it ?? I have tried several different routes but all have ended up with the same tls error