SSL Inspection - Custom Certificate

Hey everyone, I am setting up CKF behind a strict firewall and deep SSL packet inspection. When deploying Kubeflow on the MicroK8s cluster with Juju:

juju deploy kubeflow --trust --channel=1.7/stable

I get the following issue:

ERROR resolving with preferred channel: Post "https://api.charmhub.io/v2/charms/refresh": tls: failed to verify certificate: x509: certificate signed by unknown authority

I assume this is due to the SSL inspection, which replaces the original certificate with the one used by packet inspection. I deployed the custom certificate on the node I run juju on and also ran update-ca-certificates. Nevertheless, this error still occurs. How can I point juju to the right CA certificate?

Hey @lukas, the TLS error seems to be unrelated to the Kubeflow installation but has to do with your machine being able to initiate TLS with https://api.charmhub.io

Looks like it can’t verify the certificate of charmhub api

Hey, thanks for the reply. Yes, this is the problem: all traffic goes through SSL packet inspection, hence my machine does not get to see the original certificate. How can I whitelist the dummy certificate that is being used by the inspection tool? update-ca-certificates did not solve this.

Hey everyone, where are the CA certificates that are checked against during the deployment process stored?

My Ubuntu machine does not have this error when using e.g. curl to access https://api.charmhub.io. But the juju deployment process appears not to be using the CA certificate from my system.