0

I have deployed a private registry with Harbor, using self-signed certificates. Importing images to Harbor works, and pulling images works. On the worker nodes I have added the certificates to the OS as trusted, and I can pull images successfully from the CLI on the worker nodes by running ctr images pull harbor.mylab.com:9091/mylab/acid1

The problem is that when I create a pod and it tries to pull an image from the private registry, I see a certificate error: x509: certificate signed by unknown authority

After googling and reading more of the Rancher RKE2 documentation, I found out that you have to add a registries.yml file. In my case the file exists, but I am not sure how to edit it, because once the rke2 agent is restarted on the node the file is overwritten.

I want to have something like this, as I understand it from the docs (https://docs.rke2.io/install/containerd_registry_configuration/):

mirrors:
  docker.io:
    endpoint:
      - "harbor.mylab.com:9091"
configs:
  "harbor.mylab.com:9091":
    tls:
      cert_file:  /opt/harbor/certs/harbor_registry.crt
      key_file:  /opt/harbor/certs/harbor_registry.key
      ca_file:   /opt/harbor/certs/harbor_registry.csr

ognjen011

2 Answers

0

OK, for me personally (and this may not work for others) the solution was to add the certs in /usr/local/share/ca-certificates and in /etc/ssl/certs/, then run update-ca-certificates and restart the relevant Rancher services. If the service restart does not help, try rebooting the node.

ognjen011
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Nov 24 '22 at 16:47
0

So I also need the registries.yaml, as you mentioned?

  tls:
    cert_file:  /opt/harbor/certs/harbor_registry.crt
    key_file:  /opt/harbor/certs/harbor_registry.key
    ca_file:   /opt/harbor/certs/harbor_registry.csr

and place those 3 files inside /etc/ssl/certs/?

Sorry for posting another answer, I cannot add a comment yet :)
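
An added example, not part of the original posts: a shell check that each `cert_file`, `key_file` and `ca_file` named in a registries.yaml holds the kind of PEM object that field expects, since `ca_file` has to be a CA certificate and a `.csr` is only a signing request. The function names and script name are hypothetical, the YAML is read line by line rather than with a real parser, and the file to check is passed as the first argument.

```shell
#!/bin/sh
# Added example: check that each tls file named in a registries.yaml holds the
# kind of PEM object its field expects. Only the PEM label is inspected; this
# does not validate the certificate chain itself.

# Print the label of the first PEM block in a file, e.g. "CERTIFICATE".
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" 2>/dev/null | head -n 1
}

# check_field FIELD PATH: print a verdict; return 0 only when the file fits.
check_field() {
  cf_field=$1; cf_path=$2
  if [ ! -r "$cf_path" ]; then
    echo "FAIL $cf_field: $cf_path is missing or unreadable"; return 1
  fi
  cf_label=$(pem_label "$cf_path")
  case "$cf_field:$cf_label" in
    cert_file:CERTIFICATE|ca_file:CERTIFICATE|key_file:*"PRIVATE KEY")
      echo "OK   $cf_field: $cf_path ($cf_label)"; return 0 ;;
    *:"CERTIFICATE REQUEST"|*:"NEW CERTIFICATE REQUEST")
      echo "FAIL $cf_field: $cf_path is a signing request (CSR)"; return 1 ;;
    *)
      echo "FAIL $cf_field: $cf_path holds '${cf_label:-no PEM block}'"; return 1 ;;
  esac
}

# check_registries FILE: check every cert_file/key_file/ca_file entry and
# return the number of entries that failed (0 means all fit).
check_registries() {
  cr_bad=0
  while read -r cr_field cr_path; do
    [ -n "$cr_field" ] || continue
    check_field "${cr_field%:}" "$cr_path" || cr_bad=$((cr_bad + 1))
  done <<EOF
$(awk '$1 ~ /^(cert_file|key_file|ca_file):$/ { gsub(/"/, "", $2); print $1, $2 }' "$1")
EOF
  return "$cr_bad"
}

# Usage: sh check-registry-tls.sh /path/to/registries.yaml  (script name is hypothetical)
if [ "$#" -gt 0 ]; then check_registries "$1"; fi
```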