Prisma Cloud Compute: X509 Certificate error for Registry Scanning on Openshift Container Platform

• Errors when attempting registry scanning of images located in AWS Cloud Elastic Container Registry (ECR) repository.

  • x509: certificate signed by unknown authority

  • Error:  Failed to pull image XXX

• Prisma Cloud Compute Edition
  • Self-hosted on OpenShift Container Platform
• AWS Cloud
  • Elastic Container Registry (ECR) repository
  • AWS service account provides full access to the ECR repository (using the AmazonEC2ContainerRegistryFullAccess permission policy)

• To ensure trust between parties in a secure communication session, Prisma Cloud compute uses digital certificates. Each certificate includes a digital signature to authenticate the identity of the issuer.
  • The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party.
  • If certificates cannot be found, the platform is unable to validate the session and is unable to pull images from the repository.
  • Example of the error noticed:

     Error pinging docker registry default-route-openshift-image-registry.$domain.com: Get https://default-route-openshift-image-registry.apps.$domain.com/v2/: x509: certificate signed by unknown authority

$ oc create configmap registry-cas -n openshift-config \
--from-file=myregistry.corp.com..5000=/etc/docker/certs.d/myregistry.corp.com:5000/ca.crt \
--from-file=otherregistry.com=/etc/docker/certs.d/otherregistry.com/ca.crt

$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

• Usually a hostname /ca.crt file located in the /etc/docker/certs.d/ directory.

• Prisma Cloud Certificates
• Prisma Certificate Management
• Knowledge Base for similar issue ('x509: certificate signed by unknown authority' when scanning registry image) in Containerd / CRI environment
• RedHat Article