importer pod x509: certificate signed by unknown authority #3989
Description
What happened:
When I use VMExporter to export a VM to another cluster, the cdi-importer pod throws an error.
[root@FHCSY-POD1-P0F0-PM-OS01-CUBE-M-001 ~]# kubectl logs importer-mk-test-root-volume -nkonveyor-forklift
I1223 07:39:30.267347 1 importer.go:104] Starting importer
I1223 07:39:30.268168 1 importer.go:171] begin import process
I1223 07:39:30.279408 1 http-datasource.go:239] Attempting to get certs from /certs/ca.pem
E1223 07:39:30.284837 1 importer.go:324] Get "https://virt-exportproxy.kubevirt/api/export.kubevirt.io/v1beta1/namespaces/test-mk/virtualmachineexports/mk-test/volumes/mk-test-root-volume/disk.img.gz": x509: certificate signed by unknown authority
HTTP request errored
kubevirt.io/containerized-data-importer/pkg/importer.createHTTPReader
pkg/importer/http-datasource.go:326
kubevirt.io/containerized-data-importer/pkg/importer.NewHTTPDataSource
pkg/importer/http-datasource.go:100
main.newDataSource
cmd/cdi-importer/importer.go:255
main.handleImport
cmd/cdi-importer/importer.go:173
main.main
cmd/cdi-importer/importer.go:143
runtime.main
GOROOT/src/runtime/proc.go:250
runtime.goexit
GOROOT/src/runtime/asm_amd64.s:1571
What you expected to happen:
I created a secret as a self-signed certificate for the virt-exportproxy.kubevirt domain in the source cluster, and then attached it to Ingress. There shouldn't be any problem.
How to reproduce it (as minimally and precisely as possible):
[root@FHCSY-POD1-P0F0-PM-OS01-EIS-M-001 secret]# kubectl get virtualmachineexport -ntest-mk -oyaml
apiVersion: v1
items:
- apiVersion: export.kubevirt.io/v1beta1
kind: VirtualMachineExport
metadata:
creationTimestamp: "2025-12-23T07:37:25Z"
generation: 1
name: mk-test
namespace: test-mk
resourceVersion: "49398724"
uid: 47066463-ba45-4673-861c-f4627bcc0278
spec:
source:
apiGroup: kubevirt.io
kind: VirtualMachine
name: mk-test
ttlDuration: 12h0m0s
status:
conditions:
- lastProbeTime: null
lastTransitionTime: "2025-12-23T07:37:38Z"
reason: PodReady
status: "True"
type: Ready
- lastProbeTime: null
lastTransitionTime: "2025-12-23T07:37:25Z"
reason: Unknown
status: "False"
type: PVCReady
links:
external:
cert: |-
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgIUDDFJXfyzhRcw3I77UXY9nGqR3y8wDQYJKoZIhvcNAQEL
BQAwHDEaMBgGA1UEAwwRTWlncmF0aW9uLVJvb3QtQ0EwHhcNMjUxMjIzMDczMTA2
WhcNMjYxMjIzMDczMTA2WjAkMSIwIAYDVQQDDBl2aXJ0LWV4cG9ydHByb3h5Lmt1
YmV2aXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyvgQcipq1/3l
1ARcPLqxqHnzSC/3ZqS/ZK67I2EBybSloN8hHYZbwV2ZSJ7pgQVZ88BCEzuHS+AW
wPZPFs2POM7hFGeNnwwVLCgf5AezickwkWfb0uPaYOgL9v0Td63plw0mpV98gS02
I8Jrmi/Vcrzv2NRYmLYRu+RYqCcUWQVV7FUCXSnxxKQgrUshAObNCuEObrgwdlq0
InZmugliyE2X28XGjirP9Oh/K7owEIPiwuKC3i1DtzywdxTZu75B6vIL97zj5aeI
4wghB/cmpqtyZfZ107746N3Iji65ifivNPThjmCnXxumJO6CGzt3s8XKONei5Npn
p82JLodzhwIDAQABo1UwUzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDATBgNVHSUE
DDAKBggrBgEFBQcDATAkBgNVHREEHTAbghl2aXJ0LWV4cG9ydHByb3h5Lmt1YmV2
aXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAYFjNq3yrHhgnvWtTfBv1WV2tMrA/rrFNm
i2LlWVRuln8imFJYQWSonsX6cYL9ltDDcBrBHYU5PCDej7a1K9BYhwkQVeftCnVz
HZTMFgUrM3L45/c9z7oqQ3VVM6okNozdO69KnkVWT3xZ1i0ggaLQ6aYMVmxTlEuF
Ty55DfJ6bFs3DMD02MRKWG5Of1VsHnVu3cCh8SaeQb+X1h0wc7pJk5G2mcJ4qgKn
82nMAEfR25TQYuWFuKFBHCAZU7k+ObHQ9Rt4RE6EUhf/1/a/wkegcyNmh0Ctgc7M
0GETLF5WSGKbXRvc5jqpa7F/J2WQth8NJxjPg1PFSsM+quPZUTVU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgIUDDFJXfyzhRcw3I77UXY9nGqR3y8wDQYJKoZIhvcNAQEL
BQAwHDEaMBgGA1UEAwwRTWlncmF0aW9uLVJvb3QtQ0EwHhcNMjUxMjIzMDczMTA2
WhcNMjYxMjIzMDczMTA2WjAkMSIwIAYDVQQDDBl2aXJ0LWV4cG9ydHByb3h5Lmt1
YmV2aXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyvgQcipq1/3l
1ARcPLqxqHnzSC/3ZqS/ZK67I2EBybSloN8hHYZbwV2ZSJ7pgQVZ88BCEzuHS+AW
wPZPFs2POM7hFGeNnwwVLCgf5AezickwkWfb0uPaYOgL9v0Td63plw0mpV98gS02
I8Jrmi/Vcrzv2NRYmLYRu+RYqCcUWQVV7FUCXSnxxKQgrUshAObNCuEObrgwdlq0
InZmugliyE2X28XGjirP9Oh/K7owEIPiwuKC3i1DtzywdxTZu75B6vIL97zj5aeI
4wghB/cmpqtyZfZ107746N3Iji65ifivNPThjmCnXxumJO6CGzt3s8XKONei5Npn
p82JLodzhwIDAQABo1UwUzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDATBgNVHSUE
DDAKBggrBgEFBQcDATAkBgNVHREEHTAbghl2aXJ0LWV4cG9ydHByb3h5Lmt1YmV2
aXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAYFjNq3yrHhgnvWtTfBv1WV2tMrA/rrFNm
i2LlWVRuln8imFJYQWSonsX6cYL9ltDDcBrBHYU5PCDej7a1K9BYhwkQVeftCnVz
HZTMFgUrM3L45/c9z7oqQ3VVM6okNozdO69KnkVWT3xZ1i0ggaLQ6aYMVmxTlEuF
Ty55DfJ6bFs3DMD02MRKWG5Of1VsHnVu3cCh8SaeQb+X1h0wc7pJk5G2mcJ4qgKn
82nMAEfR25TQYuWFuKFBHCAZU7k+ObHQ9Rt4RE6EUhf/1/a/wkegcyNmh0Ctgc7M
0GETLF5WSGKbXRvc5jqpa7F/J2WQth8NJxjPg1PFSsM+quPZUTVU
-----END CERTIFICATE-----
manifests:
- type: all
url: https://virt-exportproxy.kubevirt/api/export.kubevirt.io/v1beta1/namespaces/test-mk/virtualmachineexports/mk-test/external/manifests/all
- type: auth-header-secret
url: https://virt-exportproxy.kubevirt/api/export.kubevirt.io/v1beta1/namespaces/test-mk/virtualmachineexports/mk-test/external/manifests/secret
volumes:
- formats:
- format: raw
url: https://virt-exportproxy.kubevirt/api/export.kubevirt.io/v1beta1/namespaces/test-mk/virtualmachineexports/mk-test/volumes/mk-test-root-volume/disk.img
- format: gzip
url: https://virt-exportproxy.kubevirt/api/export.kubevirt.io/v1beta1/namespaces/test-mk/virtualmachineexports/mk-test/volumes/mk-test-root-volume/disk.img.gz
name: mk-test-root-volume
internal:
cert: |-
-----BEGIN CERTIFICATE-----
MIIBhzCCAS6gAwIBAgIIAhefFh9aIqkwCgYIKoZIzj0EAwIwKDEmMCQGA1UEAwwd
ZXhwb3J0Lmt1YmV2aXJ0LmlvQDE3NjYzOTAwNzEwHhcNMjUxMjIyMDc1NDMxWhcN
MjUxMjI5MDc1NDMxWjAoMSYwJAYDVQQDDB1leHBvcnQua3ViZXZpcnQuaW9AMTc2
NjM5MDA3MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABO3X9sYkYZabk9FD0DhR
qYb/ShThy11SjMUunZ4HfJeQC23rC+VPtiQeWQERO/P4/E/qJidPUswWcs+U4Z/s
2gejQjBAMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRsbCthCSuU4fnPH9Ay9cCjWkStXTAKBggqhkjOPQQDAgNHADBEAiBPEWVgoWkG
sEDL/rJBH8KIC/UMiIe/vJEBFaGOr4plHwIgYAWh1w2sFssNkN6H6IbZCv1YDrQK
nMbiNxwbVb8VmpQ=
-----END CERTIFICATE-----
manifests:
- type: all
url: https://virt-export-mk-test.test-mk.svc/internal/manifests/all
- type: auth-header-secret
url: https://virt-export-mk-test.test-mk.svc/internal/manifests/secret
volumes:
- formats:
- format: raw
url: https://virt-export-mk-test.test-mk.svc/volumes/mk-test-root-volume/disk.img
- format: gzip
url: https://virt-export-mk-test.test-mk.svc/volumes/mk-test-root-volume/disk.img.gz
name: mk-test-root-volume
phase: Ready
serviceName: virt-export-mk-test
tokenSecretRef: export-token-mk-test
ttlExpirationTime: "2025-12-23T19:37:25Z"
virtualMachineName: mk-test
kind: List
metadata:
resourceVersion: ""
And the pod's configmap:
[root@FHCSY-POD1-P0F0-PM-OS01-CUBE-M-001 ~]# kubectl get cm -nkonveyor-forklift plan-migration-test-vm1-e21d3aaa-7fdf-4e7a-b97e-ab3292b213twq2z -oyaml
apiVersion: v1
data:
ca.pem: |-
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgIUDDFJXfyzhRcw3I77UXY9nGqR3y8wDQYJKoZIhvcNAQEL
BQAwHDEaMBgGA1UEAwwRTWlncmF0aW9uLVJvb3QtQ0EwHhcNMjUxMjIzMDczMTA2
WhcNMjYxMjIzMDczMTA2WjAkMSIwIAYDVQQDDBl2aXJ0LWV4cG9ydHByb3h5Lmt1
YmV2aXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyvgQcipq1/3l
1ARcPLqxqHnzSC/3ZqS/ZK67I2EBybSloN8hHYZbwV2ZSJ7pgQVZ88BCEzuHS+AW
wPZPFs2POM7hFGeNnwwVLCgf5AezickwkWfb0uPaYOgL9v0Td63plw0mpV98gS02
I8Jrmi/Vcrzv2NRYmLYRu+RYqCcUWQVV7FUCXSnxxKQgrUshAObNCuEObrgwdlq0
InZmugliyE2X28XGjirP9Oh/K7owEIPiwuKC3i1DtzywdxTZu75B6vIL97zj5aeI
4wghB/cmpqtyZfZ107746N3Iji65ifivNPThjmCnXxumJO6CGzt3s8XKONei5Npn
p82JLodzhwIDAQABo1UwUzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDATBgNVHSUE
DDAKBggrBgEFBQcDATAkBgNVHREEHTAbghl2aXJ0LWV4cG9ydHByb3h5Lmt1YmV2
aXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAYFjNq3yrHhgnvWtTfBv1WV2tMrA/rrFNm
i2LlWVRuln8imFJYQWSonsX6cYL9ltDDcBrBHYU5PCDej7a1K9BYhwkQVeftCnVz
HZTMFgUrM3L45/c9z7oqQ3VVM6okNozdO69KnkVWT3xZ1i0ggaLQ6aYMVmxTlEuF
Ty55DfJ6bFs3DMD02MRKWG5Of1VsHnVu3cCh8SaeQb+X1h0wc7pJk5G2mcJ4qgKn
82nMAEfR25TQYuWFuKFBHCAZU7k+ObHQ9Rt4RE6EUhf/1/a/wkegcyNmh0Ctgc7M
0GETLF5WSGKbXRvc5jqpa7F/J2WQth8NJxjPg1PFSsM+quPZUTVU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgIUDDFJXfyzhRcw3I77UXY9nGqR3y8wDQYJKoZIhvcNAQEL
BQAwHDEaMBgGA1UEAwwRTWlncmF0aW9uLVJvb3QtQ0EwHhcNMjUxMjIzMDczMTA2
WhcNMjYxMjIzMDczMTA2WjAkMSIwIAYDVQQDDBl2aXJ0LWV4cG9ydHByb3h5Lmt1
YmV2aXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyvgQcipq1/3l
1ARcPLqxqHnzSC/3ZqS/ZK67I2EBybSloN8hHYZbwV2ZSJ7pgQVZ88BCEzuHS+AW
wPZPFs2POM7hFGeNnwwVLCgf5AezickwkWfb0uPaYOgL9v0Td63plw0mpV98gS02
I8Jrmi/Vcrzv2NRYmLYRu+RYqCcUWQVV7FUCXSnxxKQgrUshAObNCuEObrgwdlq0
InZmugliyE2X28XGjirP9Oh/K7owEIPiwuKC3i1DtzywdxTZu75B6vIL97zj5aeI
4wghB/cmpqtyZfZ107746N3Iji65ifivNPThjmCnXxumJO6CGzt3s8XKONei5Npn
p82JLodzhwIDAQABo1UwUzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDATBgNVHSUE
DDAKBggrBgEFBQcDATAkBgNVHREEHTAbghl2aXJ0LWV4cG9ydHByb3h5Lmt1YmV2
aXJ0MA0GCSqGSIb3DQEBCwUAA4IBAQAYFjNq3yrHhgnvWtTfBv1WV2tMrA/rrFNm
i2LlWVRuln8imFJYQWSonsX6cYL9ltDDcBrBHYU5PCDej7a1K9BYhwkQVeftCnVz
HZTMFgUrM3L45/c9z7oqQ3VVM6okNozdO69KnkVWT3xZ1i0ggaLQ6aYMVmxTlEuF
Ty55DfJ6bFs3DMD02MRKWG5Of1VsHnVu3cCh8SaeQb+X1h0wc7pJk5G2mcJ4qgKn
82nMAEfR25TQYuWFuKFBHCAZU7k+ObHQ9Rt4RE6EUhf/1/a/wkegcyNmh0Ctgc7M
0GETLF5WSGKbXRvc5jqpa7F/J2WQth8NJxjPg1PFSsM+quPZUTVU
-----END CERTIFICATE-----
kind: ConfigMap
metadata:
creationTimestamp: "2025-12-23T07:38:57Z"
generateName: plan-migration-test-vm1-e21d3aaa-7fdf-4e7a-b97e-ab3292b213a9-
labels:
migration: 02988d03-5f9c-4877-99e3-bc0db94a1750
plan: 1bf1756d-e652-4318-9e3b-8da143d5606f
resource: vm-config
vmID: e21d3aaa-7fdf-4e7a-b97e-ab3292b213a9
name: plan-migration-test-vm1-e21d3aaa-7fdf-4e7a-b97e-ab3292b213twq2z
namespace: konveyor-forklift
resourceVersion: "35189551"
uid: fb30840d-731d-481a-8914-80c4b6b9f28e
[root@FHCSY-POD1-P0F0-PM-OS01-CUBE-M-001 ~]# kubectl get dv -nkonveyor-forklift -oyaml
apiVersion: v1
items:
- apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
annotations:
cdi.kubevirt.io/storage.bind.immediate.requested: "true"
cdi.kubevirt.io/storage.deleteAfterCompletion: "false"
forklift.konveyor.io/disk-source: test-mk/mk-test-root-volume
migration: 02988d03-5f9c-4877-99e3-bc0db94a1750
plan: 1bf1756d-e652-4318-9e3b-8da143d5606f
resource: vm-config
vmID: e21d3aaa-7fdf-4e7a-b97e-ab3292b213a9
creationTimestamp: "2025-12-23T07:38:57Z"
generation: 26
labels:
migration: 02988d03-5f9c-4877-99e3-bc0db94a1750
plan: 1bf1756d-e652-4318-9e3b-8da143d5606f
resource: vm-config
vmID: e21d3aaa-7fdf-4e7a-b97e-ab3292b213a9
name: mk-test-root-volume
namespace: konveyor-forklift
resourceVersion: "35198085"
uid: 4eb3bc9a-674a-415e-80cb-b5bd84e2ba4a
spec:
source:
http:
certConfigMap: plan-migration-test-vm1-e21d3aaa-7fdf-4e7a-b97e-ab3292b213twq2z
secretExtraHeaders:
- plan-migration-test-vm1-e21d3aaa-7fdf-4e7a-b97e-ab3292b213bfxr4
url: https://virt-exportproxy.kubevirt/api/export.kubevirt.io/v1beta1/namespaces/test-mk/virtualmachineexports/mk-test/volumes/mk-test-root-volume/disk.img.gz
storage:
resources:
requests:
storage: 20Gi
storageClassName: rbd-ssd
status:
claimName: mk-test-root-volume
conditions:
- lastHeartbeatTime: "2025-12-23T07:39:02Z"
lastTransitionTime: "2025-12-23T07:39:02Z"
message: PVC mk-test-root-volume Bound
reason: Bound
status: "True"
type: Bound
- lastHeartbeatTime: "2025-12-23T07:55:22Z"
lastTransitionTime: "2025-12-23T07:38:57Z"
status: "False"
type: Ready
- lastHeartbeatTime: "2025-12-23T07:55:22Z"
lastTransitionTime: "2025-12-23T07:55:22Z"
message: "Unable to connect to http data source: Get "https://virt-exportproxy.kubevirt/api/export.kubevirt.io/v1beta1/namespaces/test-mk/virtualmachineexports/mk-test/volumes/mk-test-root-volume/disk.img.gz\":
x509: certificate signed by unknown authority HTTP request errored kubevirt.io/containerized-data-importer/pkg/importer.createHTTPReader
\tpkg/importer/http-datasource.go:326 kubevirt.io/containerized-data-importer/pkg/importer.NewHTTPDataSource
\tpkg/importer/http-datasource.go:100 main.newDataSource \tcmd/cdi-importer/importer.go:255
main.handleImport \tcmd/cdi-importer/importer.go:173 main.main \tcmd/cdi-importer/importer.go:143
runtime.main \tGOROOT/src/runtime/proc.go:250 runtime.goexit \tGOROOT/src/runtime/asm_amd64.s:1571"
reason: Error
status: "False"
type: Running
phase: ImportInProgress
progress: N/A
restartCount: 8
kind: List
metadata:
resourceVersion: ""
Additional context:
Furthermore, it also has requirements regarding domain names.
[root@FHCSY-POD1-P0F0-PM-OS01-CUBE-M-001 ~]# kubectl logs importer-mk-test-root-volume -nkonveyor-forklift
I1223 07:16:35.180382 1 importer.go:104] Starting importer
I1223 07:16:35.181270 1 importer.go:171] begin import process
I1223 07:16:35.232621 1 http-datasource.go:239] Attempting to get certs from /certs/ca.pem
E1223 07:16:40.253996 1 importer.go:324] Get "https://vmexport-proxy.test.com/api/export.kubevirt.io/v1beta1/namespaces/test-mk/virtualmachineexports/mk-test/volumes/mk-test-root-volume/disk.img.gz": x509: certificate is valid for virt-exportproxy, virt-exportproxy.kubevirt, virt-exportproxy.kubevirt.svc, virt-exportproxy.kubevirt.svc.cluster.local, not vmexport-proxy.test.com
HTTP request errored
kubevirt.io/containerized-data-importer/pkg/importer.createHTTPReader
pkg/importer/http-datasource.go:326
kubevirt.io/containerized-data-importer/pkg/importer.NewHTTPDataSource
pkg/importer/http-datasource.go:100
main.newDataSource
cmd/cdi-importer/importer.go:255
main.handleImport
cmd/cdi-importer/importer.go:173
main.main
cmd/cdi-importer/importer.go:143
runtime.main
GOROOT/src/runtime/proc.go:250
runtime.goexit
GOROOT/src/runtime/asm_amd64.s:1571
Environment:
- CDI version (use
kubectl get deployments cdi-deployment -o yaml): N/A - Kubernetes version (use
kubectl version): N/A - DV specification: N/A
- Cloud provider or hardware configuration: N/A
- OS (e.g. from /etc/os-release): N/A
- Kernel (e.g.
uname -a): N/A - Install tools: N/A
- Others: N/A