Remote Ignition File Error: x509 certificate signed by unknown authority

I am trying to use a remote ignition file to help provision a CoreOS image. However, when it attempts to download the ignition file, it errors out saying:

x509: certificate signed by unknown authority

How do I get around this error? Here is the stanza of the local ignition file that tries to download the remote ignition file:
{
  "ignition": {
    "config": {
      "replace": {
        "source": "https://traefik.myserver.com/ignition.json",
        "verification": {}
      }
    },
    "security": {
      "tls": {}
    },
    "timeouts": {},
    "version": "3.0.0"
  }
}

You can configure custom CAs in the ignition.security.tls.certificateAuthorities section.

Thanks for the quick response. What does that consist of? I am using a Comodo Certificate, so shouldn’t that certificate supplier already be a recognized authority? If not, then how do I configure it to recognize a Comodo SSL certificate?

Also, it is not possible to use fcct to create these ign files. For instance, when I try to use the exact example for retrieving a remote Ignition file via http, which I copied verbatim from https://docs.fedoraproject.org/en-US/fedora-coreos/fcct-config/, I get this error:

$ sudo su -c 'docker run -i --rm quay.io/coreos/fcct:release --pretty --strict < remotereplace.fcc > remotereplace.ign'
Error translating config: yaml: unmarshal errors:
  line 6: cannot unmarshal !!seq into v0_1.ConfigReference
  line 12: cannot unmarshal !!seq into v0_1.Verification

Yup, those examples were just fixed earlier today. Try again with the FCC that’s on the page now?

Ok, the new example can be successfully transpiled into a json file, thanks for updating that. However, I still get an x509 certificate error when I attempt to load the remote ignition file. What do I have to do to get this to work? This is the current fcc file that I used:

variant: fcos
version: 1.0.0
ignition:
  config:
    replace:
      source: https://traefik.mycompany.com/ignition.json
  security:
    tls:
      certificate_authorities:
        - source: https://curl.haxx.se/ca/cacert.pem
          verification:
            hash:

During the boot phase, I can see that it reaches out to haxx.se to get the PEM file, but it still gives me the x509 error when it goes to retrieve the remote ignition file.

OR, is there a better way to secure the transmission of the config file?
Is there any way to secure it using a key or password or something?

@eightup - is it possible you are hitting this bug? https://github.com/coreos/ignition/issues/931

Looks like there is an option to use a hash for verification when using http as the transport: https://docs.fedoraproject.org/en-US/fedora-coreos/fcct-config/#_examples.

variant: fcos
version: 1.0.0
ignition:
  config:
    replace:
      source: http://example.com/sample.ign
      verification:
        hash: sha512-e2bb19fdbc3604f511b13d66f4c675f011a63dd967b97e2fe4f5d50bf6cb224e902182221ba0f9dd87c0bb4abcbd2ab428eb7965aa7f177eb5630e7a1793e2e6
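Added example, not from the thread or from Ignition's own code: an illustrative reimplementation of how the `verification.hash` value is produced and checked, so a config served over plain http is still pinned to known bytes. The remote `ignition.json` content and the URL are constructed sample values.

```python
import hashlib
import hmac
import json
import re

# Ignition 3.0.0 (the spec version used in this thread) accepts only
# "sha512-<128 hex chars>" in verification.hash.
HASH_RE = re.compile(r"^sha512-([0-9a-f]{128})$")


def ignition_hash(data: bytes) -> str:
    """Return the verification.hash string for the exact bytes that will be served."""
    return "sha512-" + hashlib.sha512(data).hexdigest()


def verify_fetched_config(data: bytes, expected: str) -> bool:
    """Accept fetched bytes only if they match a well-formed sha512 verification string."""
    m = HASH_RE.fullmatch(expected.strip().lower())
    if m is None:  # unsupported algorithm or malformed digest: refuse, never fall back
        return False
    return hmac.compare_digest(hashlib.sha512(data).hexdigest(), m.group(1))


def replace_stanza(url: str, data: bytes) -> dict:
    """Build the ignition.config.replace object that pins `url` to `data`."""
    return {"ignition": {"version": "3.0.0",
                         "config": {"replace": {"source": url,
                                                "verification": {"hash": ignition_hash(data)}}}}}


# Constructed sample of the remote ignition.json that the local config hands off to.
SAMPLE_REMOTE_IGN = json.dumps({"ignition": {"version": "3.0.0"}}).encode()

if __name__ == "__main__":
    stanza = replace_stanza("http://example.com/ignition.json", SAMPLE_REMOTE_IGN)
    pinned = stanza["ignition"]["config"]["replace"]["verification"]["hash"]
    print(json.dumps(stanza, indent=2))
    # The served bytes verify; the same file with one extra trailing newline does not,
    # so hash the file exactly as the web server will deliver it.
    print(verify_fetched_config(SAMPLE_REMOTE_IGN, pinned))
    print(verify_fetched_config(SAMPLE_REMOTE_IGN + b"\n", pinned))
```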