When configuring a certificate using set pki ca <NAME> certificate <CERT>, it should be added to the system trust store. Currently, it does not get added. You can see the cert is there:
trae@cr01a-vyos# show pki ca IPA.TRAE32566.ORG certificate
[edit]
OpenSSL shows the site to be working with this CA certificate (and it validates fine on other platforms):
trae@cr01a-vyos# echo -e '\n' | openssl s_client -connect artifacts.trae32566.org:443 | head -9
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
verify return:1
CONNECTED(00000007)
---
Certificate chain
DONE
 0 s:O = IPA.TRAE32566.ORG, CN = artifacts.trae32566.org
   i:O = IPA.TRAE32566.ORG, CN = Certificate Authority
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 19 06:29:59 2024 GMT; NotAfter: Aug 20 06:29:59 2026 GMT
---
Server certificate
Yet requests to it fail due to the system CA not being updated:
trae@cr01a-vyos# curl https://artifacts.trae32566.org/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[edit]
If I manually add the certificate to /usr/local/share/ca-certificates/<name>/ and then run update-ca-certificates, it works fine:
trae@cr01a-vyos# ls -alh /usr/local/share/ca-certificates/ipa.trae32566.org/
total 12K
drwxr-xr-x 2 root root 4.0K Oct 23 21:21 .
drwxr-xr-x 1 root root 4.0K Oct 23 21:21 ..
-rw-r--r-- 1 root root 1.7K Oct 23 21:21 ipa.trae32566.org.crt
[edit]
trae@cr01a-vyos# curl -I https://artifacts.trae32566.org/
HTTP/2 200
server: nginx
date: Thu, 24 Oct 2024 02:30:34 GMT
content-type: text/html
content-length: 8031
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
last-modified: Thu, 24 Oct 2024 02:30:34 GMT
pragma: no-cache
cache-control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
expires: 0
strict-transport-security: max-age=31536000; includeSubDomains; preload
Note: This is critical for services such as NTS, which uses SSL to verify NTP requests and must validate the certificate against the system trust store.
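The manual workaround described above, scripted as an added example (this is not VyOS project code and not the reporter's script). It assumes that `show pki ca <NAME> certificate` prints the CA as a single-line base64 body without the PEM BEGIN/END lines, which is the form `set pki ca <NAME> certificate <CERT>` accepts; the script wraps that body back into PEM, drops it under the ca-certificates "local" directory exactly as the reporter did, and refreshes the bundle. `CA_ROOT` is an override knob added here so the file-writing part can be exercised in a scratch directory; the real run needs root and the default path.

```sh
#!/bin/sh
# Added example, not from the VyOS project: install a CA from the VyOS
# pki config into the Debian system trust store by hand.
#
# Usage (as root, on the router):
#   ./install_ca.sh ipa.trae32566.org "$(show pki ca IPA.TRAE32566.ORG certificate)"
set -eu

# Destination root for local CAs. Overridable for testing (assumption made
# for this example); the real store is the Debian default below.
CA_ROOT="${CA_ROOT:-/usr/local/share/ca-certificates}"

# pem_wrap BASE64: turn a single-line base64 DER body (what the VyOS
# config stores, assumption) into PEM text on stdout, 64 chars per line.
pem_wrap() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s' "$1" | tr -d ' \n\r' | fold -w 64
    printf '\n%s\n' '-----END CERTIFICATE-----'
}

# install_ca NAME BASE64: write $CA_ROOT/NAME/NAME.crt (update-ca-certificates
# only picks up files with a .crt suffix) and print its path.
install_ca() {
    name=$1
    body=$2
    dir="$CA_ROOT/$name"
    mkdir -p "$dir"
    pem_wrap "$body" > "$dir/$name.crt"
    chmod 0644 "$dir/$name.crt"
    printf '%s\n' "$dir/$name.crt"
}

# ca_installed NAME: after update-ca-certificates, Debian symlinks every
# accepted .crt as /etc/ssl/certs/<NAME>.pem and appends it to the bundle.
ca_installed() {
    [ -e "/etc/ssl/certs/$1.pem" ] && \
        grep -q 'BEGIN CERTIFICATE' /etc/ssl/certs/ca-certificates.crt
}

# Only the full install path runs when invoked with NAME and BASE64.
if [ "$#" -eq 2 ]; then
    crt=$(install_ca "$1" "$2")
    # Sanity-check the PEM before touching the trust store.
    openssl x509 -in "$crt" -noout -subject -enddate
    update-ca-certificates
    if ca_installed "$1"; then
        echo "CA $1 is now in the system trust store"
    else
        echo "CA $1 was NOT accepted by update-ca-certificates" >&2
        exit 1
    fi
fi
```

After the run, `curl https://artifacts.trae32566.org/` and `openssl s_client -connect artifacts.trae32566.org:443` should both report the chain as verified without any `-CAfile` argument, since both read /etc/ssl/certs by default. Note that this is a workaround for the reported bug, not a fix: the file is outside the VyOS configuration tree and will not survive an image upgrade.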