X509: certificate signed by unknown authority

Noticed on the Internet that there seems to be a new satellite available. Restarted node. It seems there are no new satellites available.

I get this error upon every startup, don’t see anything on the forum about it, does it have anything to do with it? Why does it happen?

WARN trust Failed to fetch URLs from source; used cache {"source": "https://tardigrade.io/trusted-satellites", "error": "HTTP source: Get https://tardigrade.io/trusted-satellites: x509: certificate signed by unknown authority", "errorVerbose": "HTTP source: Get https://tardigrade.io/trusted-satellites: x509: certificate signed by unknown authority\n\tstorj.io/storj/storagenode/trust.(*HTTPSource).FetchEntries:63\n\tstorj.io/storj/storagenode/trust.(*List).fetchEntries:90\n\tstorj.io/storj/storagenode/trust.(*List).FetchURLs:49\n\tstorj.io/storj/storagenode/trust.(*Pool).fetchURLs:240\n\tstorj.io/storj/storagenode/trust.(*Pool).Refresh:177\n\tstorj.io/storj/storagenode.(*Peer).Run:696\n\tmain.cmdRun:200\n\tstorj.io/private/process.cleanup.func1.4:343\n\tstorj.io/private/process.cleanup.func1:361\n\tgithub.com/spf13/cobra.(*Command).execute:840\n\tgithub.com/spf13/cobra.(*Command).ExecuteC:945\n\tgithub.com/spf13/cobra.(*Command).Execute:885\n\tstorj.io/private/process.ExecWithCustomConfig:86\n\tstorj.io/private/process.ExecCustomDebug:68\n\tmain.main:320\n\truntime.main:203"}

In case this has nothing to do with it, why do I not see the new satellite on the SNOBoard?

Check if your identity folder has 6 files and your node has the correct path to it.

This isn’t about the identity, but rather the certificate used on the https://tardigrade.io/trusted-satellites page. It uses the let’s encrypt certificate authority. It might be that your certificate store doesn’t include it. I guess this is a relatively new CA.

I don’t know what OS you use, but I’d google how to update the trusted CA list on your OS.


Let’s Encrypt is fairly old now… it came out with the Snowden information dump. It should be included in all certificate stores for all updated OSes…

Let’s Encrypt certs are free and are all domain validated which renew automatically every 3 months in the default configuration.

I use Let’s Encrypt on all my non-business domains. Business domains might require a higher level cert depending on the services being processed. Banking domains typically deploy EV certs, and browsers display the “green” bar…

However, the “green” bar is only as useful as the weakest CA on the planet… Thus, enter in the sometimes controversial DNSSEC… but few browsers check DNSSEC…

In short, the CA system is broken by design, long live CAs.

For further reading:

All very true, though slightly off topic.

Can you think of any other reason the CA would be unknown though?


But, the Let’s Encrypt root certs can be manually added to the OSs cert store…

Just download them here

And find the instructions for whichever OS the OP is using…

1 Like

Ah (Stor)geez, looks like I’ll be fiddling with certificates again. Nothing ever works as it should. It’s a complete system, FreeNAS, it should have these things included by default.

Thanks for the tip.

I had to use pkg install ca_root_nss, that got it working.

You want to add this to the FreeNAS instructions, for others, after the FreeNAS instructions become available.