Request / Upload TLS-Certificate

I use NS8 (latest) and was not able to generate a request or upload a cert. The msg was something went wrong…

P.S. it would be nice to have the ability to find out the NS8 version (core, …) for maintenance and debug errors.

?? Software Center / Core Apps

2 Likes

Aha, sorry…

1 Like

When a Task fails, you can find additional information in the notification details

I think the TLS Certificates page needs some UI improvements, but you’d already find the missing information in the notification details.

3 Likes

Not possible, the error msg disappears after a second and there is no notification…

You should also find the error in the traefik logs.

2025-03-19T20:15:32+01:00 [1:traefik1:agent@traefik1] task/module/traefik1/0d17885b-770b-41db-b9eb-eb340dfd03f2: upload-certificate/21validate_certificates is starting
2025-03-19T20:15:33+01:00 [1:traefik1:traefik] 10.0.8.6 - - [19/Mar/2025:19:15:33 +0000] “GET /cluster-admin/api/module/traefik1/task/0d17885b-770b-41db-b9eb-eb340dfd03f2/context HTTP/2.0” 200 4010 “-” “-” 1157 “cluster-admin-https@file” “http://127.0.0.1:9311” 28ms
2025-03-19T20:15:33+01:00 [1:traefik1:agent@traefik1] error 20 at 0 depth lookup: unable to get local issuer certificate
2025-03-19T20:15:33+01:00 [1:traefik1:agent@traefik1] error uploaded_cert: verification failed

You need to upload a certificate including the chain of certificates:

A few weeks ago it worked perfectly well for me:

I generated a CSR on the NS8 OS (Debian 12) and signed it on my Windows RootCA. The last step was to upload the certs for each app…

The “toast notifications” disappear after a few seconds, then they can be found under the menu with the bell icon.

If you want to use a custom CA be prepared: you’re entering a world of exceptions! In the Traefik README you can find how to disable the certificate chain validation. GitHub - NethServer/ns8-traefik: NS8 Traefik configuration

2 Likes

You could add the Windows CA root/intermediate certs to the trusted cert store on the host. This is the preferred way IMO as you can just upload the certs as you did before without disabling any verification in ns8-traefik.

Export the CA certs, see also Export Root Certification Authority Certificate - Windows Server | Microsoft Learn

Save the cert(s) to /etc/pki/ca-trust/source/anchors/ (Rocky) or /usr/local/share/ca-certificates/ (Debian)

Update the trusted certs on Rocky

update-ca-trust

or Debian:

update-ca-certificates

The other methods to upload a self-signed certificate are to allow self-signed certs or to disable verification completely so that the full certificate chain is not needed.

Allow self-signed certs:

Add the certificate chain to the cert by exporting the CA certs and putting them together into one cert file, as explained here: Export trusted client CA certificate chain for client authentication - Azure Application Gateway | Microsoft Learn

Edit the environment file

runagent -m traefik1 nano environment
UPLOAD_CERTIFICATE_VERIFY_TYPE=selfsign

Now it should be possible to upload the self-signed-cert including the root/intermediate certs.

Disable verification: (NOT recommended)

To be able to upload certs without verification and without needing the full certificate chain, set it to “none”.

UPLOAD_CERTIFICATE_VERIFY_TYPE=none

1 Like
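
The chain failure in the log above ("error 20 at 0 depth lookup: unable to get local issuer certificate") is the text `openssl verify` prints when it cannot find a certificate's issuer, so a bundle can be checked the same way before uploading it. This is an added example, not part of any post in this thread and not NS8's own code; it assumes the `openssl` CLI is installed, and the root, issuing CA and leaf (including the name `ns8.example.test`) are constructed throwaway test data.

```shell
#!/bin/sh
# Added example: all keys, subjects and file names are constructed throwaway test data.

# gen_csr DIR NAME CN: create NAME.key and NAME.csr in DIR.
gen_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_test_pki DIR: root CA -> issuing CA -> leaf, standing in for a private two-tier CA.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
    gen_csr "$1" root "Example Test Root CA" &&
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -days 1 -out "$1/root.pem" 2>/dev/null &&
    gen_csr "$1" issuing "Example Test Issuing CA" &&
    openssl x509 -req -in "$1/issuing.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ca.ext" -days 1 -out "$1/issuing.pem" 2>/dev/null &&
    gen_csr "$1" leaf "ns8.example.test" &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/issuing.pem" -CAkey "$1/issuing.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# check_bundle BUNDLE [ROOT]: verify the first certificate in BUNDLE, using the other
# certificates in it as untrusted intermediates. Trust ROOT if given, otherwise the
# host CA store (what update-ca-certificates / update-ca-trust maintain).
check_bundle() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$1" "$1" 2>&1
    else
        openssl verify -untrusted "$1" "$1" 2>&1
    fi
}

demo() {
    t=$(mktemp -d) || return 1
    make_test_pki "$t" || { rm -rf "$t"; return 1; }
    cat "$t/leaf.pem" "$t/issuing.pem" > "$t/fullchain.pem"
    echo "1) leaf only, root trusted:"
    check_bundle "$t/leaf.pem" "$t/root.pem" && echo "=> accept" || echo "=> reject"
    echo "2) leaf + issuing CA, root trusted:"
    check_bundle "$t/fullchain.pem" "$t/root.pem" && echo "=> accept" || echo "=> reject"
    echo "3) leaf + issuing CA, root missing from the trust store:"
    check_bundle "$t/fullchain.pem" && echo "=> accept" || echo "=> reject"
    rm -rf "$t"
}
demo
```

Only case 2 is accepted: the bundle has to carry the intermediate, and the root has to be trusted by whatever performs the check.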

Yes, that was the solution for me, thank you!

1 Like