I am having trouble claiming a node to my netdata cloud. I am running on Ubuntu 16.04. I see that there is a similar problem on CentOS. Although the fix might not be the same for my environment.
Agent is running fine.
I am unable to curl https://app.netdata.cloud due to the error: curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
I cannot reproduce the problem, I was able to claim an agent using Ubuntu 16.04. Could you please share the error message you’re receiving when executing the claiming command?
Just as a reminder:
It’s not needed to pass the --claim-url to the script (https://app.netdata.cloud will be used automatically).
If you want to claim your agent to the “All-nodes” room, then the --claim-rooms parameter is not necessary either, it will be claimed to that room automatically.
Part of the problem is that in September 2021, the DST Root CA X3 certificate expired (the older root CA that Let’s Encrypt certs were using). Old versions of OpenSSL and maybe other TLS libraries were affected.
There may be something on your system that prevents you from using the latest OpenSSL library. The latest version of the 16.04 backports repo works fine (that’s why I managed to claim an agent from an Ubuntu 16.04 container), but a lot of 16.04 software can’t use it.
I list some options, I think in ascending level of difficulty/risk, that you can try to fix the issue. Try the agent claiming process after trying each of them:
Upgrade all your system packages.
From the screenshot you provided above, it seems not all your packages are using the latest version. I suggest trying a system upgrade, to discard any versioning issue on your side. To update the system run:
apt-get update && apt-get upgrade
Reconfigure the ca-certificates package
Maybe the reason is that some application is still using the old Root CA cert to validate our domain. One option would be to remove the expired CA file from your trusted certificates. In order to do that, you can reconfigure the package ca-certificates by running:
dpkg-reconfigure ca-certificates
To the question “Trust new certificates from certificate authorities?” choose “yes”.
On the next screen, avoid selecting the DST_Root_CA_X3.pem certificate.
Use a static version of netdata
Another option would be to install a static version of netdata; you can find more information at Netdata’s learn site.
Use a more recent Ubuntu version
If after all the above it still doesn’t work, maybe the only option is to use a newer version of Ubuntu.
An alternative option (doable on the command line with sed for bootstrap scripts) is to edit /etc/ca-certificates.conf, add a ! before the DST_Root_CA_X3.pem and run update-ca-certificates.
The ! tells the program to remove the certificate from the list of authorized CAs.
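The edit described in the last reply, as an added example that is not part of the original posts: an idempotent shell function that prefixes the DST_Root_CA_X3 entry with ! and keeps a backup of the file. The function name `disable_ca`, the sample file contents and matching on the bare certificate name (whatever the file extension) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function name, arguments and sample data are assumptions.

# disable_ca CONF NAME
#   Prefix every active line of CONF that contains NAME with "!".
#   Lines already starting with "!" or "#" are skipped, so re-running is safe.
#   Returns 0 if CONF was changed, 1 if nothing needed changing, 2 on error.
disable_ca() {
    conf=$1
    name=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Nothing to do when no active (non-"!", non-"#") line mentions NAME.
    if ! grep -v '^[!#]' "$conf" | grep -q -F -- "$name"; then
        return 1
    fi

    # Keep a copy of the original, then rewrite from that copy.
    cp -p "$conf" "$conf.bak" || return 2
    awk -v n="$name" '
        /^[!#]/     { print; next }          # comment or already deselected
        index($0,n) { print "!" $0; next }   # deselect the matching entry
                    { print }
    ' "$conf.bak" > "$conf" || return 2
    return 0
}

# Demo on a constructed sample file (not a real system file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample in the layout of /etc/ca-certificates.conf
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
!mozilla/Example_Already_Disabled_CA.crt
EOF
disable_ca "$demo" DST_Root_CA_X3 && echo "changed:" && cat "$demo"
rm -f "$demo" "$demo.bak"

# On the affected host (as root), the same function would be used as:
#   disable_ca /etc/ca-certificates.conf DST_Root_CA_X3; update-ca-certificates
```

A return code of 1 on a second run means the entry was already deselected, which makes the function safe to call from a bootstrap script that runs repeatedly.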