Problem
cert-manager upgrade may fail in a NetBackup CloudScale setup because a private proxy server replaces the certificate chain received from quay.io with one signed by an internal self-signed CA certificate
Error Message
Error in cert-manager pod events:
Events:
Type Reason Age From Message
--- ---- -- -- ------
Normal Scheduled 6m56s default-scheduler Successfully assigned cert-manager/cert-manager-7dd8c669df-lnjd6 to aks-testpool
Normal Pulling 3m54s (x5 over 6m56s) kubelet Pulling image "quay.io/jetstack/cert-manager-controller:v1.13.3"
Warning Failed 3m54s (x5 over 6m55s) kubelet Failed to pull image "quay.io/jetstack/cert-manager-controller:v1.13.3": failed to pull and unpack image "quay.io/jetstack/cert-manager-controller:v1.13.3": failed to resolve reference "quay.io/jetstack/cert-manager-controller:v1.13.3": failed to do request: Head "https://quay.io/v2/jetstack/cert-manager-controller/manifests/v1.13.3": tls: failed to verify certificate: x509: certificate signed by unknown authority
Warning Failed 3m54s (x5 over 6m55s) kubelet Error: ErrImagePull
Normal BackOff 107s (x21 over 6m54s) kubelet Back-off pulling image "quay.io/jetstack/cert-manager-controller:v1.13.3"
Warning Failed 107s (x21 over 6m54s) kubelet Error: ImagePullBackOff
Error when trying to download the cert-manager-controller image from quay.io from within the Azure managed system node:
# wget https://quay.io/jetstack/cert-manager-controller:v1.13.3
--2025-10-28 03:49:40--  https://quay.io/jetstack/cert-manager-controller:v1.13.3
Resolving quay.io (quay.io)... 54.165.14.67, 3.91.111.150, 54.85.152.241, ...
Connecting to quay.io (quay.io)|54.165.14.67|:443... connected.
ERROR: cannot verify quay.io's certificate, issued by 'CN=Internal-CA-Issuer,O=MyCompany Name,ST=Some-State,C=XX':
Self-signed certificate encountered.
To connect to quay.io insecurely, use `--no-check-certificate'.
Cause
The error occurs because the Azure Kubernetes node is behind a corporate proxy or firewall that performs TLS inspection (man-in-the-middle). The proxy terminates the TLS connection to quay.io and re-encrypts it with a certificate issued by an internal CA (Internal-CA-Issuer).
wget (and any tool that uses the system trust store, including the kubelet and its container runtime when pulling images) rejects the connection because the internal CA is not trusted by default.
The Azure managed nodes (aks-mgmsysmpool-xxxxxxxx-vmss00000*) reach the internet through a proxy that replaces the certificate chain received from quay.io with one signed by an internal self-signed CA certificate.
Solution
Nodes on which cert-manager is deployed should have direct connectivity to quay.io, bypassing the internal proxy.
If the proxy cannot be bypassed, please contact Cohesity Technical Support.
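The following shell script is an added diagnostic for the cause described above and for confirming the fix; it is an example and not part of this article or of any NetBackup or Cohesity tooling. It captures the handshake that openssl s_client reports for quay.io from the node, reads the "Verify return code" and the leaf certificate's issuer, and checks whether the chain ends in a self-signed CA that the node does not trust. The function names and the two sample handshake outputs are constructed for this example; the intercepted sample is modelled on the issuer shown in the wget error above.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the article): tell a TLS-inspecting proxy
# apart from a trusted chain using the output of `openssl s_client`.
# Function names and the SAMPLE_* outputs below are constructed for this example.

# Live probe (needs network): capture the handshake with quay.io as this node sees it.
probe_host() {
  # $1: hostname, e.g. quay.io
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1
}

# Classify captured s_client output by its "Verify return code" line:
#   trusted   - the chain verified against the node's trust store
#   untrusted - verification failed (or no result); look at leaf_issuer to see why
classify_chain() {
  code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  if [ "$code" = 0 ]; then echo trusted; else echo untrusted; fi
}

# Issuer of the depth-0 (leaf) certificate, i.e. the CA that signed the quay.io
# certificate as presented to this node. An internal CA here means the chain was
# rewritten in transit.
leaf_issuer() {
  printf '%s\n' "$1" | awk '/^ *0 s:/ { getline; sub(/^ *i:/, ""); print; exit }'
}

# Exit 0 when the last certificate in the presented chain is self-signed
# (subject equals issuer). Legitimate servers may also send their public root, so
# this only indicates interception together with an "untrusted" classification.
chain_root_self_signed() {
  printf '%s\n' "$1" | awk '
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); s = $0 }
    /^ *i:/        { sub(/^ *i:/, "");        i = $0 }
    END { exit ((s == i) ? 0 : 1) }'
}

# Combine the checks into a verdict; returns 0 when no action is needed.
diagnose() {
  out="$1"
  if [ "$(classify_chain "$out")" = trusted ]; then
    echo "chain trusted by the node: no interception on the path to quay.io"
    return 0
  fi
  echo "chain NOT trusted; leaf issuer: $(leaf_issuer "$out")"
  if chain_root_self_signed "$out"; then
    echo "chain ends in a self-signed CA outside the node trust store: TLS-inspecting proxy likely"
  fi
  return 1
}

# Constructed sample: what an intercepted handshake looks like (issuer taken from the
# article's wget error; OpenSSL verify code 19 = self-signed certificate in chain).
SAMPLE_INTERCEPTED='CONNECTED(00000003)
depth=1 CN = Internal-CA-Issuer, O = MyCompany Name, ST = Some-State, C = XX
verify error:num=19:self-signed certificate in certificate chain
---
Certificate chain
 0 s:CN = quay.io
   i:CN = Internal-CA-Issuer, O = MyCompany Name, ST = Some-State, C = XX
 1 s:CN = Internal-CA-Issuer, O = MyCompany Name, ST = Some-State, C = XX
   i:CN = Internal-CA-Issuer, O = MyCompany Name, ST = Some-State, C = XX
---
    Verify return code: 19 (self-signed certificate in certificate chain)
---'

# Constructed sample: a chain that verifies (issuer name is a placeholder, not quay.io's real CA).
SAMPLE_OK='Certificate chain
 0 s:CN = quay.io
   i:C = US, O = Example Public CA, CN = Example Issuing CA
---
    Verify return code: 0 (ok)
---'

# Demo on the constructed sample; on a node, use: diagnose "$(probe_host quay.io)"
if diagnose "$SAMPLE_INTERCEPTED"; then
  echo "no action needed"
else
  echo "route quay.io around the proxy for the cert-manager nodes, then re-run this check"
fi
```

Run the script on the affected node before and after the proxy bypass: a "trusted" verdict with a public CA as leaf issuer confirms that the node now receives quay.io's own chain, which is the condition the kubelet needs for the image pull to succeed.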