aznfs mount does not work on Azure China cloud due to cert rejected issue #278

@andyzhangx

mount.aznfs version: 0.3.15

I tried to use mount aznfs manually on the following Ubuntu node on Azure China with EncryptionInTransit enabled, but it failed with the following error due to a cert rejected issue:

uname -a

Linux aks-sys-13702987-vmss000000 5.15.0-1096-azure #105-Ubuntu SMP Fri Aug 29 15:44:42 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

mkdir /tmp/test
mount -v -t aznfs -o vers=4,minorversion=1,sec=sys f120618d2aa4140039707e1.file.core.chinacloudapi.cn:/f120618d2aa4140039707e1/pvcn-e1271d79-de32-44c5-a904-475c2ce1393f /tmp/test

Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27186]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27187]: Service [40.73.81.200] accepted connection from 127.0.0.1:41154
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27187]: s_connect: connecting 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27187]: s_connect: connected 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27187]: Service [40.73.81.200] connected remote server from 10.224.0.5:42486
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27187]: SNI: sending servername: 40.73.81.200
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27187]: Peer certificate required
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG4[27187]: CERT: Pre-verification error: unable to get local issuer certificate
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG4[27187]: Rejected by CERT at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Basic RSA CN CA G2
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG3[27187]: SSL_connect: ../ssl/statem/statem_clnt.c:1883: error:0A000086:SSL routines::certificate verify failed
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27187]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27188]: Service [40.73.81.200] accepted connection from 127.0.0.1:41156
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27188]: s_connect: connecting 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27188]: s_connect: connected 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27188]: Service [40.73.81.200] connected remote server from 10.224.0.5:42498
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27188]: SNI: sending servername: 40.73.81.200
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27188]: Peer certificate required
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG4[27188]: CERT: Pre-verification error: unable to get local issuer certificate
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG4[27188]: Rejected by CERT at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Basic RSA CN CA G2
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG3[27188]: SSL_connect: ../ssl/statem/statem_clnt.c:1883: error:0A000086:SSL routines::certificate verify failed
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27188]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27189]: Service [40.73.81.200] accepted connection from 127.0.0.1:41164
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27189]: s_connect: connecting 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27189]: s_connect: connected 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27189]: Service [40.73.81.200] connected remote server from 10.224.0.5:42506
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27189]: SNI: sending servername: 40.73.81.200
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27189]: Peer certificate required
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG4[27189]: CERT: Pre-verification error: unable to get local issuer certificate
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG4[27189]: Rejected by CERT at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Basic RSA CN CA G2
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG3[27189]: SSL_connect: ../ssl/statem/statem_clnt.c:1883: error:0A000086:SSL routines::certificate verify failed
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27189]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27190]: Service [40.73.81.200] accepted connection from 127.0.0.1:41176
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27190]: s_connect: connecting 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27190]: s_connect: connected 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27190]: Service [40.73.81.200] connected remote server from 10.224.0.5:42512
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27190]: SNI: sending servername: 40.73.81.200
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27190]: Peer certificate required
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG4[27190]: CERT: Pre-verification error: unable to get local issuer certificate
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG4[27190]: Rejected by CERT at depth=1: C=US, O=DigiCert Inc, CN=DigiCert Basic RSA CN CA G2
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG3[27190]: SSL_connect: ../ssl/statem/statem_clnt.c:1883: error:0A000086:SSL routines::certificate verify failed
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27190]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27191]: Service [40.73.81.200] accepted connection from 127.0.0.1:41180
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27191]: s_connect: connecting 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27191]: s_connect: connected 40.73.81.200:2049
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG5[27191]: Service [40.73.81.200] connected remote server from 10.224.0.5:42518
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27191]: SNI: sending servername: 40.73.81.200
Nov 2 03:42:18 aks-user-13702987-vmss000000 stunnel: LOG6[27191]: Peer certificate required
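
An added triage example, not part of the original report or of the aznfs project's code: it groups stunnel lines like the ones above by connection id and counts certificate-verification failures by error, chain depth and rejected subject, so the CA that the trust store in use cannot chain stands out across many retries. The sample log is constructed (placeholder host, addresses, ids and CA subject), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the report's stunnel syslog format; every value is a placeholder.
SAMPLE_LOG = """\
Nov 2 03:42:18 node stunnel: LOG5[101]: Service [192.0.2.10] accepted connection from 127.0.0.1:41154
Nov 2 03:42:18 node stunnel: LOG4[101]: CERT: Pre-verification error: unable to get local issuer certificate
Nov 2 03:42:18 node stunnel: LOG4[101]: Rejected by CERT at depth=1: C=US, O=Example Inc, CN=Example Issuing CA
Nov 2 03:42:18 node stunnel: LOG3[101]: SSL_connect: ../ssl/statem/statem_clnt.c:1883: error:0A000086:SSL routines::certificate verify failed
Nov 2 03:42:18 node stunnel: LOG4[102]: CERT: Pre-verification error: unable to get local issuer certificate
Nov 2 03:42:18 node stunnel: LOG4[102]: Rejected by CERT at depth=1: C=US, O=Example Inc, CN=Example Issuing CA
Nov 2 03:42:18 node stunnel: LOG3[102]: SSL_connect: ../ssl/statem/statem_clnt.c:1883: error:0A000086:SSL routines::certificate verify failed
Nov 2 03:42:18 node stunnel: LOG5[103]: Service [192.0.2.10] accepted connection from 127.0.0.1:41164
Nov 2 03:42:18 node stunnel: LOG6[103]: Peer certificate required
"""

LINE = re.compile(r"stunnel: LOG\d\[(\d+)\]: (.*)$")
PATTERNS = {
    "service": re.compile(r"Service \[(.+?)\] accepted connection"),
    "error": re.compile(r"CERT: Pre-verification error: (.+)"),
    "rejected": re.compile(r"Rejected by CERT at depth=(\d+): (.+)"),
    "failed": re.compile(r"(certificate verify failed)"),
}

def parse_connections(text):
    """Group stunnel lines by the id in LOGn[id] and pull out the TLS verdict."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a stunnel line
        cid, msg = m.groups()
        rec = conns.setdefault(cid, {})
        for field, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                rec[field] = hit.groups() if field == "rejected" else hit.group(1)
    return conns

def summarize(conns):
    """Count verify failures per (error, depth, subject); list ids with no verdict."""
    failures, no_verdict = Counter(), []
    for cid, rec in conns.items():
        if "failed" in rec and "rejected" in rec:
            depth, subject = rec["rejected"]
            failures[(rec.get("error"), int(depth), subject)] += 1
        else:
            no_verdict.append(cid)  # truncated or still in progress
    return failures, no_verdict
```

Connections whose log ends before a verdict, like the last one in the report, are listed separately rather than counted as failures.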
