DiUS / pact_broker-docker

'Dockerised' pact broker
http://pact.io
MIT License

Pact Broker SSL Certificates for Webhooks #74

Closed davidkgp closed 6 years ago

davidkgp commented 6 years ago

Pre issue-raising checklist

I have already (please mark the applicable with an x):

I am facing issues with triggering webhooks from inside the broker. Currently the webhook link has a corporate certificate, so if I try with config `config.disable_ssl_verification = true` it gives me HTTP 400.

And if I try to trigger the webhook with `config.disable_ssl_verification = false`: `Error executing webhook OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=error: certificate verify failed`.

I have the corporate certificates, but I am not sure where I should add the certificates.

A curl from inside the docker to the webhook is successful, but when triggered from within the pact broker it fails on pact publish.

mefellows commented 6 years ago

In the first scenario (verification disabled), an HTTP 400 is unrelated to certificates. Are you sure it's not another issue? What does the response contain?

Also see the section in https://github.com/pact-foundation/pact_broker/wiki/Configuration#webhook-whitelists for how to add custom certs to the system.

bethesque commented 6 years ago

Closing due to lack of response - please feel free to reopen with more information if you are still facing this issue @davidkgp

davidkgp commented 6 years ago

@bethesque the issue is solved. The script was not working for me, but would work for a lot of people, as I was lacking a few dependencies for the script. But I would like to point out, for a few users who may have faced a similar issue, that the certificate chain (PEM format) for the webhook (in case of using a corporate CI) has to be put into the content column of the certificates table in the pact broker database. Before execution of the webhook these certificates are loaded into the trust store by the broker and the webhook executed. It would be really nice if this can be part of the documentation because most people will be working in a corporate SSL env.
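A pre-flight check for the PEM chain described in the comment above, as an added example that is not part of the thread or the Pact Broker code base: it parses the bundle and confirms that a trust store built only from it verifies the webhook server's certificate, so verification can stay enabled. The helper names, subjects and certificates are constructed for illustration, and the store logic is an approximation of the behaviour the comment describes, not the broker's implementation.

```ruby
require "openssl"

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Split a PEM bundle into certificates; a malformed block raises
# OpenSSL::X509::CertificateError, which is what you want before a DB insert.
def parse_pem_chain(pem)
  pem.scan(PEM_BLOCK).map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Trust only the certificates in the bundle (no system CAs) and check that
# the webhook server's certificate verifies against them.
def chain_trusts?(pem, server_cert)
  certs = parse_pem_chain(pem)
  return false if certs.empty?
  store = OpenSSL::X509::Store.new
  certs.each { |cert| store.add_cert(cert) }
  store.verify(server_cert)
rescue OpenSSL::X509::CertificateError
  false
end

# Helper for the constructed sample data below: issue a short-lived certificate.
def issue(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new
    .create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Constructed sample: a throwaway "corporate" CA, a CI server certificate it
# issued, and an unrelated CA. None of these come from the issue thread.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue("/CN=Example Corp Root CA", CA_KEY, ca: true)
CI_KEY = OpenSSL::PKey::RSA.new(2048)
CI_CERT = issue("/CN=ci.example.internal", CI_KEY, issuer: CA_CERT, issuer_key: CA_KEY)
OTHER_CA = issue("/CN=Unrelated CA", OpenSSL::PKey::RSA.new(2048), ca: true)

puts "corporate chain trusts CI cert: #{chain_trusts?(CA_CERT.to_pem, CI_CERT)}"
puts "unrelated CA trusts CI cert:    #{chain_trusts?(OTHER_CA.to_pem, CI_CERT)}"
```

A `false` result for the real chain usually means the bundle is missing the issuing CA or an intermediate, which is the same condition that produces `certificate verify failed` at webhook time.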

bethesque commented 6 years ago

Thanks @davidkgp. I assume the script did not work for you because you ran it on an environment that did not have ruby or mysql?

I will update the docs to make this clearer, and explain how to add it without the script.

I really need to create an endpoint for adding the certificates - it just hasn't gotten to the top of the priority list yet.

bethesque commented 6 years ago

I've just added a brief section here @davidkgp https://github.com/pact-foundation/pact_broker/wiki/Configuration#webhook-ssl-certificates

davidkgp commented 6 years ago

Two points I'd like to be highlighted in the documentation if possible

bethesque commented 6 years ago

What is a better term for the type of certificate @davidkgp? I will add the info about the table.

mefellows commented 6 years ago

That's the very definition of a self-signed certificate. You have your own CA, which you use to sign and then issue your own certificates.