bmoers / sn-cicd

CICD Server for Service-Now
GNU Lesser General Public License v3.0

Error During Project Setup #73

Open nci-snow-cicd opened 3 years ago

nci-snow-cicd commented 3 years ago

An error is being encountered related to certificate validation at project setup. Error logs shown below:

[18:27:36.164] [ERROR] [2664] [/worker#Fh0RJQ1ejjKBQFxzAAAB] PROMISE JOB ERROR: Job 'projectSetup' { type: 'exe', name: 'projectSetup', options: { build: { requestor: [Object] }, atf: { updateSetOnly: false }, updateSet: '1db3fd101b41281494edddb6bc4bcb6a', application: { id: 'bfb3a72c1b94641094edddb6bc4bcb2a', name: 'MyCICDTestApp', organization: 'company' }, git: { repository: 'x_g_nci_mycicdtest', remoteUrl: null, enabled: true, pullRequestEnabled: true }, host: { name: 'https://service-sandbox.xxx.xxx/' } }, host: 'ncias-d2371-c', id: 'bb5861f3-4db6-4fe8-b3b8-fd0dfb8df731', emitter: { _events: {}, _eventsCount: 2 }, created: 1607470055957, completed: null, workerId: '/worker#Fh0RJQ1ejjKBQFxzAAAB', result: undefined, error: undefined } { Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:636:8) code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
[18:27:36.217] [LOG] [5464] /worker#Fh0RJQ1ejjKBQFxzAAAB is done (/worker/done) with job: bb5861f3-4db6-4fe8-b3b8-fd0dfb8df731 Type: exe
[18:27:36.217] [ERROR] [5464] Job failed on worker { id: 'bb5861f3-4db6-4fe8-b3b8-fd0dfb8df731', type: 'exe', host: 'ncias-d2371-c', platform: 'win32', background: undefined } %j { name: 'RequestError', message: 'Error: unable to verify the first certificate', cause: { stack: 'Error: unable to verify the first certificate\n at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)\n at TLSSocket.emit (events.js:198:13)\n at TLSSocket._finishInit (_tls_wrap.js:636:8)', message: 'unable to verify the first certificate',

bmoers commented 3 years ago

Is the CICD server running behind a company firewall (e.g. with a custom root certificate), and what is the host on which the cert issue occurs?

nci-snow-cicd commented 3 years ago

The CICD server is running on an EC2 instance in a private cloud, and yes, there is a network firewall in place before hitting the private cloud environment. It has always been running on it all this time; I started to see this issue yesterday and was wondering which certificate could be causing the issue, or if there is a cert that already expired on the host running the CICD server, or if a new cert needs to be deployed. The host running the CICD server (ncias-d2371-c) is having the problem. When I click build the application, the call is being made to the CICD server and it fails right there at project setup with the cert issue.

bmoers commented 3 years ago

Is the issue during calls made from projectSetup to ServiceNow, e.g. during getUpdateSetDetails()? Please share more details from the logs before the error occurs. The certs used within the CICD server for the event bus or the web UI are valid till "Jun 20 07:43:29 2292 GMT", so this should not be the problem. Try to curl to the ServiceNow host from the cmd line to debug.

nci-snow-cicd commented 3 years ago

To answer the first question: I believe that is the case; it is failing at the very initial step, when the call is made from projectSetup to ServiceNow getUpdateSetDetails().

$ curl https://service-sandbox.xxx.xxx.xxx
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

However, if I curl an https site like https://www.amazon.com or https://www.google.com I don't get the certificate error. Are we missing an updated CA cert for the instance to be downloaded onto the CICD server? Didn't have to do any of that before; and if it's required to be loaded, where shall this be loaded if the CICD server is running on a Windows host?

bmoers commented 3 years ago

Would be interesting to know why that cert is invalid. Do you know the CA of the cert of https://service-sandbox.xxx.xxx.xxx? The CA root cert must be either officially supported or, if custom, imported (google e.g. "install custom certificate windows 10").