Closed rrileyca closed 2 years ago
I have resolved this.

As per Concourse documentation, certificate propagation is done by default in the BOSH deployment but not in the helm chart.

The helm chart must include (assuming the `worker.certsPath` is `/etc/ssl/certs`):

```yaml
worker:
  certsPath: /etc/ssl/certs
  env:
    - name: CONCOURSE_CERTS_DIR
      value: /etc/ssl/certs
```

Edit: Added link to documentation
Question: How can you use a Git Resource through a TLS MITM/proxy?
We have a corporate firewall that does TLS inspection (`github.com` is effectively signed by a custom CA). Any task with a `git-resource` fails with the error (redacted repo/project name):

I have tried:

- `secrets.githubCaCert`
- `secrets.workerAdditionalCerts`
- `/etc/ssl/certs` by using a volume mount and a secret
- `/usr/local/share/ca-certificates` by using a volume mount and a secret
- editing the `/etc/ssl/certs/ca-certificates.crt` file while the container is running

I have verified the certificate signature I am adding is valid using the CA bundle from the log and also the certificate as a standalone:

```
openssl s_client -connect github.com:443 -servername github.com -CAfile /etc/ssl/certs/ca-certificates.crt
openssl s_client -connect github.com:443 -servername github.com -CAfile /etc/ssl/certs/my-custom-cert.pem
```

Curiously, without specifying a `-CAfile`, the `openssl s_client -connect` fails with a `Verify return code: 21 (unable to verify the first certificate)` error.

Additionally, if I look inside the `/concourse-work-dir/volumes/live/${UUID}/volume/etc/ssl/certs/` folders, none of my certs are in here, including the ones provided in the `secrets.workerAdditionalCerts` value.
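A check for the last point above (whether the custom CA actually reached the worker's certs directory), as an added example that is not from this issue or the concourse-chart project: it compares SHA-256 fingerprints of the certificates in a custom CA PEM file against everything found under a directory such as the `worker.certsPath`, using only the standard library. The `demo()` paths and PEM bodies are constructed placeholders, not real certificates.

```python
# Added example (not the issue's or concourse-chart's code); stdlib only.
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text: str) -> set[str]:
    """SHA-256 fingerprints (hex) of every certificate in a PEM blob."""
    out = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line breaks, decode DER
        out.add(hashlib.sha256(der).hexdigest())
    return out


def missing_from_bundle(custom_ca_pem: str, bundle_pem: str) -> set[str]:
    """Fingerprints of custom CA certs absent from a bundle such as ca-certificates.crt."""
    return fingerprints(custom_ca_pem) - fingerprints(bundle_pem)


def missing_cas(custom_ca_pem: str, certs_dir: Path) -> set[str]:
    """Same check over every .pem/.crt/.cer file under the worker certs dir."""
    bundle = ""
    for path in certs_dir.rglob("*"):
        if path.is_file() and path.suffix in {".pem", ".crt", ".cer"}:
            bundle += path.read_text(errors="ignore")
    return missing_from_bundle(custom_ca_pem, bundle)


def make_pem(payload: bytes) -> str:
    """Wrap bytes as a PEM block (constructed, not a real certificate)."""
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


def demo() -> set[str]:
    """Constructed scenario: the corporate CA never reached the worker dir."""
    with tempfile.TemporaryDirectory() as tmp:
        certs_dir = Path(tmp)
        (certs_dir / "ca-certificates.crt").write_text(
            make_pem(b"public-root-1") + make_pem(b"public-root-2"))
        return missing_cas(make_pem(b"corporate-mitm-ca"), certs_dir)
```

Run it against the certs path as seen from inside a task container (the `CONCOURSE_CERTS_DIR` value from the resolution) rather than on the worker host; an empty result means every custom CA is present.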