concourse / concourse-chart

Helm chart to install Concourse
Apache License 2.0

GitHub Resource through TLS MITM proxy #293

Closed rrileyca closed 2 years ago

rrileyca commented 2 years ago

Question: How can you use a Git Resource through a TLS MITM/proxy?

We have a corporate firewall that does TLS inspection (github.com is effectively signed by a custom CA). Any task with a git-resource fails with the error (redacted repo/project name):

fatal: unable to access 'https://github.com/myrepo/myproject': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I have tried:

I have verified that the certificate signature I am adding is valid, using the CA bundle from the log and also the certificate as a standalone:

Curiously, without specifying a -CAfile, the openssl s_client -connect fails with the Verify return code: 21 (unable to verify the first certificate) error.

Additionally, if I look inside the /concourse-work-dir/volumes/live/${UUID}/volume/etc/ssl/certs/ folders, none of my certs are in here including the ones provided in the secrets.workerAdditionalCerts value.

rrileyca commented 2 years ago

I have resolved this.

As per Concourse documentation, certificate propagation is done by default in the BOSH deployment but not in the helm chart.

The helm chart must include (assuming the worker.certsPath is /etc/ssl/certs):

worker:
  certsPath: /etc/ssl/certs
  env:
    - name: CONCOURSE_CERTS_DIR
      value: /etc/ssl/certs

Edit: Added link to documentation