jenkinsci / gitlab-branch-source-plugin

A Jenkins Plugin for GitLab Multibranch Pipeline jobs and Folder Organization
https://plugins.jenkins.io/gitlab-branch-source
MIT License

Self Signed Certificate is not trusted #263

Open LukasTinnesSajo opened 1 year ago

LukasTinnesSajo commented 1 year ago

Jenkins and plugins versions report

Environment
```text
Jenkins: 2.379
OS: Linux - 5.4.0-132-generic
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 20.04.5

Reproduction steps

I don't think I can provide anything reproducible I'm afraid.

Expected Results

After adding a GitLab project in a multibranch Pipeline, the pipelines can be run correctly.

Actual Results

Git cannot clone the project into the local workspace. Unfortunately, the git command fails with the following error code:

```text
Caused by: hudson.plugins.git.GitException: Command "/opt/gitlab/embedded/bin/git fetch --no-tags --force --progress -- https://s[URL]/[project].git +refs/heads/development:refs/remotes/origin/development" returned status code 128:
stderr: fatal: unable to access 'https://[URL]/[project].git/': SSL certificate problem: self signed certificate in certificate chain
```

Anything else?

I can't quite understand how this might happen.

In my git config, globally as well as locally under /opt/gitlab/embedded/bin/git, I checked and found an http.sslcai entry referencing the correct certificate. Also, https.sslverify is false. SSL verification should be disabled in any case.

Furthermore, I checked the JVM on which my Jenkins and GitLab are running. The self-signed certificate is also imported in the cacerts of that JVM.

In any case, it should either ignore SSL altogether and not throw this error, or trust the connection, since the certificate is in the JVM truststore.

Does the plugin use a custom .gitconfig somewhere on the machine that I am not aware of?

Turiok commented 1 year ago

Hi @LukasTinnesSajo

To get more logs, can you add this environment variable on the node: GIT_CURL_VERBOSE=1? It didn't work if the variables were declared in the Jenkinsfile.

Do you use a Docker installation? And the ssh-agent image?

This is my installation and I had the same error. This is because the agent didn't have certificates.

I mount the certificates on my host and it works.
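
One way to check which TLS settings command-line git will actually honour on the controller or agent, as an added example that is not part of the issue thread or the plugin's code. It parses `git config --list --show-origin` output (run as the Jenkins user in the job workspace) and flags disabled verification, configured CA bundles, and keys placed in a non-existent `https.*` section; the sample input, file paths and the host `gitlab.example` are constructed.

```shell
#!/bin/sh
# Added example (not from the issue thread). Reads the output of
#   git config --list --show-origin
# on stdin and reports the TLS settings git's HTTP transport will use.
audit_git_tls() {
    awk -F '\t' '
    {
        origin = $1
        eq  = index($2, "=")
        raw = (eq ? substr($2, 1, eq - 1) : $2)
        val = (eq ? substr($2, eq + 1) : "true")   # bare key means true
        key = tolower(raw)
        if (key ~ /^http\.(.*\.)?sslverify$/) {
            v = tolower(val)
            if (v == "false" || v == "no" || v == "off" || v == "0")
                printf "WEAK    %s disables verification [%s]\n", raw, origin
            else
                printf "OK      %s=%s [%s]\n", raw, val, origin
        } else if (key ~ /^http\.(.*\.)?sslca(info|path)$/) {
            printf "CA      %s=%s [%s]\n", raw, val, origin
        } else if (key ~ /^https\./) {
            printf "IGNORED %s: git has no https.* section, use http.* [%s]\n", raw, origin
        }
    }'
    # Environment variables of the git process override the config files.
    if [ -n "${GIT_SSL_NO_VERIFY+x}" ]; then
        echo "WEAK    GIT_SSL_NO_VERIFY is set [environment]"
    fi
    if [ -n "${GIT_SSL_CAINFO:-}" ]; then
        echo "CA      GIT_SSL_CAINFO=$GIT_SSL_CAINFO [environment]"
    fi
}

# Constructed sample input (paths, host and values are illustrative).
sample_config() {
    printf 'file:/etc/gitconfig\thttp.sslcainfo=/etc/ssl/certs/internal-ca.pem\n'
    printf 'file:/home/jenkins/.gitconfig\thttps.sslverify=false\n'
    printf 'file:.git/config\thttp.https://gitlab.example/.sslverify=false\n'
    printf 'file:.git/config\tremote.origin.url=https://gitlab.example/group/project.git\n'
}

sample_config | audit_git_tls
```

Command-line git is a native process, so it takes CA trust from these settings, the environment and the system CA bundle rather than from the JVM `cacerts` store. Pointing `http.sslCAInfo` at the internal CA keeps verification on, which `http.sslVerify=false` does not.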