search

jfrog / jenkins-jfrog-plugin

Easy integration between Jenkins and the JFrog Platform.
https://github.com/jfrog/jenkins-jfrog-plugin
Apache License 2.0
39 stars 17 forks source link

Add Support for Self-Signed SSL Certificates #51

Open RRHex opened 1 year ago

RRHex commented 1 year ago

Is your feature request related to a problem? Please describe.

In the normal JFrog CLI, you can use a self-signed SSL certificate for authenticating to the server by adding the cert to the '.jfrog/security/certs' folder (Documentation here)

In the old artifactory plugin, it used the 'cacerts' file from Java, where we could add our cert. Using this plugin, there is no way to specify our certificate, and we can't authenticate with our server:

The following error was received while trying to encrypt your password: Get "<SERVER_URL>/artifactory/api/security/encryptedPassword": x509: certificate signed by unknown authority

Describe the solution you'd like to see

I would like to see a configuration option for adding our self-signed certificate, or the ability to manually add it to a location on our nodes where it could be read.

Describe alternatives you've considered

No response

Additional context

No response

harbulot commented 1 year ago

Have you tried to install you custom CA certificate as a trusted certificate on your system (and on the JRE running Jenkins)?

For example, on Debian/Ubuntu systems, copy your cert (with .crt extension) under /usr/local/share/ca-certificates and run update-ca-certificates (as root or with sudo). You'll need the ca-certificates and ca-certificates-java packages.

CentOS has a very similar system: https://unix.stackexchange.com/questions/456475/adding-a-root-certification-authority-to-a-java-application

RRHex commented 1 year ago

In this instance, we're running on a Windows 10 node.

But yes, the certificate has been added to the system and the JRE running Jenkins. For the Artifactory plugin, the JRE worked, but that's not the case here.

For user installations of the JFrog CLI, certs are required to be added to the '.jfrog/security/certs' folder. In this case, the CLI install path is put in a temporary directory at runtime, so that doesn't seem to work.

alexkara86 commented 9 months ago

@harbulot We have the same issue with our jenkins nodes running on macos.

Environment jenkins server version: 2.401.3 jfrog plugin for jenkins version: 1.5.0 osx version: Ventura 13.4 jdk version: openjdk version "11.0.20" 2023-07-18

Error The following error was received while trying to encrypt your password: Get "<SERVER_URL>/artifactory/api/security/encryptedPassword": x509: certificate signed by unknown authority

I have added Artifactory server's internally signed certificate in the machines keychain, in the keystore of the JDK used by the jenkins node and also in ~/.jfrog/security/certs as its documented by jfrog.

When I run the jf command directly from the node's terminal I face no problem. When I run the same command from a jenkins pipeline using the plugin I get the error I copied above.

Can you please let me know if this plugin as is supports certificates signed by an internal CA ? Its interesting that for us its working fine for windows and ubuntu nodes but not for macOS. Is it a limitation that only affects macOS nodes?