vmware-archive / pcfdev

This is the deprecated version of PCF Dev - please visit the current GitHub repository https://github.com/cloudfoundry-incubator/cfdev for the latest updates
Apache License 2.0

x509: certificate signed by unknown authority #373

Closed guptaavi closed 5 years ago

guptaavi commented 5 years ago

Running PCFDev 1.2.0 on Windows 10 under Hyper-V.

cf dev start -f C:\pcfdev-v1.2.0-windows.tgz

Able to start successfully and login. However, the app manager is not running.

I verified using 'cf a' but the apps-manager-js-green app is in the 'stopped' state.

Looking at the logs, I see the following error:

cf logs --recent apps-manager-js-green

   2019-05-14T19:01:26.68-0700 [STG/0] OUT -----> Staticfile Buildpack version 1.4.39
   2019-05-14T19:01:26.68-0700 [STG/0] OUT -----> Installing nginx
   2019-05-14T19:01:26.68-0700 [STG/0] OUT        Using nginx version 1.15.8
   2019-05-14T19:01:26.68-0700 [STG/0] OUT -----> Installing nginx 1.15.8
   2019-05-14T19:01:26.68-0700 [STG/0] OUT        Download [https://buildpacks.cloudfoundry.org/dependencies/nginx-static/nginx-1.15.8-linux-x64-cflinuxfs3-6f865593.tgz]
   2019-05-14T19:01:26.88-0700 [STG/0] OUT        **ERROR** Unable to install nginx: Get https://buildpacks.cloudfoundry.org/dependencies/nginx-static/nginx-1.15.8-linux-x64-cflinuxfs3-6f865593.tgz: x509: certificate signed by unknown authority
   2019-05-14T19:01:26.88-0700 [STG/0] ERR Failed to compile droplet: Failed to run all supply scripts: exit status 14
   2019-05-14T19:01:26.89-0700 [STG/0] OUT Exit status 223

This error only happens if I am logged into our corporate network. If I disconnect from the company network then everything works fine.

Where do I add my firewall certificate files (.pem, .crt) to get rid of this error? I tried adding them to the Hyper-V VM under /usr/share/ca-certificates but this error still shows up.

Any help would be appreciated.

Thanks!

cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

aemengo commented 5 years ago

@guptaavi The process is fairly involved and requires understanding of the BOSH ecosystem.

If you'd like to append a certificate to the certificate store inside of the application container, the canonical way is to modify the cflinuxfs3-rootfs.trusted_certs property of the cflinuxfs3-rootfs-setup job in the Cloud Foundry manifest. You could perform the operation in the following way:

$ cf dev bosh env | Invoke-Expression # Login to BOSH
$ bosh deployments # Find the deployment name of CF (should look like 'cf-123abd....')
$ bosh -d <cf-deployment-name> manifest > cf.yml # Output the configuration to a new file 'cf.yml'

# insert the contents of the appended ca.crt file to cflinuxfs3-rootfs.trusted_certs

$ bosh -d <cf-deployment-name> deploy cf.yml

For more information on the process you can look here: https://docs.cloudfoundry.org/running/trusted-system-certificates.html. For more information on BOSH you can look here: https://bosh.io/docs/
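The manual "insert the contents of ca.crt" step above, scripted as an added example (not part of the original thread or of PCF Dev): it refuses anything that is not a CA certificate, then appends the PEM to `trusted_certs` of every `cflinuxfs3-rootfs-setup` job without duplicating an entry. It assumes the standard BOSH manifest layout (`instance_groups[].jobs[].properties`) and accepts `trusted_certs` as either a string or a list, since the thread does not show which form PCF Dev uses; `append_trusted_cert`, `constructed_cert` and the sample manifest are hypothetical names and constructed data.

```ruby
require "yaml"
require "openssl"
JOB  = "cflinuxfs3-rootfs-setup" # job name given in the thread
PROP = "cflinuxfs3-rootfs"       # parent key of trusted_certs
# Append a PEM CA certificate to trusted_certs of every JOB in a BOSH manifest.
# Returns [updated_manifest_yaml, number_of_jobs_changed].
def append_trusted_cert(manifest_yaml, pem)
  cert = OpenSSL::X509::Certificate.new(pem) # raises on malformed input
  ca = cert.extensions.any? { |e| e.oid == "basicConstraints" && e.value.include?("CA:TRUE") }
  raise ArgumentError, "not a CA certificate: #{cert.subject}" unless ca
  pem = cert.to_pem # normalised PEM encoding
  manifest = YAML.safe_load(manifest_yaml)
  changed = 0
  manifest.fetch("instance_groups", []).each do |group|
    group.fetch("jobs", []).select { |j| j["name"] == JOB }.each do |job|
      props = ((job["properties"] ||= {})[PROP] ||= {})
      current = props["trusted_certs"]
      next if Array(current).any? { |c| c.include?(pem.strip) } # already trusted
      props["trusted_certs"] =
        current.is_a?(Array) ? current + [pem] : [current, pem].compact.join("\n")
      changed += 1
    end
  end
  [YAML.dump(manifest), changed]
end

# Constructed throwaway self-signed certificate, used only for the demo input.
def constructed_cert(cn, ca:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

SAMPLE = <<~MANIFEST # constructed manifest, not PCF Dev's real one
  instance_groups:
  - name: example-cell
    jobs:
    - name: cflinuxfs3-rootfs-setup
      properties: {cflinuxfs3-rootfs: {trusted_certs: "((existing_ca.certificate))"}}
MANIFEST
puts append_trusted_cert(SAMPLE, constructed_cert("Constructed Corp Root", ca: true)) if __FILE__ == $PROGRAM_NAME
```

For real use, pass the contents of the `cf.yml` written by `bosh -d <cf-deployment-name> manifest` and the root CA of the inspecting proxy, write the returned YAML back to `cf.yml`, and then run the `bosh deploy` step.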

guptaavi commented 5 years ago

@aemengo Thank you so much for the tips. It worked! Finally I can start using PCFDev :) Just one more question...is there any way to make this permanent? Or will I have to perform these steps every time I do a cf dev start/stop? Thank you!

aemengo commented 5 years ago

@guptaavi Unfortunately, there's no way to make this permanent. You will have to perform these steps every time you do a cf dev start/stop. This is by design to allow users to return back to a "working" state no matter how much experimentation has been done, as was done in your case.