Support custom CA for SSL communication #30
Comments
|
I have -- unfortunately -- no idea how a custom set of CAs might be handled. I think, Concourse CI itself implemented a bit of dark magic around CAs and resources a while back... Can't remember any details right now, though.... |
|
I played around with this a little bit and I believe taking the CA certificate as an input parameter like nulldriver/maven-resource@26d48ad will help mitigate the SSL issue. I think this will help,
|
|
I think the attempt with the Java Keystore/Truststore might work indeed. But... So... See https://concourse-ci.org/implementing-resources.html#resource-certs for further details. |
|
Hello, We are trying the the same thing but to no avail. &sonar-scan Are we missing something? The needed cert is placed in the jre certs of (nulldriver/mvn) and also on the server itself. |
|
Ok... I understand, that your SonarQube instance uses HTTPS but the certificate is (probably) self-signed. You will have to start your Concourse Worker instances that spawn the concourse-sonarqube-instance with the correct paramteres then. Folloing is an excerpt from If the worker is started with Most likeley, this certificate would have to be converted by the resource itself (thus: put stuff in a key store / cert store which can be read by Java),... (the Docker image that we are using already ships a script called "update-ca-certificates" which would probably have to be called prior to perfoming any other steps in check/in/out...) This solution however is much more robust than extending the input parameters of the resource itself to pass in a custom CA certificate. |
|
Aaah, but we start it with a docker-compose.yml file. We can use an environment property called CONCOURSE_CERTS_DIR=/etc/ssl/certs, but this one is completely ignored i think. concourse: We added the crt to the /etc/ssl/certs of the main machine (host). |
|
Ok. Seems to be an issue with the Just tried the following command: concourse quickstart --help 2>&1 |grep certs-dirThe invocation yields exactly 0 result. :-( |
|
Just got a response from Vito (maintainer of Concourse CI). As far as I can tell, there is no way to set this via environment variable, so you will have to modify your docker-compose unit and add a command line flat. |
|
thanks for the help! will try it now. One question though, how do i add such a arg? If i remember correctly, docker compose only accepts anv properties right? |
|
I added the command --worker-cert-dir=/etc/ssl/certs. Lets see if this works! |
|
Somehow setting this command still does not fix the PKIX issue we have. ' sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' I also added a script that puts the .der file with the keytool command on the host worker but to no avail. |
|
I suppose, the certificate will still have to be converted into Java Keystore/Truststore format then... I'll try to look into it... |
|
so for now it is not possible to use this certificate? (we do it manually now by running keytool import within a build.sh thats being run by the concourse worker) |
|
aaah, in regards to what @febinrejoe said, does that mean i have to alter the additional proeprties of the runner so thst the keystore points to the host? - &sonar-scan
put: code-analysis
params: &sonar-scan-params
scanner_type: maven
maven_settings_file: /root/.m2/settings.xml
project_key: ###
project_path: ./git
sources:
- src/main
tests:
- src/test
additional_properties: &sonar-scan-properties
sonar.java.binaries: ../build-output/classes
sonar.junit.reportPaths: ../build-output/surefire-reports
sonar.jacoco.reportPaths: ../build-output/jacoco.exec
sonar.projectName: '###'sonar.keystore ### ? |
|
@headcr4sh I have the fix, I just need to clean up the code a little. I can create the PR sometime this week. |
|
@febinrejoe amazing! that would be awesome |
|
is there any update on this issue? |
|
Trying to add Sonarqube into our pipeline and ran into this same issue. Was there a workaround to the issue? Another option that I have seen implemented on resources is to set the insecure flag on the curl requests. |
|
An Anyone willing to submit a patch? |
|
For future people, a possible work around is to create a derivative of this docker image and in a new layer, add your certificate authorities to the java trust store using keytool as well as to the linux store using /usr/sbin/update-ca-certificates. I am doing this now with much success in an enterprise environment. Maybe not the best solution but it gets the job done. |
|
After reading about the CURL_CA_BUNDLE environment variable at https://curl.haxx.se/docs/sslcerts.html I am beginning to noodle a fix for this. It would involve declaring trusted CAs in the source definition and those CAs would be dynamically added to the Java trust store in out and the CURL_CA_BUNDLE set in in and check. With an array of certificates this may be possible to have many. CURL_CAL_BUNDLE should be able to support multiple certificates in the same file. |
|
Any updates on this? |
We are having issues connecting to our sonar and didn't know the best practice for providing our own CA. We have seen the maven resource add support for a custom certificate for a repository: nulldriver/maven-resource@26d48ad We also had in the past followed the work around done when concourse started clobbering the certs that come with a container. Now I wonder if we are presenting a new use case or maybe I am just missing something in order to configure a custom CA.
The text was updated successfully, but these errors were encountered: