I am trying to connect Jenkins(version 2.121.2) running on AWS to an on-premise Atlassian Crowd Server (version 3.1.2) using Jenkin's crowd 2 Plugin. The Crowd server requires two-way SSL authentication.
Steps followed:
Import the Certificate chain of the Crowd server in to Java Trust store located at $JAVA_HOME/jre/lib/security/cacerts, so Jenkins trusts Crowd Server.
Create a keystore(JKS) with the private key and certificate for Client authentication in jenkins.
Modify jenkins startup parameters (/etc/default/jenkins) to use the Trust store and Keystore. I have tried both the variations as below.
Variation 1:
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.keyStore=/var/lib/jenkins/identity.jks
-Djavax.net.ssl.keyStorePassword=changeit"
Variation 2:
# JVM Arguments
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit"
# Jenkins arguments
JENKINS_ARGS="--webroot=/var/cache/$NAME/war
--httpPort=$HTTPS_PORT
--httpsKeyStore=/var/lib/jenkins/identity.jks
--httpsKeyStorePassword=changeit"
After filling up the details in the plugin configuration section in jenkins and trying to establish a connection, I receive a hand_shake failure in jenkins log. Information from the log,
The Server Hello passes, and provides a list of CA's that it trusts which shows the Atlassian crowd server. During jenkins startup, I can also see that it adds the certificate as trusted.
But when jenkins is responding to the verification from Crowd, it is not sending the client key/certificate from keystore. An excerpt of the log can be seen below.
CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country
ServerHelloDone
Warning: no suitable certificate found - continuing
without client authentication
Certificate chain <Empty>
I am not sure if this is possible using the Crowd2 Plugin or If I am doing something wrong. I had a look at this issue , but there is no definitive answer if this is possible or not.
Any help/direction is greatly appreciated.
So, The problem was due to Crowd 2 Jenkins Plugin. Version 2 of the plugin was recently released 3 months ago and I was using this. But, after downgrading the plugin to version 1.8, I was able to authenticate with the Crowd Server.
Related
I've been at this for a few days now with no luck. After traversing a plethora of GitLab documentation, whenever I try to register a runner on a server in my network (besides the server hosting GitLab), I receive this error:
ERROR: Registering runner... failed
runner=xxxxxxxx status=couldn't execute POST against https://gitlab_instance_url.com/api/v4/runners:
Post https://gitlab_instance_url.com/api/v4/runners: x509: certificate signed by unknown authority
PANIC: Failed to register the runner. You may be having network problems.
I have tried:
Creating private and public keys, a CSR, and getting a CA-signed certificate for the server I'm trying to register my runner on
Registering the runner using --tls-ca-file=path/to/cert
Creating a new server from scratch to register the runner
Creating a runner on the server GitLab is hosted on (this is the only one that works, but it defeats the purpose because I need to connect my CI/CD pipeline with a server other than the one hosting GitLab)
Other important detail:
I am not using Docker or Kubernetes, just vanilla GitLab Runner
Resources used:
gitlab-runner x509: certificate signed by unknown authority
https://docs.gitlab.com/runner/register/index.html
https://docs.gitlab.com/ee/api/runners.html#register-a-new-runner
https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/81#note_252326958
https://docs.gitlab.com/runner/configuration/tls-self-signed.html
https://docs.gitlab.com/runner/install/linux-repository.html
https://docs.gitlab.com/runner/install/linux-manually.html#using-debrpm-package
The only thing I can think of is that the server hosting GitLab has an expired CA certificate, even though the GitLab URL does have a valid certificate. Perhaps the reason I keep getting x509: certificate signed by unknown authority is because the server taking the requests has an expired certificate, and it halts the registration there. Does anyone know if this is the case, or could it be something else? I'm seriously running out of ideas.
Edit: The problem is not fixed, but it turns out I was mistaken and the server hosting GitLab did have a valid certificate, and I was able to create a runner with no issues on a different server, but not the server I spun up and added a CA certificate to. This leads me to believe that the server I spun up has some issue with certificate configuration. Currently investigating this.
Is it possible to use Kafka with SSL encryption but with no server verification nor client authentication?
I know that by default the latter is disabled, but is it possible to also disable the former?
I encountered the similar problem. Since kafka is a java process, it will load the default jdk certs when running, which is under /usr/local/jdk/jre/lib/security/cacerts. if your server is trusted there, (in my scenario, my kakfa server is MSK, and is trusted already), then you don't have to config all the keys and certs.
So all in all, I only added kafka config of security.protocol=SSL and it worked.
Good day.
I'm trying to realize integration Jenkis/Bitbucket Server/Jira Server.
All servers are working under SSL (Private PKI) with Peer authentication enabled.
So first step is to connect to BitBucket and it was successfull.
Everything i've done is added JVM_ARGS to jenkins
-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStore=/ssl/jenkins.p12
-Djavax.net.ssl.trustStore=/ssl/cacerts
-Djavax.net.ssl.keyStorePassword=JenkinsPassword1
-Djavax.net.ssl.trustStorePassword=changeit
So Jenkins authenticated on BitBucket.
After that i tried to connect Jenkins to JIRA. And without a success.
Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
All servers have certificates deployed under same CA chain.
All servers have that chain in trust store.
So i wonder what i'm doing wrong?
I've enbled SSL debug (javax.net.debug=ssl).
And saw follwing strings during jira site configuration validation:
Found trusted certificate: //So there is no problem with truststore.
....
....
Warning: no suitable certificate found - continuing without client authentication // WHY??
*** Certificate chain
<Empty>
***
But with bitbucket server it picks right certificate.
Double cheked everything, moreover, bitbucket server is working good.
Some dig in code i found that JIRA Plugins uses Attlasians Library, which is uses Apache HTTP Client. And i could not understand why HTTP Client not initializing keystore for JIRA Connection.
May be someone faced same problem? Any solution without rfactoring Plugin or libraries?
Any suggestions are welcome.
I'm using Jenkins 2.89.2 with Jira Plugin 2.5 /Bitbucket Server 5.3/ Jira 7.63
Jenkins running in docker.
PS: Skip Certificate Verification Plugin not an option. Peer authentication is mandatory.
I've setup and been managing a Puppet (enterprise 2016.1) instance with over 50 nodes. PE console uses self-signed certificate (https://<fully-qualified-domain-name>/) which is starting to get flagged down by the security audits and forcing me to update the cert. I'm trying to overwrite the self-signed certificate with a CA cert and also do a DNS binding so the URL is more user-friendly. I tried to follow Puppet article here (https://docs.puppet.com/pe/latest/custom_console_cert.html) but it broke my environment and made the console inaccessible. It's since been recovered using Azure backup.
If anybody ever carried out this activity, please would you let me know how I can go about it? Thanks.
We are running WebSphere Application Server v8.5 on AIX 7, which we configured to use ldap security. Everything is working fine, but project went halt for some time and our WAS was down. Now we see that ldap cerficates were expired, hence we are unable to connect to dmgr & admin console. Can somebody help to resolve it?
We know how to configure ldap on WAS, but dont no how to change expired ldap cerficate with new cerficates. (We received new non-expiry certificates from ldap team but dont no how to configure it on WAS).
You need to disable security, restart dmgr, replace certificates and reenable security.
To disable security:
stop/kill the dmgr
run the following from the dmgr\bin folder:
wsadmin -conntype NONE
At the wsadmin prompt, type securityoff and then type exit.
Restart your dmgr.
UPDATE
Do you have Federated or Standalone Ldap configured? You should have in LDAP configuration link to SSL configuration. There you will need to add your new certificate to the Signers store (this is very simplified description as I'm not sure which repository you are using).