We Keep Coding

Does my private server hosting GitLab need a valid CA certificate to register a runner on a separate server?

I've been at this for a few days now with no luck. After traversing a plethora of GitLab documentation, whenever I try to register a runner on a server in my network (besides the server hosting GitLab), I receive this error:
ERROR: Registering runner... failed
runner=xxxxxxxx status=couldn't execute POST against https://gitlab_instance_url.com/api/v4/runners:
Post https://gitlab_instance_url.com/api/v4/runners: x509: certificate signed by unknown authority
PANIC: Failed to register the runner. You may be having network problems.
I have tried:
Creating private and public keys, a CSR, and getting a CA-signed certificate for the server I'm trying to register my runner on
Registering the runner using --tls-ca-file=path/to/cert
Creating a new server from scratch to register the runner
Creating a runner on the server GitLab is hosted on (this is the only one that works, but it defeats the purpose because I need to connect my CI/CD pipeline with a server other than the one hosting GitLab)
Other important detail:
I am not using Docker or Kubernetes, just vanilla GitLab Runner
Resources used:
gitlab-runner x509: certificate signed by unknown authority
https://docs.gitlab.com/runner/register/index.html
https://docs.gitlab.com/ee/api/runners.html#register-a-new-runner
https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/81#note_252326958
https://docs.gitlab.com/runner/configuration/tls-self-signed.html
https://docs.gitlab.com/runner/install/linux-repository.html
https://docs.gitlab.com/runner/install/linux-manually.html#using-debrpm-package
The only thing I can think of is that the server hosting GitLab has an expired CA certificate, even though the GitLab URL does have a valid certificate. Perhaps the reason I keep getting x509: certificate signed by unknown authority is because the server taking the requests has an expired certificate, and it halts the registration there. Does anyone know if this is the case, or could it be something else? I'm seriously running out of ideas.
Edit: The problem is not fixed, but it turns out I was mistaken and the server hosting GitLab did have a valid certificate, and I was able to create a runner with no issues on a different server, but not the server I spun up and added a CA certificate to. This leads me to believe that the server I spun up has some issue with certificate configuration. Currently investigating this.

Jenkins 2 and Atlassian Crowd (crowd2 Plugin) Integration with two-way SSL

I am trying to connect Jenkins(version 2.121.2) running on AWS to an on-premise Atlassian Crowd Server (version 3.1.2) using Jenkin's crowd 2 Plugin. The Crowd server requires two-way SSL authentication.
Steps followed:
Import the Certificate chain of the Crowd server in to Java Trust store located at $JAVA_HOME/jre/lib/security/cacerts, so Jenkins trusts Crowd Server.
Create a keystore(JKS) with the private key and certificate for Client authentication in jenkins.
Modify jenkins startup parameters (/etc/default/jenkins) to use the Trust store and Keystore. I have tried both the variations as below.
Variation 1:
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.keyStore=/var/lib/jenkins/identity.jks
-Djavax.net.ssl.keyStorePassword=changeit"
Variation 2:
# JVM Arguments
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit"
# Jenkins arguments
JENKINS_ARGS="--webroot=/var/cache/$NAME/war
--httpPort=$HTTPS_PORT
--httpsKeyStore=/var/lib/jenkins/identity.jks
--httpsKeyStorePassword=changeit"
After filling up the details in the plugin configuration section in jenkins and trying to establish a connection, I receive a hand_shake failure in jenkins log. Information from the log,
The Server Hello passes, and provides a list of CA's that it trusts which shows the Atlassian crowd server. During jenkins startup, I can also see that it adds the certificate as trusted.
But when jenkins is responding to the verification from Crowd, it is not sending the client key/certificate from keystore. An excerpt of the log can be seen below.
CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country
ServerHelloDone
Warning: no suitable certificate found - continuing
without client authentication
Certificate chain <Empty>
I am not sure if this is possible using the Crowd2 Plugin or If I am doing something wrong. I had a look at this issue , but there is no definitive answer if this is possible or not.
Any help/direction is greatly appreciated.

So, The problem was due to Crowd 2 Jenkins Plugin. Version 2 of the plugin was recently released 3 months ago and I was using this. But, after downgrading the plugin to version 1.8, I was able to authenticate with the Crowd Server.

Spring Boot calling HTTPS endpoint

I've created a Spring Boot application that I'm running as a poor man's daemon to call another Java service on another tomcat instance. I'm getting an SSL error when connecting to the other Java service but if I hit the other service with something like SoapUi(or Postman) using the same URL and headers I get an OK response. So something must be wrong with my Spring Boot configuration.
I'm using the same JKS for Spring Boot and SoapUI. I've tried using the cert in the application.properties as well as specifying it on the command line using -Djavax.net.ssl.keyStore as well as the related password parameter.
When I run the other service locally without SSL I can connect just fine via my Spring Boot application.
The SSL error I'm getting is: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
Best I can think is that SoapUI(or Postman) identify's itself as a client application and my Spring Boot identifies itself as a server? So I think I'm asking how can I make Spring Boot identify itself as a client but I'm still not sure I understand the SSL error to begin with.

You have a multitude of problems. First off, soapui doesn't do verification of the server SSL certificate when it connects, java by default does not. You can however configure java client to also ignore server cert verification.
How to ignore depends on what client you use, apache httpclient is the most common one and you can find details on that in this thread.
Now, you should not really do that. Instead, you should have a trust store that contains the certificates that would validate the server cert. In that case you would be interested in truststore configuration, not a keystore - keystore is for other way around, when you're identifying yourself to some other party. You'd need to import the root CA and intermediate certificates to your trust store, then point to that in your configuration.

- CA SSL config issues with RESTCOMM

First to explain our application, its as follows...
1)We have one UBUNTU server where we are running Apache Tomcat and also RESTCOMM.
2) We have two application war files. One is the main application and another is a customized OLYMPUS Application to facilitate WebRTC calls. Now our Main application has a menu option which when clicked will load customized OLYMPUS Application into the browser and facilitates the WEBRTC for users.
3) We have tested this properly by using Self Signed Certficate and all is working well. But now we want to use CA apporved SSL Cert.
4) for this we have bout SSL CERT from GODADDY and for this the CSR was generated for Apache and then by using that CSR we downloaded the SSL CERT for Apache and configured by following the same process of how we configured Self Signed Cert.
5) Our main application is working well with the newly installed CA SSL Certificate. But when we try to load the customized OLYMPUS application we are getting the following error ...Web socket connection to ‘wss://>:/’ failed: WebSocket opening handshake was canelled.
We are able to get all working with self signed cert, but we are stuck with this problem when we use CA Approved SSL Cert from GO DADDY.
Request your suggestions pls.
Thanks in advance
Ias M

You need to configure Restcomm to use SSL Cert as well since the Websokets secure connection goes directly to Restcomm. Which method are you using for runnning Restcomm, using the zip file or the docker image ? Also which version of Restcomm are you running ?

Using Self-Signed Certificates with REST connector in Cloud Connect

I am working on integrating Cloud Connect with our platform's REST APIs. I am receiving an error when trying to connect to our development servers using the REST connector:
Component [REST Connector:REST_CONNECTOR] finished with status ERROR.
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Our development environment uses a self-signed SSL certificate, which I suspect is at the heart of the issue. How might I go about resolving this issue?

I am afraid that when running the graphs on GoodData servers, there is no way you could configure them to trust your self-signed certificates.
If you would be running the graph locally however (which should be OK for development), adding that certificates (or certification authority) to trusted certificates on your local machine should do the trick (and restarting CloudConnect after it, just to be sure it is reflected).