Proxy Setting in TeamCity - ssl-certificate

We have TeamCity 10 running as a service behind a corporate network and we need to configure it to connect to a proxy so we can access an external issue tracker (Jira).
When we attempt a test connection we get
Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I am assuming that is because the proxy isn't set up properly? Other links seem to suggest it's a certificate issue for Jira Cloud? An alternative theory based on https://confluence.jetbrains.com/display/TCD7/JIRA and https://developer.atlassian.com/jiradev/latest-updates/soap-and-xml-rpc-api-deprecation-notice suggests that xml-rpc is required for the integration, however that is deprecated?
We have added
TEAMCITY_SERVER_OPTS in environment settings with the following
-Dproxyset=true;-Dhttp.proxyHost=xxx;-Dhttp.proxyPort=xxx
Is there anything else? Or a simpler way?
Thanks for reading

Most probably the HTTPS certificate of your Jira is self-signed, so you will need to configure the TeamCity server JVM by adding the root certificate of your organization to the JVM keystore as trusted.
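
An added example, not part of the original answer: a small Java program that reproduces the PKIX check offline against a saved server chain, then writes a separate trust store holding the JVM's default anchors plus the organization root. The class name, file names and command-line arguments are hypothetical.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

// Added example (hypothetical class and file names).
// Usage: java TrustCheck server-chain.pem org-root.pem truststore.p12 <password>
public class TrustCheck {
    // ks == null selects the JVM default trust store (cacerts or -Djavax.net.ssl.trustStore)
    static X509TrustManager trustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    static X509Certificate[] readPem(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            Collection<? extends Certificate> certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }
    // Runs the same PKIX validation a TLS client performs on the server's chain
    static String check(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "UNKNOWN");
            return "trusted";
        } catch (CertificateException e) {
            return "NOT trusted: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = readPem(args[0]); // leaf first, as the server sends it
        X509TrustManager defaults = trustManager(null);
        System.out.println("default trust store: " + check(defaults, chain));
        // Build a separate trust store: default anchors plus the organization root
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        int i = 0;
        for (X509Certificate c : defaults.getAcceptedIssuers()) ks.setCertificateEntry("default-" + i++, c);
        for (X509Certificate c : readPem(args[1])) ks.setCertificateEntry("org-root-" + i++, c);
        System.out.println("with org root added: " + check(trustManager(ks), chain));
        try (OutputStream out = Files.newOutputStream(Paths.get(args[2]))) {
            ks.store(out, args[3].toCharArray());
        }
    }
}
```

The resulting file can be handed to the server JVM with -Djavax.net.ssl.trustStore, -Djavax.net.ssl.trustStorePassword and -Djavax.net.ssl.trustStoreType=PKCS12, which leaves the JDK's own cacerts file unmodified.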

Related

Does my private server hosting GitLab need a valid CA certificate to register a runner on a separate server?

I've been at this for a few days now with no luck. After traversing a plethora of GitLab documentation, whenever I try to register a runner on a server in my network (besides the server hosting GitLab), I receive this error:
ERROR: Registering runner... failed
runner=xxxxxxxx status=couldn't execute POST against https://gitlab_instance_url.com/api/v4/runners:
Post https://gitlab_instance_url.com/api/v4/runners: x509: certificate signed by unknown authority
PANIC: Failed to register the runner. You may be having network problems.
I have tried:
Creating private and public keys, a CSR, and getting a CA-signed certificate for the server I'm trying to register my runner on
Registering the runner using --tls-ca-file=path/to/cert
Creating a new server from scratch to register the runner
Creating a runner on the server GitLab is hosted on (this is the only one that works, but it defeats the purpose because I need to connect my CI/CD pipeline with a server other than the one hosting GitLab)
Other important detail:
I am not using Docker or Kubernetes, just vanilla GitLab Runner
Resources used:
gitlab-runner x509: certificate signed by unknown authority
https://docs.gitlab.com/runner/register/index.html
https://docs.gitlab.com/ee/api/runners.html#register-a-new-runner
https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/81#note_252326958
https://docs.gitlab.com/runner/configuration/tls-self-signed.html
https://docs.gitlab.com/runner/install/linux-repository.html
https://docs.gitlab.com/runner/install/linux-manually.html#using-debrpm-package
The only thing I can think of is that the server hosting GitLab has an expired CA certificate, even though the GitLab URL does have a valid certificate. Perhaps the reason I keep getting x509: certificate signed by unknown authority is because the server taking the requests has an expired certificate, and it halts the registration there. Does anyone know if this is the case, or could it be something else? I'm seriously running out of ideas.
Edit: The problem is not fixed, but it turns out I was mistaken and the server hosting GitLab did have a valid certificate, and I was able to create a runner with no issues on a different server, but not the server I spun up and added a CA certificate to. This leads me to believe that the server I spun up has some issue with certificate configuration. Currently investigating this.

Jenkins Jira Plugin SSL Authentication issue

Good day.
I'm trying to implement a Jenkins/Bitbucket Server/Jira Server integration.
All servers are working under SSL (private PKI) with peer authentication enabled.
So the first step was to connect to Bitbucket, and it was successful.
All I've done is add JVM_ARGS to Jenkins:
-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStore=/ssl/jenkins.p12
-Djavax.net.ssl.trustStore=/ssl/cacerts
-Djavax.net.ssl.keyStorePassword=JenkinsPassword1
-Djavax.net.ssl.trustStorePassword=changeit
So Jenkins authenticated on Bitbucket.
After that I tried to connect Jenkins to JIRA, without success.
Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
All servers have certificates deployed under same CA chain.
All servers have that chain in trust store.
So I wonder what I'm doing wrong?
I've enabled SSL debug (javax.net.debug=ssl)
and saw the following strings during Jira site configuration validation:
Found trusted certificate: //So there is no problem with truststore.
....
....
Warning: no suitable certificate found - continuing without client authentication // WHY??
*** Certificate chain
<Empty>
***
But with Bitbucket Server it picks the right certificate.
I double-checked everything; moreover, Bitbucket Server is working fine.
After some digging in the code I found that the JIRA Plugin uses Atlassian's library, which uses Apache HTTP Client. And I could not understand why HTTP Client is not initializing the keystore for the JIRA connection.
Maybe someone has faced the same problem? Is there any solution without refactoring the plugin or libraries?
Any suggestions are welcome.
I'm using Jenkins 2.89.2 with Jira Plugin 2.5 /Bitbucket Server 5.3/ Jira 7.63
Jenkins running in docker.
PS: The Skip Certificate Verification Plugin is not an option. Peer authentication is mandatory.

Using Self-Signed Certificates with REST connector in Cloud Connect

I am working on integrating Cloud Connect with our platform's REST APIs. I am receiving an error when trying to connect to our development servers using the REST connector:
Component [REST Connector:REST_CONNECTOR] finished with status ERROR.
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Our development environment uses a self-signed SSL certificate, which I suspect is at the heart of the issue. How might I go about resolving this issue?
I am afraid that when running the graphs on GoodData servers, there is no way you could configure them to trust your self-signed certificates.
If you are running the graph locally, however (which should be OK for development), adding those certificates (or the certification authority) to the trusted certificates on your local machine should do the trick (restart CloudConnect afterwards, just to be sure it is reflected).

Modify trusted CAs under Jelastic

I'm trying to set up a CAS-based ecosystem on the Jelastic infrastructure. I was able to set up both the server and a client under the same Tomcat 7 instance, using the example web application described here. The SSL certificates (CA and server's) I'm using are self-signed.
When asking for a protected resource, the webapp correctly redirects to the CAS login page, and the authentication is done well at server level. However, in the return flow something goes bad and the browser shows an exception that has the following root cause:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
This is because the CAS protocol has an additional client-server verification dialogue that is done immediately after the authentication, and during this dialogue the client has to trust the server again. This time, it doesn't use Tomcat's SSL settings but the ones of the JVM (see here)
The problem is that on Jelastic there's no way to access the JAVA_HOME/jre/lib/security folder, as far as I know.
Any hint? Thanks.
UPDATE:
I've found the solution. On Jelastic, since v.1.8.5, Tomcat apps have write rights on the JAVA_HOME/jre/lib/security folder. This IMHO opens a security issue, but for this specific case it was good. I've been able to write a simple servlet that added my certificate to the JVM cacerts file, and I've solved the problem.
If I understood correctly, you need exactly the same certificate installed on Tomcat AND on the JVM itself?
Currently the Jelastic SSL install option only installs the certificate onto the application/web server (in this case, Tomcat). To install it on the JVM as well you need to seek assistance from your hosting provider.
You should also ask them to raise a feature request for this functionality with the development team; I suppose it would be useful to install the certificate to both places (Tomcat and JVM) by default?
(are there cases you can see where it would be useful to have different certificates for each?)

WSO2 - Server's certificate is not trusted

I'm setting up my development environment using the binary files that I have downloaded from WSO2's website.
I'm getting an issue related to the SSL certificate which prevents me from calling some URIs from my Ruby script. How can I fix this kind of problem?
Have you tried installing the SSL Certificate into the client-truststore in repository/resources/security?