
build-collect-env reports 'x509: cannot validate certificate' when insecure-tls option is set #1592

Open
jainvikas8 opened this issue Jul 5, 2022 · 7 comments
Labels
bug Something isn't working

Comments

@jainvikas8

jfrog rt build-collect-env reports the following

15:55:17 [Info] Collecting environment variables...
15:55:17 [Info] Collected environment variables for <build_name>.
15:55:20 [Warn] (Attempt 1) - Failure occurred while sending GET request to https:///<ip_address>:443/artifactory/api/system/version: Get "https://<ip_address>:443/artifactory/api/system/version": x509: cannot validate certificate for <ip_address> because it doesn't contain any IP SANs
15:55:22 [Warn] (Attempt 2) - Failure occurred while sending GET request to https:///<ip_address>:443/artifactory/api/system/version: Get "https://<ip_address>:443/artifactory/api/system/version": x509: cannot validate certificate for <ip_address> because it doesn't contain any IP SANs
15:55:25 [Warn] (Attempt 3) - Failure occurred while sending GET request to https:///<ip_address>:443/artifactory/api/system/version: Get "https://<ip_address>:443/artifactory/api/system/version": x509: cannot validate certificate for <ip_address> because it doesn't contain any IP SANs
15:55:28 [Warn] (Attempt 4) - Failure occurred while sending GET request to https:///<ip_address>:443/artifactory/api/system/version: Get "https://<ip_address>:443/artifactory/api/system/version": x509: cannot validate certificate for <ip_address> because it doesn't contain any IP SANs

To Reproduce

  • Config add with insecure-tls
jfrog config add '--insecure-tls=true' <artifactory> '--interactive=false' '--artifactory-url=<address>' '--user=<user>' '--access-token=<token>'
  • Upload
jfrog rt upload '--insecure-tls=true' '--spec=upload_spec.json' '--build-name=<build_name>' '--build-number=<build_number>'

The output is successful

{
  "status": "success",
  "totals": {
    "success": 2,
    "failure": 0
  }
}
  • Build-collect-env
jfrog rt build-collect-env <build_name> <build_number>

this fails to collect all the info for publishing

  • Build-publish
jfrog rt build-publish '--insecure-tls=true' <build_name> '--build-url=<url>'

Unable to publish it properly and artifacts can't be downloaded.

Expected behavior
To run collect-env without any warnings.

Versions

Would it be possible to have a workaround or option of --insecure-tls=true for jfrog rt build-collect-env ?

@jainvikas8 jainvikas8 added the bug Something isn't working label Jul 5, 2022
@jainvikas8
Author

eyalbe4 Is there anyone that I could tag to take a look at this issue, please?

@michal-kaciuba

I'm getting the same error inconsistently when running jf rt u.

@ememarar

We're having the same issue with jfrog-cli as well. Could you please take a look at this?

@jainvikas8
Author

Any update on this, please?

@SebastienTolron

Hey,

Seems to have the same issue here.

Someone found a workaround?

@sverdlov93
Contributor

Hi @jainvikas8 @Stolr @ememarar @MKaciuba ,
Thanks for reporting this issue.
Our apologies for the inconvenience caused by this.

Can you please provide more info regarding the issue?
Are you getting the above warning when running jf rt build-collect-env or jf build-publish?
I am asking because Collected environment variables for.... is the last line on the build-collect-env command and also build-collect-env should not connect to artifactory at all.

Does it still happen on latest CLI versions?
Also, can you please add JFROG_CLI_LOG_LEVEL=DEBUG as an environment variable upon running the command and share the logs?

@fourpastmidnight

One of the requirements for using a private CA certificate with Artifactory is that its Common Name (or Subject Name) CN field must have the server's IP address as its value, but when validating an X509 certificate, it's required that the "domain name" used in a URL request is present in the Subject Alternative Name (SAN) field.

When validating a certificate, a browser will check the SAN field first. If it finds the name it's looking for in the SAN, then it will use that entry and perform additional validation checks, e.g. chain of trust validity, etc. It used to be, many years ago, that if the value is not found in the SAN field, then and only then will validation attempt to find the name in the CN field. However, this has been deprecated for quite some time and most modern browsers, utilities (e.g. curl, wget), and SDKs no longer make this additional CN check, always looking for the "domain name" of the URL in the SAN field of an X509 certificate.

In short, you need a certificate that includes the server's IP address in the SAN field, in addition to any other values that you want in there (e.g., DNS entries); and JFrog requires the IP address to be the value of the CN field for their own reasons. (It's not really required to validate an X509 certificate, but JFrog won't use it if the CN field is not the server's IP address (or the value of artifactory.shared.node.ip (if memory serves me correctly) in the system.yaml file) 😕, per their Artifactory Access private CA certificate requirements.)
