Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

how to configure cli trust store #277

Open
torstenstach opened this issue Nov 20, 2018 · 13 comments
Open

how to configure cli trust store #277

torstenstach opened this issue Nov 20, 2018 · 13 comments

Comments

@torstenstach
Copy link

>jfrog rt ping --url=https://artprod.issh.de/artifactory
[Error] Get https://artprod.issh.de/artifactory/api/system/ping: x509: certificate signed by unknown authority
how to configure the jfrog-cli trust store?

  • is there a way to disable the check?
  • where is the trust store?
  • Can i add certificats to the trust store?
@eyalbe4
Copy link
Contributor

eyalbe4 commented Nov 20, 2018

@torstenstach,
Here's you add your self signed certificates.
Disabling the use of SSL certificates is currently not supported, but we're considering add it.
Let us know if this helps.

@torstenstach
Copy link
Author

No this does not help.
under windows cli is unable to check the whole certificate chain.
WORKAROUND:
install the sub-ca certificate also as Trusted Root Certificate

Can you fix this?

image

@eyalbe4
Copy link
Contributor

eyalbe4 commented Nov 22, 2018

@torstenstach,
Are you using the latest JFrog CLI version? (currently the latest version is 1.22.0).
I'm asking because you may be affected by golang/go#18609.
The latest JFrog CLI release is built with Go 1.11, which should include this fix.

@torstenstach
Copy link
Author

I have the same problem with version 1.22.0

@eyalbe4
Copy link
Contributor

eyalbe4 commented Nov 22, 2018

@torstenstach,
Actually, we need to wait for this issue to be fixed - golang/go#16736
I'm not sure there's anything we can do before it is fixed by go...
We have tried to fix this in the past by adding https://github.com/jfrog/jfrog-client-go/blob/master/artifactory/auth/cert/sslutils_windows.go (runs for Windows only), but there's a chance this code is not perfect.
I see no other option but waiting for the above issue to be fixed.

@moeHaydar
Copy link

I have the same problem, any news about this ?

@vdsbenoit
Copy link

+1

@kenden
Copy link

kenden commented Apr 16, 2020

About:
"is there a way to disable the check?"
The option --insecure-tls was added recently:
https://github.com/jfrog/jfrog-cli/blob/master/RELEASE.md#1351-mar-18-2020

@kenyon
Copy link

kenyon commented Aug 3, 2023

This link from #277 (comment) is now broken and I'm really having a hard time finding the current location of documentation on using JFrog CLI with internal certificate authorities: https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-UsingSelf-signedSSLCertificates

@emveee
Copy link

emveee commented Sep 7, 2023

This link from #277 (comment) is now broken and I'm really having a hard time finding the current location of documentation on using JFrog CLI with internal certificate authorities: https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-UsingSelf-signedSSLCertificates

https://web.archive.org/web/20191007071125/https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory

@larkoie
Copy link

larkoie commented Feb 15, 2024

FYI the issue is still existing in jfrog cli 2.52.9 (latest at the time of my comment).
The bug golang/go#16736 looks fixed (closed completed in november 2021)

Can somebody take a look at this now?
Thanks

@mathieugouin
Copy link

I have version 2.71.0 of the cli.

I have exactly the same problem. To add more info, SSL works with curl -UseBasicParsing "https://artifactory.example.com/artifactory/api/system/ping" but not with jfrog rt ping.

I have installed my root CA certificate in my Docker image using:

  • Import-Certificate -FilePath C:\my_cert.crt -CertStoreLocation Cert:\LocalMachine\Root
  • manual copy to: ~/.jfrog/security. In my case it was: C:\Users\ContainerAdministrator\.jfrog\security

Any other clue?

@tjohnston-cd
Copy link

tjohnston-cd commented Dec 2, 2024

I believe I am having the same issue with Windows CLI versions 2.51.0 and 2.72.2 (the latest)

My internal root and issuing CA certs are in the standard system store locations the same as shown here: #277 (comment)

Adding the certificates in the chain to the HOME\.jfrog\security path as described here does not seem to make a difference.

It does not seem to recognize --insecure-tls on the jf login command I use for my test.
edit: Ah, but it is available on jf rt upload so I can use it to work around my issue for now. Still not ideal.

Any suggestions @eyalbe4 or others? How can I confirm this is the issue I'm having?

More importantly - what's involved in fixing this? This ticket is 6 years old. Is the root cause still one of the referenced golang library threads?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants