Jenkins on Kubernetes & Git: SSL Certificate Problem with Self Signed Certificates

5/28/2021

I'm having problems with Jenkins when trying to access a self-hosted Bitbucket repository with self-signed certificates:

   Started by user unknown or anonymous
[Fri May 28 13:38:25 UTC 2021] Starting branch indexing...
 > git rev-parse --is-inside-work-tree # timeout=10
Setting origin to https://<companyurl>/testjenkinssslproject.git
 > git config remote.origin.url https://<companyurl>/testjenkinssslproject.git # timeout=10
Fetching & pruning origin...
Listing remote references...
 > git config --get remote.origin.url # timeout=10
 > git --version # timeout=10
 > git --version # 'git version 2.11.0'
using GIT_ASKPASS to set credentials 
 > git ls-remote -h -- https://<companyurl>/testjenkinssslproject.git # timeout=10
ERROR: [Fri May 28 13:38:25 UTC 2021] Could not fetch branches from source 13b4c498-1311-4123-932f-7af6df217cc2
hudson.plugins.git.GitException: Command "git ls-remote -h -- https://<companyurl>/testjenkinssslproject.git" returned status code 128:
stdout: 
stderr: fatal: unable to access 'https://<companyurl>/testjenkinssslproject.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

What I already tried:

  • Adding Certificate to Jenkins KeyStore in Helm Chart
values.yaml:
master:
  httpsKeyStore:
    jenkinsHttpsJksSecretName: ''
    enable: true
    httpPort: 8081
    path: "/var/jenkins_keystore"
    fileName: "keystore.jks"
    password: "changeit"
    # Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here
    jenkinsKeyStoreBase64Encoded: |
      base64valueofmykeystorewithselfsignedcerts
  • Add crt directly into the Jenkins Docker Images (like https://github.com/jenkinsci/docker/issues/901), but I'm just getting the same error as in this github issue: "rm: cannot remove 'ca-certificates.crt': Permission denied"
  • Use Kubernetes JVM_OPTS Annotation to use my custom Jenkins-KeyStore (solved 50% of the errors, but not the errors thrown when "git clone" is called)

Does anybody have experience with adding self-signed certificates to Jenkins & the Jenkins agents?

-- Arol

1 Answer

5/28/2021

The answers to this question describe how to make git itself trust a self-signed certificate: https://stackoverflow.com/questions/9072376/configure-git-to-accept-a-particular-self-signed-server-certificate-for-a-partic

As this solution does not require root access, it should work for your use case.

-- maweil
Source: StackOverflow
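
The per-host approach the answer links to, as an added shell example (not from the original post or the linked answers): it uses git's `http.<url>.sslCAInfo` setting so the extra CA is trusted for one server only, and it needs no root. The host name, file names and the `~/.git-certs` directory are assumptions; it has to run as the user that executes git on the Jenkins controller and on each agent.

```shell
#!/bin/sh
# Added example: trust one self-signed CA for one Git host, as the invoking
# user, without root. Host URL and file names are assumed placeholders.
# Usage (constructed host):
#   trust_ca_for_host https://bitbucket.example.internal/ ./corp-ca.pem

# trust_ca_for_host <base-url> <pem-file>
# Copies the PEM into $HOME/.git-certs and points git at it for that URL only.
trust_ca_for_host() {
    base_url=$1
    pem_src=$2

    # Scope the extra trust to an HTTPS base URL ending in a slash.
    case $base_url in
        https://*/) ;;
        *) echo "base URL must look like https://host/" >&2; return 2 ;;
    esac

    # Refuse files that are not PEM certificates (for example a JKS keystore,
    # which the JVM can read but git cannot).
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem_src" 2>/dev/null; then
        echo "$pem_src is not a PEM certificate" >&2
        return 3
    fi

    # Keep the certificate in a directory only this user can write to.
    cert_dir=$HOME/.git-certs
    mkdir -p "$cert_dir" && chmod 700 "$cert_dir" || return 4
    pem_dst=$cert_dir/$(basename "$pem_src")
    cp "$pem_src" "$pem_dst" || return 4

    # http.<url>.sslCAInfo applies only to remotes under <url>; every other
    # host keeps using the system bundle.
    git config --global "http.${base_url}.sslCAInfo" "$pem_dst"
}

# verification_disabled: succeeds if this user has switched TLS verification
# off globally, which would make the per-host CA setting pointless.
verification_disabled() {
    [ "$(git config --global --bool --get http.sslVerify 2>/dev/null)" = "false" ]
}
```

The Jenkins keystore and `JVM_OPTS` settings only affect Java's TLS stack, while the `git` binary reads its own CA configuration, which is why the clone step can still fail after the keystore is fixed.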