
SCM HTTPS, unknown CA #1469

Closed
LordMike opened this issue Oct 10, 2015 · 8 comments

@LordMike

Hi,

When trying to set up Git-SCM from #1465, I get the following error with HTTPS (was unable to do SSH for some reason):

[screenshot of the error]

So, basically my site uses a CACert.org certificate, which is probably what it's complaining about. This will however affect any site/organization using an internal CA or other untrusted CA.

How can I add the CA certificate to my trust chain?
Is it git's trust chain or Java's trust chain? (tool is git, exception is Java)

@LordMike (Author)

Update, I also get the following errors:

Using git@scm.local:/Internal/Rundeck.git

Failed cloning the repository from git@scm.local:/Internal/Rundeck.git: git@scm.local:/Internal/Rundeck.git: UnknownHostKey: scm.local. RSA key fingerprint is c1:86:20:08:d7:b6:38:fe:36:fa:59:68:b3:03:08:fc

Using ssh://git@scm.local:/Internal/Rundeck.git

Failed cloning the repository from ssh://git@scm.local:/Internal/Rundeck.git: Exception caught during execution of fetch command

Sidenote: running the git@scm.local:/Internal/Rundeck.git remote URL a few times will suddenly present this error instead of the original one (notice the fingerprint is printed three times now):

Failed fetch from the repository: git@scm.local:/Internal/Rundeck.git: UnknownHostKey: scm.local. RSA key fingerprint is c1:86:20:08:d7:b6:38:fe:36:fa:59:68:b3:03:08:fc: git@scm.local:/Internal/Rundeck.git: UnknownHostKey: scm.local. RSA key fingerprint is c1:86:20:08:d7:b6:38:fe:36:fa:59:68:b3:03:08:fc: UnknownHostKey: scm.local. RSA key fingerprint is c1:86:20:08:d7:b6:38:fe:36:fa:59:68:b3:03:08:fc

Looking at the SCM page (where you can configure Import/Export settings), I can now see that it has indeed been configured, just not enabled. Enabling it renders the previous error (with the fingerprint three times) and then says it couldn't be enabled due to errors:

Plugin was not enabled for SCM export: git-export: An error occurred.

@gschueler gschueler added the bug label Oct 12, 2015
@gschueler gschueler added this to the 2.6.1 milestone Oct 12, 2015
@gschueler (Member)

The SSL trust chain would be the one used by Java.

@gschueler (Member)

The workaround for UnknownHostKey is to add the SSH key to the ~/.ssh/known_hosts file for the Rundeck server user.

@LordMike (Author)

For future readers: I added the keys to known_hosts using the following procedure. Rundeck was then able to enable the SCM plugin.

  • My Rundeck user's home was /var/lib/rundeck (not /home/rundeck).
  • Ensure you have a .ssh folder in the home folder with permissions 700 or rwx------.
  • Navigate to the .ssh folder
  • Run the following command: ssh-keyscan -H [hostname] >> known_hosts.
  • Ensure the known_hosts file has permissions 544 or rw-r--r--, and is owned by rundeck
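The procedure above, as an added Python helper that is not Rundeck's own code: it checks the .ssh layout, merges ssh-keyscan -H output into known_hosts without duplicating keys, and goes one step further by refusing to install a scanned key unless its MD5 fingerprint matches the one the operator verified out of band (the form the UnknownHostKey error prints). It assumes a Linux host and that the Rundeck user's home directory (e.g. /var/lib/rundeck) is passed in; the sample inputs in the test are constructed.

```python
"""Constructed helper for the known_hosts procedure; not Rundeck's own code. Assumes Linux."""
import base64
import hashlib
import stat
import subprocess
from pathlib import Path

def md5_fingerprint(key_line):
    """Colon-separated MD5 fingerprint of one ssh-keyscan/known_hosts line (the UnknownHostKey
    error's format). -H hashed lines work too: only the host field is hashed, not the blob."""
    digest = hashlib.md5(base64.b64decode(key_line.split()[2])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def key_lines(text):
    """Real key lines only: skip blanks and ssh-keyscan's '# host:22 ...' comments."""
    return [l for l in text.splitlines()
            if l.strip() and not l.startswith("#") and len(l.split()) >= 3]

def merge_known_hosts(existing, scanned):
    """Append scanned keys not already present. Dedupe on (type, blob), not host name,
    so a plain entry and a -H hashed entry for the same key are not both kept."""
    seen = {tuple(l.split()[1:3]) for l in key_lines(existing)}
    out = existing.splitlines()
    for line in key_lines(scanned):
        ident = tuple(line.split()[1:3])
        if ident not in seen:
            out.append(line)
            seen.add(ident)
    return "\n".join(out) + "\n" if out else ""

def check_layout(home):
    """Permission problems OpenSSH/JGit trip on: .ssh must be 0700 and known_hosts must
    not be group/world writable. Ownership by the rundeck user is not checked here."""
    ssh_dir, problems = Path(home) / ".ssh", []
    if not ssh_dir.is_dir():
        return [f"{ssh_dir} missing"]
    if stat.S_IMODE(ssh_dir.stat().st_mode) != 0o700:
        problems.append(f"{ssh_dir} should be mode 0700")
    kh = ssh_dir / "known_hosts"
    if kh.exists() and stat.S_IMODE(kh.stat().st_mode) & 0o022:
        problems.append(f"{kh} is group/world writable")
    return problems

def install_host_keys(home, hostname, expected_fp):
    """Scan the SCM host; refuse unless a key matches the fingerprint verified out of band."""
    scanned = subprocess.run(["ssh-keyscan", "-H", hostname], capture_output=True,
                             text=True, check=True).stdout
    if expected_fp not in {md5_fingerprint(l) for l in key_lines(scanned)}:
        raise RuntimeError(f"no host key of {hostname} matches {expected_fp}")
    kh = Path(home) / ".ssh" / "known_hosts"
    kh.write_text(merge_known_hosts(kh.read_text() if kh.exists() else "", scanned))
    kh.chmod(0o644)
```

Run install_host_keys("/var/lib/rundeck", "scm.local", "<fingerprint confirmed with the SCM admin>") as the rundeck user; check_layout points out the 0700/0644 problems that otherwise surface only as "An error occurred" in the SCM page.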

@gschueler (Member)

@LordMike I added a toggle to disable "strict" key checking, however it would probably be nice to allow strict mode without doing those manual steps. How could we improve that? A GUI configuration to paste the output of ssh-keyscan maybe?

@LordMike (Author)

Would it be possible to have Rundeck itself fetch the equivalent of ssh-keyscan?

I imagine that in this config there could be a button to fetch the host keys. The issue, however, is that this config page is cluttered already (all options are present, regardless of whether I want to use git://, https:// or other).

[screenshot of the SCM configuration page]

The host key options should only be shown, however, if "Strict Mode" is disabled. I imagine a text box with placeholder text saying "Paste the server's host keys here. If no host keys are pasted, then host key checking is disabled". Or, a tri-state option, where you choose "Strict", "Specify host key" or "No checking", where the text box appears on the "Specify host key" option.

This solution flows well with the current config page, but a better solution could probably be thought up altogether. It'd just take more time to develop (and design).

Sidenote: kudos on covering merge conflicts. I just hit a merge conflict on my first commit, and thought to myself "oh shit, now I have to dig through..." but nope. Covered already. Certainly explains the better part of the 250+ commits for the SCM support :). 👍

@LordMike (Author)

An added benefit of storing host keys (and SSL/TLS thumbprints) in the configuration is that in a distributed or recovered environment, a second host can quickly take over executions, and won't rely on local (cryptic and undocumented) configuration.

@gschueler (Member)

Thanks.

Making the config properties fancier (dynamic) may be slightly out of scope right now; definitely a future enhancement.

I think adding a textbox is a good idea. The git plugin could run ssh-keyscan internally, but would then need a two-step confirmation to present the key signature to the user to verify, so perhaps that is the next phase of enhancement.

Good point about storing the host keys for a secondary environment... one caveat: right now the SCM plugin config is scoped only to the unique UUID of the current Rundeck server node (if using clusterMode), so that multiple nodes don't all attempt to sync/import/export jobs to the same repo. There needs to be a way to migrate the config from one server UUID to another for failover.

I appreciate all of the feedback!
