How to pass SSL certificate from GIT


#1

How to mount an SSL from GIT repo to resources.


#2

Can you give an example of what you’re trying to do?

You can interact with git repos using the built-in git resource.


#3

Yes, so I am building a pipeline which uses this for doing SonarQube quality gates.
My SonarQube site is publicly exposed (https) and requires my org .pem certificate to be mounted on resource containers,
and I am getting the below error:

SonarQube server [https://some.ip/projects] can not be reached
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.3.0.603:sonar (default-cli) on project XXX: Unable to execute SonarQube: Fail to get bootstrap index from server: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

How do I resolve this or mount my .pem cert?


#4

The answer here depends on how you’re managing your workers.

If they’re running the concourse binary, you should first install the CA cert on the worker VM (this depends on your Linux distro, but here are the Ubuntu instructions). Next, start the worker with the --certs-dir flag pointing to wherever that is on your machine (typically /etc/ssl/certs).

The Docker flow is similar, but a little awkward since you’ll have to install the certs on the Docker host and then bind-mount the host’s certs volume in to the worker container.

If they’re deployed via BOSH you should set the CA under director.trusted_certs property of your BOSH director. It will then propagate to all your VMs, and Concourse will pick it up automatically.

Once this is wired up, all Concourse containers will have the certs automatically propagated to them.


#5

So the .pem cert has to be installed on the worker nodes
(ex: sample.pem must be in /etc/ssl/certs for Fedora)
and then we can use the below

volumes: /etc/ssl/certs/:/etc/ssl/certs/
privileged: true
in pipeline?

And we are on v3.8.0; should we upgrade to 3.9 before making these changes?


#6

There’s a bit more to installing the .pem: https://www.happyassassin.net/2015/01/14/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/

Since you’re on Fedora, I believe the path won’t be /etc/ssl/certs on the host - it exists, but it’s a symlink to the real directory to bind-mount.


#7

Thanks team :slight_smile:


#8

In the case of the Docker flow, does the --cert-dir flag get added to the ENTRYPOINT item in the Dockerfile?
eg. ENTRYPOINT ["/usr/local/bin/dumb-init", "/usr/local/bin/concourse", "--cert-dir", "/etc/ssl/certs"]

Thanks.


#9

Did you have success with that approach?

I tried it with 3.14.1 and concourse fails to start because it does not recognize the option.

UPDATE: However, setting it with an environment variable does work: CONCOURSE_CERTS_DIR=/etc/ssl/certs for instance. This can be set in the Dockerfile or at runtime.

--Harley
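Putting the Docker flow from #4 together with the environment-variable form confirmed in #9, here is an added docker-compose service for a worker that trusts the org CA; it is an illustration, not configuration from the thread or from the Concourse project, and the web/TSA hostname, key paths and the Fedora target directory are assumptions.

```yaml
# Added example: Concourse worker container that picks up the host's CA bundle.
# Assumes the org CA was installed into the host trust store first (the hashed
# directory produced by the distro's update tool), so the bind-mount exposes
# an already-trusted store rather than a lone .pem file.
version: "3"
services:
  worker:
    image: concourse/concourse:3.14.1     # version mentioned in the thread
    command: worker
    privileged: true                      # Concourse workers run containers
    environment:
      # Equivalent to the --certs-dir flag; the env var form is what #9 found
      # to work with 3.14.1 when the ENTRYPOINT flag was not recognized.
      CONCOURSE_CERTS_DIR: /etc/ssl/certs
      CONCOURSE_TSA_HOST: web:2222                      # assumption: web node name/port
      CONCOURSE_TSA_PUBLIC_KEY: /keys/tsa_host_key.pub  # assumption: key paths
      CONCOURSE_TSA_WORKER_PRIVATE_KEY: /keys/worker_key
      CONCOURSE_WORK_DIR: /worker-state
    volumes:
      # Bind-mount the host's *real* certs directory, read-only. On Ubuntu that
      # is /etc/ssl/certs; on Fedora/RHEL /etc/ssl/certs is only a symlink (#6),
      # so mount the symlink target instead (assumed here: /etc/pki/tls/certs):
      #   - /etc/pki/tls/certs:/etc/ssl/certs:ro
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - ./keys:/keys:ro
```

Before changing any pipeline, confirm the host store itself validates the SonarQube endpoint, for example with `openssl s_client -connect sonar.example.org:443 -CApath /etc/ssl/certs` (hostname assumed); a "unable to get local issuer certificate" result there means the CA is not yet in the hashed directory, and no bind-mount will fix it.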