github enterprise self signed certs

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

github enterprise self signed certs

Ryan Golhar
Hi all - I'm trying to set up Jenkins with our enterprise github install.  We're using https with self-signed certificates.   I've added the CA PEM to /etc/pki/tls/certs/ca-bundle.crt, and can verify this works by using 'curl https://our.enterprise.github.com/api/v3/'

Now, in Jenkins -> Manage Jenkins, under 'GitHub Enterprise Servers', I enter the same API endpoint but get the message "The endpoint does not look like a GitHub Enterprise (verify network and/or try again later)".  My Jenkins log file shows:
Feb 10, 2017 7:18:57 PM org.jenkinsci.plugins.github_branch_source.Endpoint$DesciptorImpl doCheckApiUri
WARNING: Server returned HTTP response code: -1, message: 'null' for URL: https://our.enterprise.github.com/api/v3/

I'm not really sure how to proceed as this point.   Has anyone run into this before?   

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/00e16733-3778-42ab-be7c-74887e421f71%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: github enterprise self signed certs

Tobias Breuer
Hi,

I'm currently running into the same issue. Did you find any answer to this yet?

Am Freitag, 10. Februar 2017 20:26:21 UTC+1 schrieb Ryan Golhar:
Hi all - I'm trying to set up Jenkins with our enterprise github install.  We're using https with self-signed certificates.   I've added the CA PEM to /etc/pki/tls/certs/ca-bundle.crt, and can verify this works by using 'curl <a href="https://our.enterprise.github.com/api/v3/" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Four.enterprise.github.com%2Fapi%2Fv3%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHXFeibfAIH5BsUIfYKU4O0a1HJVA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Four.enterprise.github.com%2Fapi%2Fv3%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHXFeibfAIH5BsUIfYKU4O0a1HJVA&#39;;return true;">https://our.enterprise.github.com/api/v3/'

Now, in Jenkins -> Manage Jenkins, under 'GitHub Enterprise Servers', I enter the same API endpoint but get the message "The endpoint does not look like a GitHub Enterprise (verify network and/or try again later)".  My Jenkins log file shows:
Feb 10, 2017 7:18:57 PM org.jenkinsci.plugins.github_branch_source.Endpoint$DesciptorImpl doCheckApiUri
WARNING: Server returned HTTP response code: -1, message: 'null' for URL: <a href="https://our.enterprise.github.com/api/v3/" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Four.enterprise.github.com%2Fapi%2Fv3%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHXFeibfAIH5BsUIfYKU4O0a1HJVA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Four.enterprise.github.com%2Fapi%2Fv3%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHXFeibfAIH5BsUIfYKU4O0a1HJVA&#39;;return true;">https://our.enterprise.github.com/api/v3/

I'm not really sure how to proceed as this point.   Has anyone run into this before?   

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/9b118db6-4494-4ff9-91ef-860411231a1b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: github enterprise self signed certs

Tobias Breuer
Hi, for anyone else having similar issues. I've finally solved it for my scenario.

Originally I've added the PEM information about our self signed certificate to the keystore of the java installation on my machine.
After having a second look at the jenkins config, it turned out, that jenkins was using its own jre version which is located in the installation dir of jenkins itself (I'm running on Windows).
So I had to adapt the keystore within this particular jre and not the one installed in "Program Files". Now jenkins can successfully communicate with our GitHub enterprise server using a self signed certificate.

Now I only have to figure out why the git plugin cannot checkout even though git itself can do it via command line. 
Step by Step...

Am Donnerstag, 2. November 2017 17:24:24 UTC+1 schrieb Tobias Breuer:
Hi,

I'm currently running into the same issue. Did you find any answer to this yet?

Am Freitag, 10. Februar 2017 20:26:21 UTC+1 schrieb Ryan Golhar:
Hi all - I'm trying to set up Jenkins with our enterprise github install.  We're using https with self-signed certificates.   I've added the CA PEM to /etc/pki/tls/certs/ca-bundle.crt, and can verify this works by using 'curl <a href="https://our.enterprise.github.com/api/v3/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Four.enterprise.github.com%2Fapi%2Fv3%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHXFeibfAIH5BsUIfYKU4O0a1HJVA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Four.enterprise.github.com%2Fapi%2Fv3%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHXFeibfAIH5BsUIfYKU4O0a1HJVA&#39;;return true;">https://our.enterprise.github.com/api/v3/'

Now, in Jenkins -> Manage Jenkins, under 'GitHub Enterprise Servers', I enter the same API endpoint but get the message "The endpoint does not look like a GitHub Enterprise (verify network and/or try again later)".  My Jenkins log file shows:
Feb 10, 2017 7:18:57 PM org.jenkinsci.plugins.github_branch_source.Endpoint$DesciptorImpl doCheckApiUri
WARNING: Server returned HTTP response code: -1, message: 'null' for URL: <a href="https://our.enterprise.github.com/api/v3/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Four.enterprise.github.com%2Fapi%2Fv3%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHXFeibfAIH5BsUIfYKU4O0a1HJVA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Four.enterprise.github.com%2Fapi%2Fv3%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHXFeibfAIH5BsUIfYKU4O0a1HJVA&#39;;return true;">https://our.enterprise.github.com/api/v3/

I'm not really sure how to proceed as this point.   Has anyone run into this before?   

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/679f7362-dfe7-4c8e-abad-c9da2f433abb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: github enterprise self signed certs

Mark Waite-2


On Fri, Nov 3, 2017 at 1:58 AM Tobias Breuer <[hidden email]> wrote:
Hi, for anyone else having similar issues. I've finally solved it for my scenario.

Originally I've added the PEM information about our self signed certificate to the keystore of the java installation on my machine.
After having a second look at the jenkins config, it turned out, that jenkins was using its own jre version which is located in the installation dir of jenkins itself (I'm running on Windows).
So I had to adapt the keystore within this particular jre and not the one installed in "Program Files". Now jenkins can successfully communicate with our GitHub enterprise server using a self signed certificate.

Now I only have to figure out why the git plugin cannot checkout even though git itself can do it via command line. 
Step by Step...


Tobias,

Can you help me understand the use case for self-signed certificates on a commercially purchased product?

Your organization has paid to install, configure, and use GitHub Enterprise.  It seems like you would also choose to purchase a certificate from a certificate authority.  What are the barriers that prevent you from installing a certificate from a certificate authority, rather than generating one yourselves?

Thanks,
Mark Waite (I don't test the git plugin with self-signed certificates)
 
Am Donnerstag, 2. November 2017 17:24:24 UTC+1 schrieb Tobias Breuer:
Hi,

I'm currently running into the same issue. Did you find any answer to this yet?

Am Freitag, 10. Februar 2017 20:26:21 UTC+1 schrieb Ryan Golhar:
Hi all - I'm trying to set up Jenkins with our enterprise github install.  We're using https with self-signed certificates.   I've added the CA PEM to /etc/pki/tls/certs/ca-bundle.crt, and can verify this works by using 'curl https://our.enterprise.github.com/api/v3/'

Now, in Jenkins -> Manage Jenkins, under 'GitHub Enterprise Servers', I enter the same API endpoint but get the message "The endpoint does not look like a GitHub Enterprise (verify network and/or try again later)".  My Jenkins log file shows:
Feb 10, 2017 7:18:57 PM org.jenkinsci.plugins.github_branch_source.Endpoint$DesciptorImpl doCheckApiUri
WARNING: Server returned HTTP response code: -1, message: 'null' for URL: https://our.enterprise.github.com/api/v3/

I'm not really sure how to proceed as this point.   Has anyone run into this before?   

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/679f7362-dfe7-4c8e-abad-c9da2f433abb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtGZcZMk2-iq1U7%2BLJKAY5U67RGJZXNt%2BYj3CoBC%2BS2JMA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: github enterprise self signed certs

itchymuzzle
Free ones

https://letsencrypt.org/

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/998feca5-4676-4295-9fd8-a4df11d38a7b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: github enterprise self signed certs

Richard Bywater-2
In reply to this post by Mark Waite-2
Just to throw my 2 cents in, I guess it depends on what is meant by self-signed - is that self-signed as in I've created a cert on my machine and that's what I'm using, or is it "self-signed" in that its signed by a CA that is internal to the organisation.

The former seems a bit of a strange case but the latter is pretty common.

Having said that though this really isn't a Git plugin or even a Jenkins issue - its purely CA Cert Handling 101 for whenever you are trying to use Java with the two cases given above (where, of course in the second case, this involves installing the CA cert from your internal CA setup)

Richard.

On Sat, 4 Nov 2017 at 01:37 Mark Waite <[hidden email]> wrote:
On Fri, Nov 3, 2017 at 1:58 AM Tobias Breuer <[hidden email]> wrote:
Hi, for anyone else having similar issues. I've finally solved it for my scenario.

Originally I've added the PEM information about our self signed certificate to the keystore of the java installation on my machine.
After having a second look at the jenkins config, it turned out, that jenkins was using its own jre version which is located in the installation dir of jenkins itself (I'm running on Windows).
So I had to adapt the keystore within this particular jre and not the one installed in "Program Files". Now jenkins can successfully communicate with our GitHub enterprise server using a self signed certificate.

Now I only have to figure out why the git plugin cannot checkout even though git itself can do it via command line. 
Step by Step...


Tobias,

Can you help me understand the use case for self-signed certificates on a commercially purchased product?

Your organization has paid to install, configure, and use GitHub Enterprise.  It seems like you would also choose to purchase a certificate from a certificate authority.  What are the barriers that prevent you from installing a certificate from a certificate authority, rather than generating one yourselves?

Thanks,
Mark Waite (I don't test the git plugin with self-signed certificates)
 
Am Donnerstag, 2. November 2017 17:24:24 UTC+1 schrieb Tobias Breuer:
Hi,

I'm currently running into the same issue. Did you find any answer to this yet?

Am Freitag, 10. Februar 2017 20:26:21 UTC+1 schrieb Ryan Golhar:
Hi all - I'm trying to set up Jenkins with our enterprise github install.  We're using https with self-signed certificates.   I've added the CA PEM to /etc/pki/tls/certs/ca-bundle.crt, and can verify this works by using 'curl https://our.enterprise.github.com/api/v3/'

Now, in Jenkins -> Manage Jenkins, under 'GitHub Enterprise Servers', I enter the same API endpoint but get the message "The endpoint does not look like a GitHub Enterprise (verify network and/or try again later)".  My Jenkins log file shows:
Feb 10, 2017 7:18:57 PM org.jenkinsci.plugins.github_branch_source.Endpoint$DesciptorImpl doCheckApiUri
WARNING: Server returned HTTP response code: -1, message: 'null' for URL: https://our.enterprise.github.com/api/v3/

I'm not really sure how to proceed as this point.   Has anyone run into this before?   

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/679f7362-dfe7-4c8e-abad-c9da2f433abb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtGZcZMk2-iq1U7%2BLJKAY5U67RGJZXNt%2BYj3CoBC%2BS2JMA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAMui945Oc2J5%2Bh_zh4G%3DjRnYrfUfrMhm8vps3gT7i-Ovi8_Fbg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.