Add SSL CA for cloning git repos over HTTPS


#1

We have an internal git server that uses SSL and an internal CA. We are using this to control the deployment of Automate datastores. Even though the initial import was configured not to verify the certificate, refreshes using the /api/automate_domains endpoint fail and don’t appear to respect the SSL verify option. Is there a way I can have ManageIQ trust our internal CA?


#2

I'm not familiar with this corner of the code, but if you configured it not to verify and it fails, that sounds like a bug. Could you file a GitHub issue or Bugzilla?

One way that probably works is adding your CA to the machine’s CA bundle — basically add a file under /etc/pki/ca-trust/source/anchors/, then run sudo update-ca-trust. Then restart ManageIQ to be sure.
(If you have multiple appliances, I recommend doing it on all of them.)

cc @mkanoor


#3

I ended up upgrading our server’s CA bundle and got it to work, but I also had to set SSL_CERT_FILE in /etc/profile.d/evm.sh. I’ll work on filing an issue later today about the SSL verification failing after it’s configured to skip.
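
A pre-flight check for the CA-bundle approach described in posts #2 and #3, added here as an example (it is not code from this thread or from ManageIQ): before a PEM file goes into /etc/pki/ca-trust/source/anchors/, confirm it really is a CA certificate inside its validity period, and that the git server's certificate chains to it. The helper names and the throwaway certificates are hypothetical and constructed for the example; Ruby's standard openssl library is assumed.

```ruby
require "openssl"

# Build a throwaway certificate (constructed sample data, not a real CA).
def make_cert(cn, key, issuer: nil, issuer_key: key, ca: false, days: 30)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Reasons a PEM file should NOT be installed as a trust anchor.
def anchor_problems(pem, at: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  problems = []
  bc = cert.extensions.find { |e| e.oid == "basicConstraints" }
  problems << "not a CA certificate" unless bc && bc.value.include?("CA:TRUE")
  problems << "outside validity period" unless (cert.not_before..cert.not_after).cover?(at)
  problems
rescue OpenSSL::OpenSSLError
  ["not a parseable certificate"]
end

# True when server_cert chains to one of the given anchors. This checks the
# signature chain and dates only; hostname matching is not covered here.
def trusted_by?(server_cert, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |a| store.add_cert(a) }
  store.verify(server_cert)
end

if __FILE__ == $0
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Constructed Internal CA", ca_key, ca: true)
  leaf = make_cert("git.example.internal", OpenSSL::PKey::RSA.new(2048), issuer: ca, issuer_key: ca_key)
  puts "CA file problems:    #{anchor_problems(ca.to_pem).inspect}"
  puts "leaf as anchor:      #{anchor_problems(leaf.to_pem).inspect}"
  puts "trusted without CA:  #{trusted_by?(leaf, [])}"
  puts "trusted with CA:     #{trusted_by?(leaf, [ca])}"
end
```
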


#4

The REST API doesn’t control the ssl_verify option; that value is set when the repository is created for the first time using the UI. After that, the REST API just uses the repository object and calls refresh on it.
What kind of errors are you seeing? We have an incorrect password issue which we have a PR for.
https://github.com/ManageIQ/manageiq/pull/14889


#5

The repository was created with the SSL verification checkbox unchecked. When I called the REST endpoint and followed the task_href, I saw that it failed saying that the SSL verification failed. It was also failing when I tried the refresh through the UI.

Here’s some output from evm.log when refreshing a git resource:

[----] I, [2017-05-09T12:26:44.351981 #59375:efb12c]  INFO -- : MIQ(MiqQueue#deliver) Message id: [286852], Delivering...
[----] E, [2017-05-09T12:26:44.458888 #59375:efb12c] ERROR -- : MIQ(MiqQueue#deliver) Message id: [286852], Error: [The SSL certificate is invalid]
[----] I, [2017-05-09T12:26:44.459068 #59375:efb12c]  INFO -- : MIQ(MiqQueue#delivered) Message id: [286852], State: [error], Delivered in [0.107089714] seconds
[----] I, [2017-05-09T12:26:44.460597 #59375:efb12c]  INFO -- : MIQ(MiqQueue#m_callback) Message id: [286852], Invoking Callback with args: ["Finished", "error", "The SSL certificate is invalid", "nil"]
[----] I, [2017-05-09T12:26:44.460802 #59375:efb12c]  INFO -- : MIQ(MiqTask#update_status) Task: [6061] [Finished] [Error] [The SSL certificate is invalid]