Unable to add Conan remote when custom CA cert is used in docker

XMLWordPrintable

      I am currently using a containerized pipeline to build a set of Conan packages

       

      def CONAN_CLIENT = "jenkins"
def CONAN_REMOTE = "example"
def CONAN_REPO = "conan-pkgs"
pipeline {
    agent {
        docker { image 'example.com/registry/ubuntu:focal' }
    } 
    
    parameters {         
       choice(             
          name: 'PROFILE',              
          choices: ['Ubuntu20.04_x64', 'Ubuntu20.04_x86', 'Android_arm' ],                 description: 'Conan host profile'             
        )         
        choice(             
           name: 'BUILD_TYPE',             
           choices: [ 'Debug', 'Release' ],             
           description: 'The optimization level to build for'         
        )         
        string(             
           name: 'SERVER_ID',             
           trim: true,             
           defaultValue: 'EXAMPLE_ARTIFACTORY',             
           description: 'The artifactory instance to use'         
         )     
      }
    stages {
        stage ('Conan configuration') {
            steps {                 
               rtConanClient (                     
                   id: CONAN_CLIENT                 
               )                 
               // Obtain an Artifactory server instance, defined in Jenkins --> Manage Jenkins --> Configure System:                 
               rtConanRemote (                     
                    name: CONAN_REMOTE,                     
                    serverId: params.SERVER_ID,                     
                    repo: CONAN_REPO,                     
                    clientId: CONAN_CLIENT                 
               )             
             }
        }
        stage ('Conan install') {
            steps {
                sh 'mkdir -p build/conan'
                rtConanRun (
                    clientId: CONAN_CLIENT,
                    command: "install . -if build/conan -pr:b=profiles/${BUILD_PROFILE}.jinja -pr:h=profiles/${params.PROFILE}.jinja --build -s build_type=${params.BUILD_TYPE}"
                )
            }
        }
        stage ('Conan upload') {
            steps {
                rtConanRun (
                    clientId: CONAN_CLIENT,
                    command: "upload '*' -r ${CONAN_REMOTE} --all --confirm --parallel"
                )
            }
        }
        stage ('Publish build info') {
            steps {                 
                rtPublishBuildInfo (                     
                     serverId: params.SERVER_ID                 
                )             
            }
        }
    }
}

      The issue is that my Artifactory instance uses a certificate that's not in the default Conan `cacert.pem` file meaning I have to manually add it by doing something like `cat cert.pem >> ~/.conan/cacert.pem`. now the custom Docker image I'm using already does this but for some reason when using the Jenkinsfile-Artifactory dsl it doesn't work, yet using just plain `sh` commands work

      stage('Build and upload dependencies') {
   steps {
       withCredentials([usernamePassword(credentialsId: 'artifactory-key', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
           sh 'conan user "$USERNAME" -r ${params.SERVER_ID} -p "$PASSWORD"'
       } 
       sh 'mkdir -p build/conan'
       sh "conan install . -if build/conan -pr:b=profiles/${BUILD_PROFILE}.jinja -pr:h=profiles/${params.PROFILE}.jinja --build -s build_type=${params.BUILD_TYPE}"
       sh "conan upload '*' -r ${params.SERVER_ID} --all --confirm --parallel"
   }
}

       

      The console output from using the plugin is

      [Conan] $ docker exec --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** db2688ca364f47fc67f153a215874ae6c8699def3f7af001c37850e761fa2419 sh -c "conan remote add example https://artifacts.example.com/artifactory/api/conan/conan-pkgs True "
Error occurred for request GET /artifactory/api/system/version HTTP/1.1: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Failed sending usage report to Artifactory: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
WARN: Remotes registry file missing, creating default one in /home/jenkins/workspace/Conan@tmp/artifactory/conan.tmp4868621642054372388/.conan/remotes.json
Adding conan user 'wbehrens', server 'example'
[Conan] $ docker exec --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** db2688ca364f47fc67f153a215874ae6c8699def3f7af001c37850e761fa2419 sh -c ********
ERROR: HTTPSConnectionPool(host='artifacts.example.com', port=443): Max retries exceeded with url: /artifactory/api/conan/conan-pkgs/v1/ping (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

            Assignee:
            Eyal Ben Moshe
            Reporter:
            William Behrens
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: