Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-69216

Unable to add Conan remote when custom CA cert is used in docker

      I am currently using a containerized pipeline to build a set of Conan packages

       

      def CONAN_CLIENT = "jenkins"
      def CONAN_REMOTE = "example"
      def CONAN_REPO = "conan-pkgs"
      pipeline {
          agent {
              docker { image 'example.com/registry/ubuntu:focal' }
          } 
          
          parameters {         
             choice(             
                name: 'PROFILE',              
                choices: ['Ubuntu20.04_x64', 'Ubuntu20.04_x86', 'Android_arm' ],                 description: 'Conan host profile'             
              )         
              choice(             
                 name: 'BUILD_TYPE',             
                 choices: [ 'Debug', 'Release' ],             
                 description: 'The optimization level to build for'         
              )         
              string(             
                 name: 'SERVER_ID',             
                 trim: true,             
                 defaultValue: 'EXAMPLE_ARTIFACTORY',             
                 description: 'The artifactory instance to use'         
               )     
            }
          stages {
              stage ('Conan configuration') {
                  steps {                 
                     rtConanClient (                     
                         id: CONAN_CLIENT                 
                     )                 
                     // Obtain an Artifactory server instance, defined in Jenkins --> Manage Jenkins --> Configure System:                 
                     rtConanRemote (                     
                          name: CONAN_REMOTE,                     
                          serverId: params.SERVER_ID,                     
                          repo: CONAN_REPO,                     
                          clientId: CONAN_CLIENT                 
                     )             
                   }
              }
              stage ('Conan install') {
                  steps {
                      sh 'mkdir -p build/conan'
                      rtConanRun (
                          clientId: CONAN_CLIENT,
                          command: "install . -if build/conan -pr:b=profiles/${BUILD_PROFILE}.jinja -pr:h=profiles/${params.PROFILE}.jinja --build -s build_type=${params.BUILD_TYPE}"
                      )
                  }
              }
              stage ('Conan upload') {
                  steps {
                      rtConanRun (
                          clientId: CONAN_CLIENT,
                          command: "upload '*' -r ${CONAN_REMOTE} --all --confirm --parallel"
                      )
                  }
              }
              stage ('Publish build info') {
                  steps {                 
                      rtPublishBuildInfo (                     
                           serverId: params.SERVER_ID                 
                      )             
                  }
              }
          }
      }
      

      The issue is that my Artifactory instance uses a certificate that's not in the default Conan `cacert.pem` file meaning I have to manually add it by doing something like `cat cert.pem >> ~/.conan/cacert.pem`. now the custom Docker image I'm using already does this but for some reason when using the Jenkinsfile-Artifactory dsl it doesn't work, yet using just plain `sh` commands work

      stage('Build and upload dependencies') {
         steps {
             withCredentials([usernamePassword(credentialsId: 'artifactory-key', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
                 sh 'conan user "$USERNAME" -r ${params.SERVER_ID} -p "$PASSWORD"'
             } 
             sh 'mkdir -p build/conan'
             sh "conan install . -if build/conan -pr:b=profiles/${BUILD_PROFILE}.jinja -pr:h=profiles/${params.PROFILE}.jinja --build -s build_type=${params.BUILD_TYPE}"
             sh "conan upload '*' -r ${params.SERVER_ID} --all --confirm --parallel"
         }
      }
      

       

      The console output from using the plugin is

      [Conan] $ docker exec --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** db2688ca364f47fc67f153a215874ae6c8699def3f7af001c37850e761fa2419 sh -c "conan remote add example https://artifacts.example.com/artifactory/api/conan/conan-pkgs True "
      Error occurred for request GET /artifactory/api/system/version HTTP/1.1: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
      Failed sending usage report to Artifactory: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      WARN: Remotes registry file missing, creating default one in /home/jenkins/workspace/Conan@tmp/artifactory/conan.tmp4868621642054372388/.conan/remotes.json
      Adding conan user 'wbehrens', server 'example'
      [Conan] $ docker exec --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** db2688ca364f47fc67f153a215874ae6c8699def3f7af001c37850e761fa2419 sh -c ********
      ERROR: HTTPSConnectionPool(host='artifacts.example.com', port=443): Max retries exceeded with url: /artifactory/api/conan/conan-pkgs/v1/ping (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

          [JENKINS-69216] Unable to add Conan remote when custom CA cert is used in docker

          William Behrens created issue -
          William Behrens made changes -
          Description Original: I am currently using a containerized pipeline to build a set of Conan packages

          ```jenkinsfile


          def CONAN_CLIENT = "jenkins"
          def CONAN_REMOTE = "example"
          def CONAN_REPO = "conan-pkgs"


          pipeline {
              agent {
                  docker { image 'example.com/registry/ubuntu:focal' }
              } 
              
              parameters {
                  choice(
                      name: 'PROFILE', 
                      choices: [
                          'Ubuntu20.04_x64',
                          'Ubuntu20.04_x86',
                          'Android_arm'
                      ],
                      description: 'Conan host profile'    
                  )
                  choice(
                      name: 'BUILD_TYPE',
                      choices: [
                          'Debug',
                          'Release'
                      ],
                      description: 'The optimization level to build for'
                  )
                  string(
                      name: 'SERVER_ID',
                      trim: true,
                      defaultValue: 'EXAMPLE_ARTIFACTORY',
                      description: 'The artifactory instance to use'
                  )
              }

              stages {
                  stage ('Conan configuration') {
                      steps {
                          rtConanClient (
                              id: CONAN_CLIENT
                          )

                          // Obtain an Artifactory server instance, defined in Jenkins --> Manage Jenkins --> Configure System:
                          rtConanRemote (
                              name: CONAN_REMOTE,
                              serverId: params.SERVER_ID,
                              repo: CONAN_REPO,
                              clientId: CONAN_CLIENT
                          )
                      }
                  }

                  stage ('Conan install') {
                      steps {
                          sh 'mkdir -p build/conan'

                          rtConanRun (
                              clientId: CONAN_CLIENT,
                              command: "install . -if build/conan -pr:b=profiles/${BUILD_PROFILE}.jinja -pr:h=profiles/${params.PROFILE}.jinja --build -s build_type=${params.BUILD_TYPE}"
                          )
                      }
                  }

                  stage ('Conan upload') {
                      steps {
                          rtConanRun (
                              clientId: CONAN_CLIENT,
                              command: "upload '*' -r ${CONAN_REMOTE} --all --confirm --parallel"
                          )
                      }
                  }

                  stage ('Publish build info') {
                      steps {
                          rtPublishBuildInfo (
                              serverId: params.SERVER_ID
                          )
                      }
                  }
              }
          }

          ```

          The issue is that my Artifactory instance uses a certificate that's not in the default Conan `cacert.pem` file meaning I have to manually add it by doing something like `cat cert.pem >> ~/.conan/cacert.pem`. now the custom Docker image I'm using already does this but for some reason when using the Jenkinsfile-Artifactory dsl it doesn't work, yet using just plain `sh` commands work
          ```jenkinsfile
           stage('Build and upload dependencies') {
                      steps {
                          withCredentials([usernamePassword(credentialsId: 'artifactory-key', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
                              sh 'conan user "$USERNAME" -r ${params.SERVER_ID} -p "$PASSWORD"'
                          }
                          
                          sh 'mkdir -p build/conan'
                          
                          sh "conan install . -if build/conan -pr:b=profiles/${BUILD_PROFILE}.jinja -pr:h=profiles/${params.PROFILE}.jinja --build -s build_type=${params.BUILD_TYPE}"

                          sh "conan upload '*' -r ${params.SERVER_ID} --all --confirm --parallel"
                      }
                  }

          ```
          The console output from using the plugin is
          ```
          [Conan] $ docker exec --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** db2688ca364f47fc67f153a215874ae6c8699def3f7af001c37850e761fa2419 sh -c "conan remote add example https://artifacts.example.com/artifactory/api/conan/conan-pkgs True "
          Error occurred for request GET /artifactory/api/system/version HTTP/1.1: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
          Failed sending usage report to Artifactory: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          WARN: Remotes registry file missing, creating default one in /home/jenkins/workspace/Conan@tmp/artifactory/conan.tmp4868621642054372388/.conan/remotes.json
          Adding conan user 'wbehrens', server 'example'
          [Conan] $ docker exec --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** db2688ca364f47fc67f153a215874ae6c8699def3f7af001c37850e761fa2419 sh -c ********
          ERROR: HTTPSConnectionPool(host='artifacts.example.com', port=443): Max retries exceeded with url: /artifactory/api/conan/conan-pkgs/v1/ping (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
          ```
          New: I am currently using a containerized pipeline to build a set of Conan packages

           
          {code:java}
          def CONAN_CLIENT = "jenkins"
          def CONAN_REMOTE = "example"
          def CONAN_REPO = "conan-pkgs"
          pipeline {
              agent {
                  docker { image 'example.com/registry/ubuntu:focal' }
              } 
              
              parameters {        
                 choice(            
                    name: 'PROFILE',             
                    choices: ['Ubuntu20.04_x64', 'Ubuntu20.04_x86', 'Android_arm' ],             description: 'Conan host profile'            
                  )        
                  choice(            
                     name: 'BUILD_TYPE',            
                     choices: [ 'Debug', 'Release' ],            
                     description: 'The optimization level to build for'        
                  )        
                  string(            
                     name: 'SERVER_ID',            
                     trim: true,            
                     defaultValue: 'EXAMPLE_ARTIFACTORY',            
                     description: 'The artifactory instance to use'        
                   )    
                }
              stages {
                  stage ('Conan configuration') {
                      steps {                
                         rtConanClient (                    
                             id: CONAN_CLIENT                
                         )                
                         // Obtain an Artifactory server instance, defined in Jenkins --> Manage Jenkins --> Configure System:                
                         rtConanRemote (                    
                              name: CONAN_REMOTE,                    
                              serverId: params.SERVER_ID,                    
                              repo: CONAN_REPO,                    
                              clientId: CONAN_CLIENT                
                         )            
                       }
                  }
                  stage ('Conan install') {
                      steps {
                          sh 'mkdir -p build/conan'
                          rtConanRun (
                              clientId: CONAN_CLIENT,
                              command: "install . -if build/conan -pr:b=profiles/${BUILD_PROFILE}.jinja -pr:h=profiles/${params.PROFILE}.jinja --build -s build_type=${params.BUILD_TYPE}"
                          )
                      }
                  }
                  stage ('Conan upload') {
                      steps {
                          rtConanRun (
                              clientId: CONAN_CLIENT,
                              command: "upload '*' -r ${CONAN_REMOTE} --all --confirm --parallel"
                          )
                      }
                  }
                  stage ('Publish build info') {
                      steps {                
                          rtPublishBuildInfo (                    
                               serverId: params.SERVER_ID                
                          )            
                      }
                  }
              }
          }
          {code}
          The issue is that my Artifactory instance uses a certificate that's not in the default Conan `cacert.pem` file meaning I have to manually add it by doing something like `cat cert.pem >> ~/.conan/cacert.pem`. now the custom Docker image I'm using already does this but for some reason when using the Jenkinsfile-Artifactory dsl it doesn't work, yet using just plain `sh` commands work


          {code:java}
          stage('Build and upload dependencies') {
             steps {
                 withCredentials([usernamePassword(credentialsId: 'artifactory-key', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
                     sh 'conan user "$USERNAME" -r ${params.SERVER_ID} -p "$PASSWORD"'
                 }
                 sh 'mkdir -p build/conan'
                 sh "conan install . -if build/conan -pr:b=profiles/${BUILD_PROFILE}.jinja -pr:h=profiles/${params.PROFILE}.jinja --build -s build_type=${params.BUILD_TYPE}"
                 sh "conan upload '*' -r ${params.SERVER_ID} --all --confirm --parallel"
             }
          }
          {code}
           


          The console output from using the plugin is


          {code:java}
          [Conan] $ docker exec --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** db2688ca364f47fc67f153a215874ae6c8699def3f7af001c37850e761fa2419 sh -c "conan remote add example https://artifacts.example.com/artifactory/api/conan/conan-pkgs True "
          Error occurred for request GET /artifactory/api/system/version HTTP/1.1: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
          Failed sending usage report to Artifactory: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          WARN: Remotes registry file missing, creating default one in /home/jenkins/workspace/Conan@tmp/artifactory/conan.tmp4868621642054372388/.conan/remotes.json
          Adding conan user 'wbehrens', server 'example'
          [Conan] $ docker exec --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** --env ******** db2688ca364f47fc67f153a215874ae6c8699def3f7af001c37850e761fa2419 sh -c ********
          ERROR: HTTPSConnectionPool(host='artifacts.example.com', port=443): Max retries exceeded with url: /artifactory/api/conan/conan-pkgs/v1/ping (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))){code}

            eyalbe Eyal Ben Moshe
            williambehrens William Behrens
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: