"Peer's certificate issuer has been marked as not trusted by the user" in Openshift3

Question

If S2I - "Source-to-image" resource in Openshift3 tries to connect to a TLS Gitlab repository shows the following message: "Peer's certificate issuer has been marked as not trusted by the user".

How can I instruct Openshift3 which certificates authorities are able to use there? Is there any config/option to bypass this error?

The command entered was:

oc new-app tomcat~https://gitlab.xxx/test/test.git --name=test --strategy=docker

PhilipGough · Accepted Answer · 2018-07-11T11:38:01.447

12

For security reasons, you should add a trusted CA source secret to the BuildConfig. To answer your question, you can disable TLS verification by setting an environment variable GIT_SSL_NO_VERIFY to false in the BuildConfig. Checks the docs here for more info.

To pass this directly to the oc new-app command run oc new-app --build-env GIT_SSL_NO_VERIFY=false

edited Jul 11 '18 at 11:38

answered Jul 05 '17 at 12:01

PhilipGough

1,709
1
13
18

I read there's the environment variable GIT_SSL_NO_VERIFY. How can I set this in Openshift? – Carlos Alberto Jul 05 '17 at 13:43
You can set that as an environment variable in the buildconfig – PhilipGough Jul 05 '17 at 13:58
Could you help me providing some sample? I tried using the command "oc new-app". I also facing the question how to inform user/password of GIT account. – Carlos Alberto Jul 05 '17 at 14:05
if you run `oc get bc` whats the output from that? – PhilipGough Jul 05 '17 at 14:06
NAME TYPE FROM LATEST test Docker Git 3 – Carlos Alberto Jul 05 '17 at 14:12
Ok try `oc set env bc/test GIT_SSL_NO_VERIFY=false` and restart the build – PhilipGough Jul 05 '17 at 14:18
Yes, it has solved. But in this case I fixed it after receiving the error on "oc new-app". Is there any to instruct new-app at the same time? – Carlos Alberto Jul 05 '17 at 14:21
Untested, but I would try `oc new-app --build-env=[GIT_SSL_NO_VERIFY=false]` – PhilipGough Jul 05 '17 at 14:26
It did not work, see message: "error: invalid parameter assignment in "[GIT_SSL_NO_VERIFY=false]"" – Carlos Alberto Jul 05 '17 at 14:30
Ok try `oc new-app --build-env GIT_SSL_NO_VERIFY=false` – PhilipGough Jul 05 '17 at 14:35
2

That works, tks a lot! I also solve Git credentials issue creating a secret in Openshift and associating to the key "sourceSecret" in my BuildConfig. – Carlos Alberto Jul 05 '17 at 14:39

score 0 · Answer 2 · answered May 22 '18 at 14:48

Alternatively, I'd suggest just importing the root CA such that TLS validation works. Won't attempt to speak to all the reasons why this should be a must, but here's how you'd do it:

1) Grab the root certificate file.

If you're running an internal Gitlab instance, whoever set it up should be able to point you to the root CA they're using.

2) Create a new secret with the certificate file

#oc secrets new [secret name] ca.crt=[local .crt file]
oc secrets new tls-root-ca ca.crt=my-it-ca.crt

3) Attach your newly created secret to the build config

    #oc patch bc/[build config name] --patch '{ "spec": {"source": { "sourceSecret": { "name": "[secret name]" } } } }'
    oc patch bc/my-build --patch '{ "spec": {"source": { "sourceSecret": { "name": "tls-root-ca" } } } }'

In case you're not familiar with the patch command, this is just adding a "sourceSecret" block like this:

  source:
    git:
      uri: https://your.gitlab.org/your-app
    sourceSecret:
      name: tls-root-ca

See also the openshift guide on build input secrets

"Peer's certificate issuer has been marked as not trusted by the user" in Openshift3

2 Answers2

1) Grab the root certificate file.

2) Create a new secret with the certificate file

3) Attach your newly created secret to the build config