8

My company is new to Conan, Artifactory, and Jenkins, but we set up some test pipeline scripts a few months ago and utilized the Jenkins Artifactory plugin to publish some Conan packages to our Artifactory server. These scripts are now failing with an SSL certification failure.

We are using the following packages:

  • Jenkins v2.121
  • Jenkins Artifactory Plugin v2.16.1
  • Artifactory Pro v5.10.3
  • Conan v1.3.3

Our "package and publish" stage in our pipeline scripts looks similar to this when it comes to Artifactory configuration:

```groovy
stage('Package and Publish') {
    def artifactory_name = "MyCompanyArtifactory"
    def artifactory_repo = "conan-local"

    def server = Artifactory.server artifactory_name
    def client = Artifactory.newConanClient()
    def serverName = client.remote.add server: server, repo: artifactory_repo

    client.run(command: "export-pkg . ci-user/stable -s os=Linux -s arch=x86_64 -s build_type=Debug")
    client.run(command: "export-pkg . ci-user/stable -s os=Linux -s arch=x86_64 -s build_type=Release")
    String myCmd = "upload MyLib/* --all -r ${serverName} --confirm"
    def bInfo = client.run(command: myCmd)
    //server.publishBuildInfo bInfo
}
```

This code was working at one time, but I believe it stopped working when our IT department switched Artifactory over to HTTPS access. Now, Jenkins errors out when attempting to set the Conan user for our repo:

```
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Package and Publish)
[Pipeline] getArtifactoryServer
[Pipeline] initConanClient
[shared-mylib] $ sh -c 'conan config set log.trace_file=\"/home/builduser/jenkins/workspace/shared-mylib@tmp/conan.tmp261537390058591873/conan_log.log\" '
[Pipeline] conanAddRemote
[shared-mylib] $ sh -c "conan remote add b519966f-f612-4094-b3ea-453a017cf793 https://artifactory.mycompany.com/artifactory/api/conan/conan-local "
WARN: Remotes registry file missing, creating default one in /home/builduser/jenkins/workspace/shared-rtplib@tmp/conan.tmp261537390058591873/.conan/registry.txt
[Pipeline] conanAddUser
Adding conan user 'ci-user', server 'b519966f-f612-4094-b3ea-453a017cf793'
[shared-mylib] $ sh -c ********
ERROR: HTTPSConnectionPool(host='artifactory.mycompany.com', port=443): Max retries exceeded with url: /artifactory/api/conan/conan-local/v1/users/authenticate (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),))
```

This behavior is not limited to Jenkins access; it is also happening when regular users attempt to access the Artifactory Conan repo, but we can get around it by adding the remote repo with Verify_SSL as False (at the end of the following command):

```
conan remote add myco-conan-local https://artifactory.mycompany.com/artifactory/api/conan/conan-local False
```

I believe the Conan documentation indicates we have two options:

  • Disable the SSL verification via a conan remote command (above)
  • Append the server crt file to the cacert.pem file in the conan home directory.

Unfortunately I haven't been able to figure out how to accomplish either solution when it comes to the Jenkins pipeline script. So my questions:

  1. Is there a way to disable SSL verification with the client.remote.add command (or something similar) in the Jenkins pipeline script?
  2. Is there a way to include the necessary server certificate via the Jenkins pipeline script (so that it gets added to the workspace-specific conan home directory automatically)?

Option #1 is probably preferred for a simpler short-term solution, but I'd like to understand how Option #2 is accomplished as well.

Thanks for reading.

Chris S.

1 Answer

10

The command:

```
$ conan remote add <remote-name> <remote-url> False -f
```

forces the overwrite of the existing <remote-name>, setting verifyHttps=False.

Although the plugin DSL does not contain an interface to that argument, it allows executing arbitrary commands, so you could do something like:

```groovy
node {
    def server = Artifactory.server "artifactory"
    def client = Artifactory.newConanClient()
    def serverName = client.remote.add server: server, repo: "conan-local"

    stage("Setremotehttp"){
        String command = "remote add ${serverName} http://localhost:8081/artifactory/api/conan/conan-local False -f"
        client.run(command: command)
    }
    stage("Search"){
        String command = "search zlib -r=${serverName}"
        client.run(command: command)
    }
}
```

The URL of the remote is needed, which is a bit of duplication, but I have tested it and it works, so it can be used as a workaround.

drodri
  • Unfortunately this doesn't work for me. The `client.remote.add` line is performing both the `conan remote add` and `conan user` commands behind the scenes, and it's the `conan user` call that's failing. So the new `remote add ... False -f` command never gets executed. – Chris S. May 29 '18 at 11:49
  • 1
    Have you tried to skip the `client.remote.add` call and directly execute the "remote add" as I did in the `Setremotehttp` stage, then call `user -p -r=myremote` after that? – drodri May 30 '18 at 13:55
  • Yes, avoiding the `client.remote.add` line altogether and using `client.run` to manually issue the commands is successful. Conan is complaining about unverified HTTPS requests all over the place in the build log files, but I suppose that's understandable. And: this solution means we'll have to put Artifactory user credentials in Jenkinsfiles. The password is encrypted, but it's still not an ideal solution. Marking this question as answered, but I think I'll continue to pursue the certificate solution as well. That seems to be the preferred path. – Chris S. May 31 '18 at 12:12
  • It is the underlying "requests" library that is complaining about non-verified calls, not Conan; I am not sure if it can be disabled. And yes, definitely, the preferred solution should be to use HTTPS, not disable it, so please try the different alternatives for certificates (like https://docs.conan.io/en/latest/reference/config_files/client_certificates.html?highlight=certificate), and ask again if needed, here or in GitHub issues. – drodri Jun 02 '18 at 11:26
  • It worked for me – gorn Oct 27 '21 at 19:39
  • If you add the certificates to `~/.conan/cacert.pem` and it still doesn't work, you might have the wrong certificates. Also make sure that `conan` looks there and not in a different path that might have been specified with the `CONAN_USER_HOME` variable. Also, you might want to use `CONAN_CACERT_PATH` to point `conan` to the `cacert.pem` in a different directory. – Valentin Dumitru Jul 22 '22 at 08:09
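
The certificate route that the question and the last comments point to, as an added shell example that is not part of the thread: it appends an internal CA to a Conan `cacert.pem` exactly once, rejects a file that also carries a private key, and refuses to create the bundle itself. The function names and exit codes are hypothetical, and the bundle path is whatever Conan home the build actually uses.

```shell
#!/bin/sh
# Added example (not from the thread): append an internal CA to Conan's
# cacert.pem so the remote can keep TLS verification switched on.

# pem_certs FILE: print only the CERTIFICATE blocks of FILE, LF-normalised.
pem_certs() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----/ { keep = 1 }
        keep { print }
        /^-----END CERTIFICATE-----/ { keep = 0 }'
}

# flat: drop all whitespace so blocks compare regardless of wrapping.
flat() { tr -d ' \t\r\n'; }

# trust_ca BUNDLE CA_FILE
# returns 0 = appended, 1 = already trusted, 2 = CA_FILE rejected,
#         3 = BUNDLE missing
trust_ca() {
    bundle=$1
    ca=$2
    [ -r "$ca" ] || return 2
    # A private key stored next to the certificate must never be copied
    # into a trust bundle.
    if grep -q 'PRIVATE KEY-----' "$ca"; then return 2; fi
    certs=$(pem_certs "$ca")
    case $certs in
        *"-----END CERTIFICATE-----") ;;  # one or more complete blocks
        *) return 2 ;;
    esac
    # Creating the bundle here would leave it holding only this CA, so
    # insist on a bundle that already exists at the given path.
    [ -f "$bundle" ] || return 3
    have=$(flat < "$bundle")
    want=$(printf '%s' "$certs" | flat)
    case $have in
        *"$want"*) return 1 ;;            # idempotent across builds
    esac
    # A bundle without a final newline would fuse with the BEGIN line.
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    printf '%s\n' "$certs" >> "$bundle"
}
```

Exit code 3 means no bundle exists at the given path, which is also what a Conan home redirected by `CONAN_USER_HOME` looks like from the script's side.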