
We have a Jenkins build job that executes an Ant target that performs a git clone/pull (we are not using the Jenkins Git plugin).

<macrodef name="git">
        <attribute name="command" />
        <attribute name="dir" default="" />
        <element name="args" optional="true" />
        <sequential>
            <echo message="git @{command}" />
            <exec executable="git" dir="@{dir}">
                <arg value="@{command}" />
                <args/>
            </exec>
        </sequential>
</macrodef>
<macrodef name="git-clone-pull">
        <attribute name="repository" />
        <attribute name="dest" />
        <sequential>
            <git command="clone">
                <args>
                    <arg value="@{repository}" />
                    <arg value="@{dest}" />
                </args>
            </git>
            <git command="pull" dir="@{dest}" />
        </sequential>
</macrodef>

<target name="clone-pull-git-repository">
    <echo message="# Cloning '${git.repository}':" />
    <git-clone-pull 
    repository="https://${git.user}:${git.password}@${git.repository.url}/grsbrms/${git.repository}" 
    dest="${git.repository.dir}/${git.repository}" />
</target>

And we are seeing the following error after the recent Bitbucket migration.

[echo] git pull
[exec] fatal: unable to access 'https://TestUser:xyz@bitbucket.somecorp.com/scm/grs-brms-payroll-xom/': SSL certificate problem: unable to get local issuer certificate

We have tried importing the ssl cert from the website to the JVM:

keytool -import -alias SV12345 -keystore %JAVA_HOME%\jre\lib\security\cacerts -file C:\Temp\bitbucket.cer

And also added the certificate to the Jenkins startup script:

-Djavax.net.ssl.trustStore=%JENKINS_HOME%\.cacerts\cacerts
-Djavax.net.ssl.trustStorePassword=changeit

Is it possible to resolve this issue without having to turn off SSL validation for git system wide?

i.e. git config --system http.sslVerify false

Thank you

Tony C
  • I have also appended the SSL certificate to the "ca-bundle.crt" in "C:\Program Files\Git\mingw64\ssl\certs". And it also doesn't help. – Tony C Jul 05 '19 at 14:46
  • You should look [here](https://stackoverflow.com/questions/9072376/configure-git-to-accept-a-particular-self-signed-server-certificate-for-a-partic) and [here](https://confluence.atlassian.com/bitbucketserverkb/ssl-certificate-problem-unable-to-get-local-issuer-certificate-816521128.html). Your issue is related to the git executable and not to Java, so placing the certificate in Java's trust store will have no effect – guleryuz Jul 07 '19 at 13:44
  • Thanks for the response, guleryuz. As stated in my previous comment, I have already configured git to trust the certificate, appended the SSL certificate to "ca-bundle.crt", and set http.sslcainfo to this file, and it still doesn't resolve the issue. (i.e. http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt) – Tony C Jul 08 '19 at 13:58

0 Answers