3

Environment: Windows Server 2019

I am attempting to use the jfrog cli to integrate with an Artifactory server when I get this error:

jfrog rt config example-company --url=$ARTIFACTORY_URL --user=$ARTIFACTORY_USER --password=$ARTIFACTORY_PASS
[Info] Encrypting password...
[Error] Get https://artifactory.example.com/api/security/encryptedPassword: x509: certificate signed by unknown authority

Navigating to https://artifactory.example.com/api/security/encryptedPassword in a browser shows that the TLS certificate is valid; however, I get a different error:

{
  "errors" : [ {
    "status" : 404,
    "message" : "User not found: anonymous"
  } ]
}

Ping commands also return TLS errors:

jfrog rt ping --url=https://artifactory.example.com
[Error] Get https://artifactory.example.com/artifactory/api/system/ping: x509: certificate signed by unknown authority

Looking at the jfrog GitHub issues, others have reported similar issues:

https://github.com/jfrog/jfrog-cli/issues/277

I found a similar Stack Overflow question: Artifactory jfrog cli unable to authenticate, but it does not describe the procedure to debug and how the solution was found, so I do not know if it applies to my situation.

We are not using self-signed certificates. According to the Certificate Viewer in Google Chrome, the cert comes from Sectigo RSA Domain Validation Secure Server CA.

How can I get the jfrog cli to connect to the Artifactory server?

Amedee Van Gasse

2 Answers

2

The issue and the fix are the same as what's described on https://writeabout.net/2020/03/25/x509-certificate-signed-by-unknown-authority/

The issue is that Windows Server 2019 has fewer Root CAs installed than Windows 10 or Linux, and it can be fixed by installing the Root CA certificates on the Windows Server 2019. In your case, the Root CA certificate of Sectigo.
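The error text in the question is produced by Go's crypto/x509 verifier (the JFrog CLI is written in Go). The following Go program is an added illustration, not part of the answer above or of JFrog's code: it verifies one server chain twice, with the root present in the client's trust store and with it absent, and the second run fails with that error even though the server supplies its intermediate. All certificates and CA names are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed certificate: a CA when dns is empty, else a server cert; nil parent = self-signed.
func issue(cn string, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: dns, IsCA: len(dns) == 0, BasicConstraintsValid: true} // key usage omitted for brevity
	if parent == nil {
		parent, pkey = t, key
	}
	der, cerr := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, perr := x509.ParseCertificate(der)
	if cerr != nil || perr != nil {
		panic(fmt.Sprint(cerr, perr))
	}
	return cert, key
}

// verifyLeaf validates the same server chain against a trust store with or without the root.
func verifyLeaf(rootInstalled bool) error {
	root, rk := issue("Constructed Root CA", 1, nil, nil)
	inter, ik := issue("Constructed Issuing CA", 2, root, rk)
	leaf, _ := issue("artifactory.example.com", 3, inter, ik, "artifactory.example.com")
	roots, sent := x509.NewCertPool(), x509.NewCertPool()
	sent.AddCert(inter) // intermediates arrive from the server in the TLS handshake
	if rootInstalled {
		roots.AddCert(root) // roots come only from the client machine's store
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: "artifactory.example.com"})
	return err
}

func main() {
	fmt.Printf("root installed: %v\nroot missing:   %v\n", verifyLeaf(true), verifyLeaf(false))
}
```

The certificate and the server are identical in both runs; only the client's root pool differs, which is why the same URL can validate in a browser on one machine and fail in the CLI on another.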

1

I assume that you are using the Artifactory with self-signed certificates. You should add these certs in the JFrog CLI; kindly refer to this JFrog wiki for more insights. Place the certificates inside the security/certs directory, which is under JFrog CLI's home directory.

Muhammed Kashif
  • You assume wrong. The cert is purchased from our hosting company, and comes from Sectigo RSA Domain Validation Secure Server CA, according to the Certificate Viewer in Google Chrome. – Amedee Van Gasse Dec 18 '20 at 12:06