Reputation: 85
How to avoid a Conan SSL user authentication error with Jenkins Artifactory plugin?
My company is new to Conan, Artifactory, and Jenkins, but we set up some test pipeline scripts a few months ago and utilized the Jenkins Artifactory plugin to publish some Conan packages to our Artifactory server. These scripts are now failing with an SSL certification failure.
We are using the following packages:
- Jenkins v2.121
- Jenkins Artifactory Plugin v2.16.1
- Artifactory Pro v5.10.3
- Conan v1.3.3
Our "package and publish" stage in our pipline scripts look similar to this when it comes to Artifactory configuration:
stage('Package and Publish') {
def artifactory_name = "MyCompanyArtifactory"
def artifactory_repo = "conan-local"
def server = Artifactory.server artifactory_name
def client = Artifactory.newConanClient()
def serverName = client.remote.add server: server, repo: artifactory_repo
client.run(command: "export-pkg . ci-user/stable -s os=Linux -s arch=x86_64 -s build_type=Debug")
client.run(command: "export-pkg . ci-user/stable -s os=Linux -s arch=x86_64 -s build_type=Release")
String myCmd = "upload MyLib/* --all -r ${serverName} --confirm"
def bInfo = client.run(command: myCmd)
//server.publishBuildInfo bInfo
}
This code was working at one time, but I believe it stopped working when our IT department switched Artifactory over to HTTPS access. Now, Jenkins errors out when attempting to set the Conan user for our repo:
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Package and Publish)
[Pipeline] getArtifactoryServer
[Pipeline] initConanClient
[shared-mylib] $ sh -c 'conan config set log.trace_file=\"/home/builduser/jenkins/workspace/shared-mylib@tmp/conan.tmp261537390058591873/conan_log.log\" '
[Pipeline] conanAddRemote
[shared-mylib] $ sh -c "conan remote add b519966f-f612-4094-b3ea-453a017cf793 https://artifactory.mycompany.com/artifactory/api/conan/conan-local "
WARN: Remotes registry file missing, creating default one in /home/builduser/jenkins/workspace/shared-rtplib@tmp/conan.tmp261537390058591873/.conan/registry.txt
[Pipeline] conanAddUser
Adding conan user 'ci-user', server 'b519966f-f612-4094-b3ea-453a017cf793'
[shared-mylib] $ sh -c ********
ERROR: HTTPSConnectionPool(host='artifactory.mycompany.com', port=443): Max retries exceeded with url: /artifactory/api/conan/conan-local/v1/users/authenticate (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),))
This behavior is not limited to Jenkins access; it is also happening when regular users attempt to access the Artifactory Conan repo, but we can get around it by adding the remote repo with Verify_SSL as False (at the end of the following command):
conan remote add myco-conan-local https://artifactory.mycompany.com/artifactory/api/conan/conan-local False
I believe the Conan documentation indicates we have two options:
- Disable the SSL verification via a
conan remotecommand (above) - Append the server crt file to the cacert.pem file in the conan home directory.
Unfortunately I haven't been able to figure out how to accomplish either solution when it comes to the Jenkins pipeline script. So my questions:
- Is there a way to disable SSL verification with the
client.remote.addcommand (or something similar) in the Jenkins pipeline script? - Is there a way to include the necessary server certificate via the Jenkins pipeline script (so that it gets added to the workspace-specific conan home directory automatically)?
Option #1 is probably preferred for a simpler short-term solution, but I'd like to understand how Option #2 is accomplished as well.
Thanks for reading.
Upvotes: 8
Views: 14359
Answers (1)
Reputation: 5972
The command:
$ conan remote add <remote-name> <remote-url> False -f
forces the overwrite of the existing <remote-name> setting verifyHttps=False
Although the plugin DSL does not contain interface to that argument, it allows to execute arbitrary commands, so you could do something like:
node {
def server = Artifactory.server "artifactory"
def client = Artifactory.newConanClient()
def serverName = client.remote.add server: server, repo: "conan-local"
stage("Setremotehttp"){
String command = "remote add ${serverName} http://localhost:8081/artifactory/api/conan/conan-local False -f"
client.run(command: command)
}
stage("Search"){
String command = "search zlib -r=${serverName}"
client.run(command: command)
}
}
The URL of the remote is needed, which is a bit of duplication, but I have tested and it works, so can be used as a workaround.
Upvotes: 10
Related Questions
- conan user against Jfrog Academy docker Artifactory-CE returns 404
- Jenkins and gradle artifactory integration -- authentication
- The authorization of the Artifactory in Jenkins does not work
- Passing Jenkins credentials to Artifactory without the Artifactory plugin
- Artifactory jfrog cli unable to authenticate
- Newer version Artifactory is having problems with Jenkins Artifactory plugin
- 'Not authorized' errors after switching from vanilla Maven to Jenkins Artifactory Plugin
- How can I resolve a 401 failure when deploying a Maven artifact from Jenkins to Artifactory using the Artifactory Plugin and the Credentials Plugin?
- "peer not authenticated " error in Artifactory plugin - Jenkins
- Why does M2 Release Plugin on Jenkins not authenticate to Artifactory?