Trusting a Self-Signed Certificate or a New CA
To trust a new certificate, you can do one of the following:
- Add the certificate to the application's KeyStore. For example, to make JFrog Artifactory trust a certificate, you can add it directly to the trusted KeyStore of the JVM on the host.
- Add the certificate to the $JFROG_HOME/<product>/var/etc/security/keys/trusted directory of every service that needs to trust it.
- If you are connecting to a database over SSL, place the SSL certificates under /etc/ssl/certs/ so that the Metadata service loads them at startup.
- For JFrog Xray, you will need to place the self-signed certificates under /etc/ssl/certs/ of each Xray instance.
For an HA setup, you need to add the certificate to every node's trusted directory or KeyStore; certificates are not propagated between HA nodes automatically.
Trusting a Self-Signed Certificate in Xray Instances/Nodes
When an Xray instance/node is configured to go through an SSL proxy that uses a self-signed certificate, you may encounter the following issue when performing tasks such as an online database sync:
2021-07-20T14:47:47.500Z [jfxr ] [ERROR] [c080f44e606d159 ] [samplers:91 ] [main ] Failed to read response from jxrayUrl. Error: Get "https://jxray.jfrog.io/api/v1/system/ping": x509: certificate signed by unknown authority
- To overcome this issue, import the proxy certificate into each Xray instance/pod by placing it under /etc/ssl/certs/ (the same path given above for Xray) on the Xray machine, container, or pod.
- Next, restart Xray.
This path is the default directory that Go applications (such as Xray) use when loading SSL certificates.
Downloading a Certificate
To download the certificate(s) presented by an SSL-secured server, use the following command, replacing the host and port with those of the server:
openssl s_client -connect <secure authentication server IP and port> -showcerts < /dev/null > server.crt
For example:
openssl s_client -connect cdn.redhat.com:443 -showcerts < /dev/null > server.crt
openssl s_client -connect the.ldap.server.net:636 -showcerts < /dev/null > server.crt
openssl s_client -connect github.com:443 -showcerts < /dev/null > server.crt
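As an added example (not from the JFrog documentation or product), the shell function below splits a saved s_client transcript into one PEM file per certificate, since the redirect above captures the whole handshake output together with the certificates. It runs on a constructed sample transcript with a hypothetical host and placeholder certificate bodies.

```shell
# Added example, not JFrog's own code. The transcript that
# "openssl s_client ... -showcerts < /dev/null > server.crt" writes holds
# handshake text as well as PEM blocks, so split it into one file per
# certificate before copying anything into a trusted directory or KeyStore.
# Usage: split_pem_chain <transcript-file> <output-dir>
# Prints the number of certificates written; fails if none were found.
split_pem_chain() {
    transcript="$1"
    outdir="$2"
    mkdir -p "$outdir"
    count=$(awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /^-----END CERTIFICATE-----$/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$transcript")
    echo "$count"
    [ "$count" -gt 0 ]
}

# Constructed stand-in for an s_client transcript (hypothetical host and
# proxy CA; the base64 bodies are placeholders, not real certificates).
SAMPLE_TRANSCRIPT=$(mktemp)
cat > "$SAMPLE_TRANSCRIPT" <<'EOF'
CONNECTED(00000003)
depth=1 O = Example Proxy CA
verify error:num=19:self-signed certificate in certificate chain
---
Certificate chain
 0 s:CN = jxray.example.test
   i:O = Example Proxy CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificateBodyNotARealCert==
-----END CERTIFICATE-----
 1 s:O = Example Proxy CA
   i:O = Example Proxy CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderProxyCaCertificateBodyNotARealCert==
-----END CERTIFICATE-----
---
DONE
EOF

# The last file is the top of the served chain (here the proxy CA); trusting
# that one rather than the leaf keeps working when the server's leaf is renewed.
OUTDIR=$(mktemp -d)
printf 'wrote %s certificate(s) to %s\n' "$(split_pem_chain "$SAMPLE_TRANSCRIPT" "$OUTDIR")" "$OUTDIR"
```

Check each extracted file with openssl x509 -noout -subject -issuer before placing it in a trusted directory, and copy only the CA certificate you actually intend to trust.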