how to configure cli trust store #277

Open
torstenstach opened this issue Nov 20, 2018 · 13 comments

@torstenstach

>jfrog rt ping --url=https://artprod.issh.de/artifactory
[Error] Get https://artprod.issh.de/artifactory/api/system/ping: x509: certificate signed by unknown authority
How to configure the jfrog-cli trust store?

  • Is there a way to disable the check?
  • Where is the trust store?
  • Can I add certificates to the trust store?
@eyalbe4
Contributor

eyalbe4 commented Nov 20, 2018

@torstenstach,
Here's how you add your self-signed certificates.
Disabling the use of SSL certificates is currently not supported, but we're considering adding it.
Let us know if this helps.

@torstenstach
Author

No, this does not help.
Under Windows, the CLI is unable to check the whole certificate chain.
WORKAROUND:
Install the sub-CA certificate also as a Trusted Root Certificate.

Can you fix this?


@eyalbe4
Contributor

eyalbe4 commented Nov 22, 2018

@torstenstach,
Are you using the latest JFrog CLI version? (currently the latest version is 1.22.0).
I'm asking because you may be affected by golang/go#18609.
The latest JFrog CLI release is built with Go 1.11, which should include this fix.

@torstenstach
Author

I have the same problem with version 1.22.0

@eyalbe4
Contributor

eyalbe4 commented Nov 22, 2018

@torstenstach,
Actually, we need to wait for this issue to be fixed - golang/go#16736
I'm not sure there's anything we can do before it is fixed by go...
We have tried to fix this in the past by adding https://github.com/jfrog/jfrog-client-go/blob/master/artifactory/auth/cert/sslutils_windows.go (runs for Windows only), but there's a chance this code is not perfect.
I see no other option but waiting for the above issue to be fixed.

@moeHaydar

I have the same problem. Any news about this?

@vdsbenoit

+1

@kenden

kenden commented Apr 16, 2020

About:
"is there a way to disable the check?"
The option --insecure-tls was added recently:
https://github.com/jfrog/jfrog-cli/blob/master/RELEASE.md#1351-mar-18-2020

@kenyon

kenyon commented Aug 3, 2023

This link from #277 (comment) is now broken and I'm really having a hard time finding the current location of documentation on using JFrog CLI with internal certificate authorities: https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-UsingSelf-signedSSLCertificates

@emveee

emveee commented Sep 7, 2023

This link from #277 (comment) is now broken and I'm really having a hard time finding the current location of documentation on using JFrog CLI with internal certificate authorities: https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-UsingSelf-signedSSLCertificates

https://web.archive.org/web/20191007071125/https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory

@larkoie

larkoie commented Feb 15, 2024

FYI, the issue still exists in jfrog cli 2.52.9 (latest at the time of my comment).
The bug golang/go#16736 looks fixed (closed as completed in November 2021).

Can somebody take a look at this now?
Thanks

@mathieugouin

I have version 2.71.0 of the cli.

I have exactly the same problem. To add more info, SSL works with curl -UseBasicParsing "https://artifactory.example.com/artifactory/api/system/ping" but not with jfrog rt ping.

I have installed my root CA certificate in my Docker image using:

  • Import-Certificate -FilePath C:\my_cert.crt -CertStoreLocation Cert:\LocalMachine\Root
  • manual copy to: ~/.jfrog/security. In my case it was: C:\Users\ContainerAdministrator\.jfrog\security

Any other clue?

@tjohnston-cd

tjohnston-cd commented Dec 2, 2024

I believe I am having the same issue with Windows CLI versions 2.51.0 and 2.72.2 (the latest)

My internal root and issuing CA certs are in the standard system store locations the same as shown here: #277 (comment)

Adding the certificates in the chain to the HOME\.jfrog\security path as described here does not seem to make a difference.

It does not seem to recognize --insecure-tls on the jf login command I use for my test.
edit: Ah, but it is available on jf rt upload so I can use it to work around my issue for now. Still not ideal.

Any suggestions @eyalbe4 or others? How can I confirm this is the issue I'm having?

More importantly - what's involved in fixing this? This ticket is 6 years old. Is the root cause still one of the referenced golang library threads?
