SSL certificate

Comments

7 comments

  • Anandha Krishnan

    Hi Grummle,


    Can you try the following steps:


    1. stop go server
    2. move the keystore to an alternate name (keystore-with-wrong-hostname etc).
    3. set machine hostname to the same hostname that you want to use to access go from browsers (build.ourcompany.com)
    4. restart the go server
    5. hit the ssl port using browser and verify that the certificate offered is generated with the correct hostname.


    Please let us know if this does not work.


    Regards,
    Jake/JJ


    Go Dev team.
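
Step 5 of the procedure above can also be checked from a shell instead of a browser. The script below is an added example, not part of the original thread or of Go's own tooling; it assumes the `openssl` CLI is installed, and the function names and the machine hostname `buildbox.corp.example` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check which hostname a Go server certificate was generated for.
# Requires the openssl CLI (1.0.2 or newer for -checkhost).

# Live use: save the certificate offered on the server's SSL port.
fetch_server_cert() {            # $1 = host:port (e.g. host:8154), $2 = output PEM
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# True when the certificate (SAN, or CN when no SAN exists) covers the hostname.
cert_matches_host() {            # $1 = PEM file, $2 = hostname clients will use
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# True when subject equals issuer (self-issued), as with the certificate
# that triggered verify error 18 in the thread.
cert_is_self_signed() {          # $1 = PEM file
    local subject issuer
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Constructed sample: self-signed cert whose CN is the machine hostname,
# standing in for the auto-generated keystore certificate.
make_sample_cert() {             # $1 = CN, $2 = output PEM
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/OU=Constructed sample" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

report() {                       # $1 = PEM file, $2 = expected hostname
    local status=0
    if cert_matches_host "$1" "$2"; then echo "OK: certificate covers $2"
    else echo "MISMATCH: certificate does not cover $2"; status=1; fi
    if cert_is_self_signed "$1"; then
        echo "NOTE: self-signed; clients must trust this exact certificate"
    fi
    return $status
}

# Offline demo: machine hostname (hypothetical) differs from the public name.
demo_dir=$(mktemp -d)
make_sample_cert "buildbox.corp.example" "$demo_dir/cert.pem"
report "$demo_dir/cert.pem" "build.ourcompany.com" || true
rm -rf "$demo_dir"
```

Against a running server, call `fetch_server_cert` with the server's host and SSL port first, then pass the saved file to `report` together with the hostname browsers will use.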

  • Grummle

    I don't think that workaround is going to work. The machine is part of an AD Domain and our internal domain name is not the same as the domain we are using externally to access it. There is no way to dictate what cert it should use?

  • Anandha Krishnan

    We can suggest an alternate workaround, which involves some effort. You can get a temp box (laptop/VM) and set it up fresh with the hostname you need (don't add this box to the AD Domain). Get a copy of the Go server to start on this box. That way you have the keystore generate the correct certificate for you.


    You can then copy this keystore and use it on the real go server you need. Do remember to stop the Go server before you replace the keystore.

  • Mike O'Brien

    Yeah, this is a little ridiculous. There should be an easy way to set the cert on the go server. Any go server that is accessible to the web will have this problem. Can you suggest a simpler way to do this or perhaps add this capability to the next version?

  • Anandha Krishnan

    Hi Mike,


    We hear you, it is currently not configurable, but we'll add a card to our backlog to expose this as a configurable parameter. This will be made available in one of the future releases.


    If you feel generating the certificate on a different machine is too ugly, the other way you can fix the certificate for users is by ssl-terminating on the reverse proxy (the hostname of which you want to use as CN on the go-server's cert). This way you will also avoid ssl-termination burden on the go server side. Besides, since you'd in this case control the certificate that reverse proxy uses, you can choose all the certificate attributes accordingly.


    However, Mingle-Go integration uses oauth-2, hence can only work over ssl. For those requests, ssl-termination can not be done outside of Go. Which means you will have to access the go-server directly (bypassing the reverse proxy) to get to oauth related pages.


    Regards,
    Jake/JJ

  • Adam Johnson

    I would just like to clarify the answer that the hostname is not configurable.

    There's no way to apply a new certificate to Go's keystore, and change the "SSL Site URL" value in Go Admin? This would seem to be the primary use of such a feature.

  • Damien Laureaux

    Hi Jake,

    I also have an issue with the self-signed certificate of Go Server...

    - GO Server in a cloud Linux instance with Nginx as a reverse proxy

    - SSL certificate installed on Nginx (443) for the public access

    - Keystore created automatically by the Go Server (rpm)

    - 4x Mac Mini with Go Agent on the same cloud with a private network with the Go Server (port 8153/8154)

    I can access the GO server with the public IP and private IP from the Go Agent. I can register the Go Agents but I can't upload anything from Go agents...

    [WARN] The md5checksum property file was not found on the server. Hence, Go can not verify the integrity of the artifacts.

    On the GO Agent, I have this result with Curl:

    curl: (60) SSL certificate problem: Invalid certificate chain

    When I try to verify the local SSL certificate of Go Server with this command:

    openssl s_client -connect xxx.xxx.xxx.xxx:8154 | openssl x509 -text

    I have this result:

    depth=0 /CN=go.xxx.com/OU=Cruise server web server certificate
    verify error:num=18:self signed certificate
    verify return:1

    I have re-installed Go Server, tried another hostname (removed the keystore and reinstalled Go Agent after), tried to use a custom SSL certificate on the Keystore (found on your blog), etc... but it is impossible to have the right connection from Go Agents to the Go Server...

    Your documentation is not really clear about the process of authentication through the Server and Agents....

    Please, I need help :)

    Damien 
