Hi! We are setting up gocd to work with a custom x509 certificate for a beach project with a community partner, where@. We followed these instructions to use our wildcard cert on our go-server instance, and as a result, are able to successfully reach the server at https://go.whereat.io. BUT: now our go-agent can't complete the SSL handshake with the go-server. Previously (with the go-provided self-signed certs), initiating the go-agent and pointing to the go-server worked fine. We'd spin up the agent, and it would show up in the list of agents as described in the docs. Now (with the new cert), it doesn't show up in the docs, and we get the following error in the go-agent.logs:

```
2016-04-13 18:55:41,057 [loopThread] ERROR thoughtworks.go.agent.AgentController:192 - There has been a problem with one of Go's SSL certificates. This can be caused by a man-in-the-middle attack, or by pointing the agent to a new server, or by deleting and re-installing Go Server. Go will ask for a new certificate. If this fails to solve the problem, try deleting config/trust.jks in Go Agent's home directory.
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
```
Our hypothesis is that the cause of the problem is that the go-agent can't find the CA certs (from Gandi, cross-signed by Comodo) that are signing our x509 certificate. But we can't figure out how to ensure that these certs get picked up by go-agent. We've tried checking to make sure that these certs are available in both /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts and /etc/ssl/certs. We also attempted to inspect /var/lib/go-agent/trust.jks (on the theory that it might be useful to try to add the CA certs directly there), but were unable to access it because we don't have the keystore password for trust.jks. Lastly, we also tried deleting trust.jks as prompted by the error message, and upgrading nss (as suggested in this thread) but all of these produced no results.
At this point we're a little hard pressed to figure out what to try next. Any suggestions?
Have you seen the instructions at https://docs.go.cd/current/installation/ssl_tls_config.html?
Sorry I meant this link https://docs.go.cd/current/installation/ssl_tls/custom_certificate.html
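Added example, not part of the thread or of GoCD's code: the JDK raises "the trustAnchors parameter must be non-empty" when the key store handed to PKIX validation holds no trusted certificate entries. The hypothetical class `TrustAnchorCheck` below reproduces the message with an empty in-memory store when run without arguments, or counts the trusted entries in a JKS file (assumed here to be something like the agent's trust.jks) passed as its first argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added example (hypothetical class name): inspects a JKS trust store and
// shows when the JDK refuses to build PKIX validation parameters from it.
public class TrustAnchorCheck {

    // Counts the entries the JDK treats as trust anchors (trusted certificate entries).
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                n++;
            }
        }
        return n;
    }

    // Returns null if PKIX parameters can be built, otherwise the JDK's error message.
    static String pkixError(KeyStore ks) throws Exception {
        try {
            new PKIXParameters(ks);
            return null;
        } catch (InvalidAlgorithmParameterException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (args.length == 0) {
            ks.load(null, null); // constructed case: empty in-memory store
        } else {
            // A null password skips the JKS integrity check, so certificate
            // entries can be listed without knowing the store password.
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, null);
            }
        }
        System.out.println("trusted certificate entries: " + countTrustAnchors(ks));
        String err = pkixError(ks);
        System.out.println(err == null ? "trust anchors present" : "PKIX error: " + err);
    }
}
```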