go-cd agent can't connect to server with custom ssl cert. "trustAnchors parameter must be non-empty"


alma...@thoughtworks.com

Apr 13, 2016, 4:37:37 PM
to go-cd

Hi! I'm setting up gocd to work with a custom x509 certificate for a beach project with a community partner, where@. We followed these instructions to use our wildcard cert on our go-server instance, and as a result, are able to successfully reach the server at https://go.whereat.io. BUT: now our go-agent can't complete the SSL handshake with the go-server. Previously (with the go-provided self-signed certs), initiating the go-agent and pointing to the go-server worked fine. We'd spin up the agent, and it would show up in the list of agents as described in the docs. Now (with the new cert), it doesn't show up in the docs, and we get the following error in the go-agent.logs:


2016-04-13 18:55:41,057 [loopThread] ERROR thoughtworks.go.agent.AgentController:192 - There has been a problem with one of Go's SSL certificates. This can be caused by a man-in-the-middle attack, or by pointing the agent to a new server, or by deleting and re-installing Go Server. Go will ask for a new certificate. If this fails to solve the problem, try deleting config/trust.jks in Go Agent's home directory. javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty


Our hypothesis is that the cause of the problem is that the go-agent can't find the CA certs (from Gandi, cross-signed by Comodo) that are signing our x509 certificate. But we can't figure out how to ensure that these certs get picked up by go-agent. We've tried checking to make sure that these certs are available in both /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts and /etc/ssl/certs. We also attempted to inspect /var/lib/go-agent/trust.jks (on the theory that it might be useful to try to add the CA certs directly there), but were unable to access it because we don't have the keystore password for trust.jks. Lastly, we also tried deleting trust.jks as prompted by the error message, and upgrading nss (as suggested in this thread) but all of these produced no results.


At this point we're a little hard pressed to figure out what to try next. Any suggestions?

Austin Guest

Apr 13, 2016, 5:26:02 PM
to go-cd
Hi everyone! I'm working with Alex, and we solved the problem!

The fix was to manually import our custom x509 certificate into the go-agent trust store (located at `var/lib/go-agent/config/trust.jks`), using straightforward keytool commands as documented here.

Hopefully this post helps someone else down the line! Is there any way we could contribute an update to go-cd's documentation based off our experience to help other people avoid similar problems in the future?

/a/
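The "trustAnchors parameter must be non-empty" message in the first post is the JVM reporting that the trust store it was handed contains no trusted certificate entries at all, which is why importing a certificate into `trust.jks` (as Austin describes) makes the handshake work. The script below is an added example, not code from this thread or from the GoCD project: it imports one or more PEM certificates (the server certificate, as Austin did, or the issuing CA chain the first post suspected was missing) into the agent trust store and then checks that the store is no longer empty. The trust store path defaults to the one named in the thread; the store password must be supplied in `TRUST_PASS` (the thread does not state it), and the `keytool -list` sample used when no JRE is present is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from GoCD). Assumptions:
#   TRUST_JKS  - agent trust store; default is the path Austin's post names
#   TRUST_PASS - store password, taken from the GoCD docs; not defaulted here
#   PEM files  - passed as arguments to import_trusted_certs (hypothetical names)
TRUST_JKS="${TRUST_JKS:-/var/lib/go-agent/config/trust.jks}"
TRUST_PASS="${TRUST_PASS:-}"

# Count trusted CA entries in `keytool -list` text read from stdin. A count of
# zero is exactly the state behind "the trustAnchors parameter must be non-empty":
# the JVM has no anchor to validate any server chain against.
count_trusted_entries() {
    n=$(grep -c 'trustedCertEntry' || true)
    echo "$n"
}

# Print the live store listing (needs keytool from the agent's JRE and TRUST_PASS).
list_truststore() {
    keytool -list -keystore "$TRUST_JKS" -storepass "$TRUST_PASS"
}

# Import each PEM file given as an argument as a trusted entry. When importing a
# chain, give the root first and then intermediates; each file gets its own
# alias (its base name) because keytool refuses duplicate aliases.
import_trusted_certs() {
    [ -n "$TRUST_PASS" ] || { echo "TRUST_PASS is not set" >&2; return 2; }
    for pem in "$@"; do
        alias=$(basename "$pem" .pem)
        keytool -importcert -noprompt -trustcacerts \
            -alias "$alias" -file "$pem" \
            -keystore "$TRUST_JKS" -storepass "$TRUST_PASS"
    done
}

# Constructed sample of `keytool -list` output (fingerprints are made up), used
# so the check below can run where no keytool or trust store is present.
SAMPLE_LIST_OUTPUT='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

comodo-root, Apr 13, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
gandi-intermediate, Apr 13, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Report whether the store would still trigger the agent error. Uses the live
# store when keytool, the store file and a password are available, otherwise
# the constructed sample. Returns 1 when no trusted entry exists.
report_truststore() {
    if command -v keytool >/dev/null 2>&1 && [ -f "$TRUST_JKS" ] && [ -n "$TRUST_PASS" ]; then
        src="$TRUST_JKS"
        n=$(list_truststore | count_trusted_entries)
    else
        src="constructed sample"
        n=$(printf '%s\n' "$SAMPLE_LIST_OUTPUT" | count_trusted_entries)
    fi
    if [ "$n" -eq 0 ]; then
        echo "$src: 0 trusted entries; agent would fail with 'trustAnchors parameter must be non-empty'"
        return 1
    fi
    echo "$src: $n trusted entries"
}

# Typical use: TRUST_PASS=... sh this.sh, after import_trusted_certs root.pem intermediate.pem
report_truststore
```

Run the import as the user that owns the agent's config directory, then restart the agent; a listing that shows the expected `trustedCertEntry` lines before the restart is the quickest way to confirm the fix took, without waiting for the agent to appear in the server's agent list.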

Edward Petersen

May 10, 2016, 4:31:32 PM
to go-cd
Could you be a little more explicit about how this was fixed? When I try to use the instructions in your link to add our cert to the trust.jks, I am prompted for a password (makes sense) that I do not know. And I tried the one from these instructions, since they helped me get our cert into the keystore on the server.

-Ed

Ketan Padegaonkar

May 10, 2016, 6:37:44 PM
to go-cd

Have you seen the instructions at https://docs.go.cd/current/installation/ssl_tls_config.html?


--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ketan Padegaonkar

May 10, 2016, 6:45:05 PM
to go-cd

Edward Petersen

May 11, 2016, 11:08:27 AM
to go...@googlegroups.com
I had not. In fact the last time I looked at the online documentation (which was only a few days ago), that sub-section didn't even exist under CONFIGURING SSL/TLS. The password was the real thing missing from all the random forum answers....

thanks,
Ed


Ketan Padegaonkar

May 11, 2016, 11:33:21 AM
to go...@googlegroups.com
I'd split that page into multiple pages to organize the information better, it was all there in one page, just really hard to find :)

I'm glad you're all set.

Edward Petersen

May 11, 2016, 11:46:59 AM
to go...@googlegroups.com
Well.........

My agent is showing up on the server, so that is good. But I need a little more information as to why my configuration works.

I edited the /etc/default/go-agent file assuming I needed to point the agent at the server fqdn and (SSL) port 8154. But that didn't work. Oddly, I'd start the agent and literally nothing would happen. I was tailing the log and nothing was written to it. So I changed the port back to 8153, still nothing. Then I used the IP address of my server instead of the fqdn and, bam, it worked. Suddenly the log tail comes alive. The agent appears in my server GUI. I changed it to the SSL port using the IP address just because it was the combo I hadn't tried, and nothing again.

If I am using SSL, and the box is reachable (ping works) using the fqdn, why isn't that the correct configuration?