When adding a private GitLab instance in integration, validation fails with the error: Path does not chain with any of the trust anchors

Article ID: 385862


Products

VMware Aria Suite

Issue/Introduction

In some cases, a private GitLab instance with a valid certificate chain may fail validation when it is added to Aria Automation. The following error appears in the UI and in the cgs-service-app logs:

Failed to validate credentials error: I/O on HEAD request for https://<GitLabFQDN>.com PKIX path validation failed. java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors.

Environment

Aria Automation 8.x

Cause

The CGS service is unable to validate the full chain of trust.  

Running the following command on the Aria Automation appliance validates successfully:

openssl s_client -connect server.domain.com:443 -servername server.domain.com -verify_return_error </dev/null

Running the same command from within the Kubernetes pod that runs the cgs-service-app fails validation:

kubectl exec -n prelude cgs-service-app-<Your Pod ID> -- openssl s_client -connect server.domain.com:443 -servername server.domain.com -verify_return_error </dev/null
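The comparison above can be scripted so that the two verification results are read side by side. This is an added example, not part of the original article or VMware tooling; the function names and verdict labels are hypothetical, and the sample s_client output is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Compares the s_client
# verification result seen on the appliance with the one seen in the pod.

# Constructed sample outputs (abridged, not captured from a real system).
SAMPLE_APPLIANCE='CONNECTED(00000003)
    Verify return code: 0 (ok)'
SAMPLE_POD='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'

# Read s_client output on stdin and print its numeric verify return code.
# The last match wins because TLS 1.3 sessions can print the line repeatedly.
# Prints "none" when no code is found, or when the code is 0 but no peer
# certificate was received, so an empty handshake is never read as trusted.
verify_code() {
    out=$(cat)
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1)
    case "$code:$out" in
        :*|0:*"no peer certificate available"*) echo none ;;
        *) echo "$code" ;;
    esac
}

# $1 = code from the appliance, $2 = code from the pod.
classify() {
    if [ "$1" = none ] || [ "$2" = none ]; then echo no-handshake
    elif [ "$1" = 0 ] && [ "$2" = 0 ]; then echo trusted-in-both
    elif [ "$1" = 0 ]; then echo pod-truststore-gap   # the case in this article
    else echo untrusted-on-appliance
    fi
}

# Same commands as the article; $1 = GitLab FQDN, $2 = full pod name.
check_appliance() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -verify_return_error </dev/null 2>&1 | verify_code
}
check_pod() {
    kubectl exec -n prelude "$2" -- openssl s_client -connect "$1:443" \
        -servername "$1" -verify_return_error </dev/null 2>&1 | verify_code
}

if [ "$#" -eq 2 ]; then          # live: sh trustcheck.sh <GitLabFQDN> <pod>
    a=$(check_appliance "$1"); p=$(check_pod "$1" "$2")
else                             # offline: use the constructed samples
    a=$(printf '%s\n' "$SAMPLE_APPLIANCE" | verify_code)
    p=$(printf '%s\n' "$SAMPLE_POD" | verify_code)
fi
echo "appliance=$a pod=$p result=$(classify "$a" "$p")"
```

A result of pod-truststore-gap matches the cause described here: the chain validates on the appliance but not against the trust anchors available inside the pod.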

Resolution

To resolve this issue, add the integration endpoint using the API as it will bypass the certificate validation step.

  1. Obtain a bearer token for the API call.

  2. Using this bearer token for authentication, perform a POST to Aria Automation with the following header and body (in the body, change only the url and provide your GitLab private key):

https://<Automation-FQDN>/iaas/api/integrations?apiVersion=2021-07-15
{
    "integrationType": "com.gitlab.saas",
    "integrationProperties": {
        "url": "https://<GitLabFQDN>",
        "privateKey": "<GitLabPrivateKey>",
        "acceptSelfSignedCertificate": true
    },
    "customProperties": {
        "isExternal": "true"
    },
    "privateKey": "<GitLabPrivateKey>",
    "name": "gitlab-integration"
}

  3. Submit the request and verify that it succeeds and adds the integration in Aria Automation.