Delegate is unable to connect to the public endpoints with the default java trust store

A new delegate using the default Java trust store might fail with certificate errors while connecting to public endpoints. For example, a GitHub connector configured for the public GitHub endpoint might fail with the error below in the delegate log while validating the public certificate received from GitHub.

2022-10-25 16:48:32,364 [1.0.77221-000] 210 [task-exec-3] ERROR io.harness.utils.ScmGrpcClientUtils - Unable to connect to Git Provider, error while connecting to scm service [perpetualTaskId=Zj-b63MYQ9SfYGkj29tqNg]
io.grpc.StatusRuntimeException: UNKNOWN: Get "https://api.github.com/user/repos?page=1": x509: certificate signed by unknown authority

If you see the above error, or a similar one, in the delegate log while connecting to any public endpoint, check whether there is an SSL proxy between the delegate and the public endpoint. Such a proxy regenerates the server certificate and sends it back to the delegate, and the delegate process cannot validate that certificate unless your internal CA certificate chain is available in the default trust store. To check the details of the certificate that is being received from the public endpoint, run the command below inside the delegate.

openssl s_client -connect github.com:443 -proxy <proxy-hostname>:<port>

Note that the above command connects to GitHub, but it can be changed to any server as required. Also, replace <proxy-hostname> and <port> with the corresponding values.
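To read the result of that command quickly, the following helper (an added example, not part of the original article or of Harness tooling) extracts the issuer of the leaf certificate and OpenSSL's verify code from s_client output. The function names and the "Example Corp" sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: read `openssl s_client` output and report who issued the leaf
# certificate the delegate received, plus OpenSSL's verify result.
# Caveat: openssl verifies against its own CA bundle, not the JVM trust store.

# Constructed sample: abridged s_client output behind a TLS-inspecting proxy.
# The "Example Corp" names are made up for this example.
sample_intercepted() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = github.com
   i:O = Example Corp, CN = Example Corp Inspection CA
 1 s:O = Example Corp, CN = Example Corp Inspection CA
   i:O = Example Corp, CN = Example Corp Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Print the issuer DN of certificate 0 (the leaf) in the "Certificate chain" block.
leaf_issuer() {
  awk '/^ *0 s:/ { leaf = 1; next }
       leaf && /^ *i:/ { sub(/^ *i:/, ""); print; exit }'
}

# Print the numeric code from the last "Verify return code:" line.
verify_code() {
  awk '/Verify return code:/ { code = $4 } END { print code }'
}

# Return 0 if the chain verified; otherwise name the issuer and return 1.
check_chain() {
  out=$(cat)
  issuer=$(printf '%s\n' "$out" | leaf_issuer)
  code=$(printf '%s\n' "$out" | verify_code)
  if [ "$code" = "0" ]; then
    echo "verified: leaf issued by $issuer"
  else
    echo "untrusted (code $code): leaf issued by $issuer"
    return 1
  fi
}

# Live use inside the delegate (command from the article; stdin closed so it exits):
#   openssl s_client -connect github.com:443 -proxy <proxy-hostname>:<port> </dev/null 2>/dev/null | check_chain
sample_intercepted | check_chain || true
```

If the reported issuer is your organisation's inspection CA rather than a public CA, that CA chain is what the delegate trust store is missing.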

Once we confirm that the issue matches the one described above, you can follow this doc or this to update the Java trust store on the delegate with the required internal certificate chain.
