Jira causing error due to SSL requirement


12 replies to this topic

#1 jbarr

jbarr

    Advanced Member

  • Members
  • PipPipPip
  • 49 posts

Posted 16 January 2014 - 12:02 AM

Our swarm system will not start up because of SSL errors in the log:

Next exception 'Zend\Http\Client\Adapter\Exception\RuntimeException' with message 'Unable to enable crypto on TCP connection jira.XXXXXXX.com: make sure the "sslcapath" option points to a valid SSL certificate directory' in /opt/swarm/library/Zend/Http/Client/Adapter/Socket.php:299

#2 P4Geoff

P4Geoff

    Advanced Member

  • Members
  • PipPipPip
  • 217 posts

Posted 16 January 2014 - 07:02 PM

Jeff,

Does the remote jira server have a valid HTTPS certificate or is it self-signed?
E.g. if you visit the site directly, do you get a warning in your browser re: the certificate validity?

#3 jbarr

Posted 22 January 2014 - 08:07 PM

It's valid; we do not get a warning.

#4 jbarr

Posted 22 January 2014 - 09:28 PM

The first error is actually:  
2014-01-22T13:23:48-08:00 ERR (3): exception 'ErrorException' with message 'stream_socket_enable_crypto() [<a href='function.stream-socket-enable-crypto'>function.stream-socket-enable-crypto</a>]: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' in /opt/swarm/library/Zend/Http/Client/Adapter/Socket.php:276
 


#5 P4Geoff

Posted 27 January 2014 - 04:34 PM

Jeff,

Sorry for the slow reply.
Thanks much for the log error; that is most assistive.

I will dig into your issue and post a solution or at least status update later today.

#6 jbarr

Posted 27 January 2014 - 11:30 PM

I'm wondering if this error is causing us not to be able to use the strict enforcement in the triggers.  Currently, when we run a review, the changelist is referenced in the review, but the actual changes in files are not copied to the review changelist.  Therefore, when we unshelve the changes, to submit the CL, the review CL and the submitted CL do match and the trigger prevents submission.

Please can you get back to me on this.

#7 P4Geoff

Posted 27 January 2014 - 11:35 PM

Jeff,

The issue you are experiencing is caused by the openssl library throwing a bit of a fit when trying to talk to an HTTPS enabled server.
This can occur in a couple spots:
  • When Swarm calls the defined 'automated tests' url
  • When Swarm calls the defined 'automated deployment' url
  • When Swarm communicates with JIRA
Commonly, the ssl stuff 'just works' but unfortunately on some distributions (Ubuntu is somewhat notorious apparently) it can generate the error you are seeing.

In essence, the ssl library isn't confident where to locate the local (to the Swarm server) certificates folder to verify the remote peer is trustworthy.

I have a couple things you can try. The best option is to tell openssl where the certs are stored so it can go about its work. You'll need to add an entry similar to below to your <swarm-root>/data/config.php:
   'http_client_options' => array(
      'sslcapath' => '/etc/ssl/certs'
   )

Kindly verify /etc/ssl/certs exists on your system and appears to contain certs if taking this approach.

The other, unfortunately less secure, option is to tell openssl you don't want it to bother validating certificates. Though this is more surefire to fix the issue, do kindly be advised it leaves your system open to man-in-the-middle attacks. If you are on a trusted network link this may be an acceptable risk, but it would be highly unadvisable over an untrusted network.
To disable peer validation add the below to your <swarm-root>/data/config.php:

   'http_client_options' => array(
      'sslverifypeer' => false
   )


In either case please do let me know if this seems to sort your issue out.
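
The directory check suggested in the post above, as an added example that is not part of the original thread or of Swarm. It goes one step further than "appears to contain certs": OpenSSL finds CA certificates in a CA path by hash-named files such as `0a1b2c3d.0`, so a directory of plain PEM files does not work as `sslcapath`. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: is this directory usable as an OpenSSL CA path (Swarm's 'sslcapath')?
# OpenSSL looks CA certificates up by file name <8-hex subject hash>.<n>,
# so a directory of plain *.pem files is not enough.

# Print how many hash-named entries (e.g. 0a1b2c3d.0) directory $1 contains.
count_hashed_certs() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue   # skips an unmatched glob and broken symlinks
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Classify directory $1 as: missing | empty | unhashed | ok
capath_status() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    [ -n "$(ls -A "$dir" 2>/dev/null)" ] || { echo empty; return 0; }
    if [ "$(count_hashed_certs "$dir")" -eq 0 ]; then
        echo unhashed   # files are present but none has a hash-style name
    else
        echo ok
    fi
}

# End-to-end check: handshake with host $1 trusting only the CAs found in $2.
# "Verify return code: 0 (ok)" means the chain validated against that directory.
verify_host() {
    echo | openssl s_client -connect "$1:443" -servername "$1" -CApath "$2" 2>/dev/null |
        grep 'Verify return code'
}

# Default to the path suggested in the thread when no argument is given.
capath_status "${1:-/etc/ssl/certs}"
```

An `unhashed` result is normally fixed by rebuilding the hash links with `c_rehash` or the distribution's `update-ca-certificates`, after which `verify_host` can confirm the result against the Jira host.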

#8 P4Geoff

Posted 27 January 2014 - 11:42 PM

jbarr, on 27 January 2014 - 11:30 PM, said:

I'm wondering if this error is causing us not to be able to use the strict enforcement in the triggers.  Currently, when we run a review, the changelist is referenced in the review, but the actual changes in files are not copied to the review changelist.  Therefore, when we unshelve the changes, to submit the CL, the review CL and the submitted CL do match and the trigger prevents submission.

Please can you get back to me on this.

Jeff,

This sounds like a significant issue which I, or our support department, would very much like to help you with.
It also however sounds unrelated to the error you are experiencing with 'stream_socket_enable_crypto'.

There are a few issues which could lead to this behaviour; for the most part they would all relate to queueing and processing of queued shelf-commit events.

Things to check include:
- Do you have a cron job on the swarm system configured to start workers?
-- You can check by logging into swarm and then visiting http://<swarm-host>/queue/status; you should see that 3 workers are running and no tasks are waiting in the queue. If not, the cron job is missing or misconfigured.
- Are all of the swarm triggers configured on your p4d server (in particular the shelf-commit trigger)?
- Is curl or wget installed on your p4d server and on the path for the trigger script?
- Is the trigger token correctly set in the trigger script? You can view the expected token value in swarm by logging in as an admin and clicking help -> about. Compare the expected value to the value set under SWARM_TOKEN near the top of swarm-trigger.sh
- Is the swarm host set correctly in the trigger script? Review the value under SWARM_HOST near the top of swarm-trigger.sh on the p4d server

If all of those items look ok, it's worth verifying you don't have any strange log entries relating to the queue.
Log files to check include:
On the swarm server, <swarm-root>/data/log and /var/log/apache/*
On the perforce server, /var/log/system.log or wherever syslog is directed to

Please do let me know if that all makes sense and if you require further assistance on this issue.

If you'd like to contact our support department you could send in a copy of your logs and we can assist in more depth that way as well.
(I wouldn't advise posting your full log files to the forum)

#9 jbarr

Posted 27 January 2014 - 11:51 PM

I had already tried this and it did not work.

Quote

'http_client_options' => array(
  'sslverifypeer' => false
   )


#10 jbarr

Posted 27 January 2014 - 11:53 PM

Also, all of our settings are correct.  Is there a special setting to tell swarm that jira is using https?

#11 P4Geoff

Posted 27 January 2014 - 11:59 PM

jbarr, on 27 January 2014 - 11:51 PM, said:

I had already tried this and it did not work.

Can you kindly private message or email gnicol@perforce.com a copy of your <swarm-root>/data/config.php (feel free to blank out passwords)?

#12 P4Geoff

Posted 28 January 2014 - 12:00 AM

jbarr, on 27 January 2014 - 11:53 PM, said:

Also, all of our settings are correct.  Is there a special setting to tell swarm that jira is using https?

If you specify the jira host as something like:
        'host'      => 'https://jira.example.com'

Swarm will automatically recognize it is using HTTPS. This process appears to be working correctly. The difficulty is your openssl installation in PHP is unable to validate the HTTPS certificate in use (quite likely because it cannot locate the certs folder).

What version and distribution of linux are you running?

Thanks
-Geoff

#13 Suresh

Suresh

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 22 March 2016 - 11:52 AM

Is this fixed? We have the same problem with the JIRA and Swarm connection.

