charts icon indicating copy to clipboard operation
charts copied to clipboard

Published 20 hours ago verified publisher icon jfrog

Conan keeps uploading to Artifactory port 80 instead of 443 when using HTTPS

Open sssilver opened this issue 3 years ago • 1 comments

Is this a request for help?: Yes

Version of Helm and Kubernetes: Helm: v3.7.2 K8S Client Version: 1.16, Platform: darwin/amd64 K8S Server Version: 1.20+, Platform: linux/amd64

Which chart: jfrog/artifactory-cpp-ce

What happened: I deploy jfrog/artifactory-cpp-ce with the following command:

  $ helm upgrade --install artifactory -f ./values-artifactory-cpp-ce.yaml --namespace artifactory --set postgresql.postgresqlPassword=<censored> jfrog/artifactory-cpp-ce

My ./values-artifactory-cpp-ce.yaml contents:

# ...

access:
  accessConfig:
    security:
      tls: true

artifactory:
  accessConfig:
    security:
      tls: true

Then I configure Artifactory, create the repository named conan, set permissions, and add it as a remote to my Conan (notice the https prefix in the URL):

  $ conan remote add myrepo https://artifactory.example.com/artifactory/api/conan/conan

When I finally try to upload a package to my repo, I get the following errors:

  $ conan upload "entt/3.9.0" -r myrepo --all -c
Uploading to remote 'myrepo':
Uploading entt/3.9.0 to remote 'myrepo'                                                  
Please log in to "myrepo" to perform this action. Execute "conan user" command.
Please enter a password for "myrepo-github" account: 
ERROR: 
Error uploading file: conan_export.tgz, 'HTTPSConnectionPool(host='artifactory.example.com', port=80): Max retries exceeded with url: /artifactory/api/conan/conan/v1/files/_/entt/3.9.0/_/0/export/conan_export.tgz (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)')))'
ERROR: 
Error uploading file: conanfile.py, 'HTTPSConnectionPool(host='artifactory.example.com', port=80): Max retries exceeded with url: /artifactory/api/conan/conan/v1/files/_/entt/3.9.0/_/0/export/conanfile.py (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)')))'
ERROR: 
Error uploading file: conanmanifest.txt, 'HTTPSConnectionPool(host='artifactory.example.com', port=80): Max retries exceeded with url: /artifactory/api/conan/conan/v1/files/_/entt/3.9.0/_/0/export/conanmanifest.txt (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)')))'
ERROR: entt/3.9.0: Upload recipe to 'myrepo' failed: Execute upload again to retry upload the failed files: conan_export.tgz, conanfile.py, conanmanifest.txt. [Remote: myrepo]

ERROR: Errors uploading some packages

Notice four things:

  1. For some reason HTTPSConnectionPool is attempting to connect to port 80 rather than 443
  2. If I add the remote through an http schema rather than https, everything works
  3. The dashboard works great via HTTPS in the browser
  4. I don't know if this is relevant, but the host is behind Cloudflare with strict SSL turned on

What you expected to happen: I expect uploading to my Artifactory remote via HTTPS to work successfully.

I've been banging my head against this for a few days. Is this a Conan issue? Is my Artifactory misconfigured? What am I missing? All guidance is appreciated.

sssilver avatar Jan 21 '22 06:01 sssilver

Hi @sssilver,

By setting "artifactory.access.accessConfig.security.tls=true", JFrog Router expected for HTTPS traffic in port 8082, While the Tomcat still expected for HTTP traffic in port 8081.

By default, The bundled Nginx with Artifactory helm chart is having a reverse proxy role matching path for /artifactory/ to forward all requests from this path directly to the Tomcat (Bypassing JFrog router)

Due to misconfiguration in the Artifactory chart, the artifactory.scheme become HTTPS when "artifactory.access.accessConfig.security.tls=true" and that impact the traffic to the router and to the tomcat.

You should manually configure the artifactoryConf in the Nginx to force HTTP to the tomcat instead of HTTPS. I prepared an example for that change here (The actual change I made is to replace "{{ include "artifactory.scheme" . }}" with "http" under this section.

Did you consider disabling the JFrog Access TLS enabled? If you handle the SSL termination before Nginx, you might have both JFrog Router and Tomcat listen to HTTP only and still have a secured connection to Artifactory.

Please let me know if you managed to resolve the issue according to my response.

gitta-jfrog avatar Feb 07 '22 18:02 gitta-jfrog