XRAY: Configure JAS for Self-Signed Certificates in Xray Setup

Author: Jian Sun
Article number: 000006219
First published: 2024-10-29T07:11:16Z
Last modified: 2024-10-29
Version: 2

Introduction 

An SSL error is encountered in Xray when running a JAS scan. The error appears in xray-contextual-analysis.log and xray-exposures.log and indicates an inability to connect to Artifactory:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain


Root Cause

The root cause of this issue is that Xray fails to verify the self-signed certificate when accessing myartifactory.com:443. The absence of the CA certificate leads to the failure of the SSL connection, resulting in connectivity issues.



Resolution

Modify Xray Configuration
Reference the custom certificate by modifying the configuration and restarting Xray. First, save the certificates presented by Artifactory into Xray's trusted keys directory:
$ openssl s_client -connect myartifactory.com:443 -showcerts < /dev/null > /opt/jfrog/xray/var/etc/security/keys/trusted/myart.pem
Then edit system.yaml and point platformCertificatePath at that file:
$ vim /opt/jfrog/xray/var/etc/system.yaml
executionService:
  platformCertificatePath: "/opt/jfrog/xray/var/etc/security/keys/trusted/myart.pem"

Restart the K3s cluster.
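
The openssl command above trusts whatever certificates the endpoint presents at fetch time, so the resulting file is only as trustworthy as that one connection. The script below is an added example (not part of the original article or of JFrog's tooling): it keeps only the PEM blocks, prints each certificate's SHA-256 fingerprint for comparison with a value obtained out of band, and installs the file only if the endpoint then verifies against it. The function names and the .candidate suffix are assumptions.

```shell
#!/bin/sh
# Added example, not JFrog's code. Function names are hypothetical; the endpoint
# and target path passed on the command line are the ones used in this article.

# Keep only the PEM certificate blocks from `openssl s_client -showcerts` output.
extract_pem_blocks() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}'
}

# Print subject, issuer and SHA-256 fingerprint of every certificate in a bundle.
describe_bundle() {
  db_tmp=$(mktemp -d) || return 1
  awk -v d="$db_tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' "$1"
  for db_cert in "$db_tmp"/cert*.pem; do
    openssl x509 -in "$db_cert" -noout -subject -issuer -fingerprint -sha256
  done
  rm -rf "$db_tmp"
}

# Fetch, show for review, verify, then install.
# Usage: sh this-script.sh myartifactory.com:443 /path/to/trusted/myart.pem
main() {
  endpoint=$1; bundle=$2; candidate="$bundle.candidate"
  openssl s_client -connect "$endpoint" -servername "${endpoint%%:*}" -showcerts \
    </dev/null 2>/dev/null | extract_pem_blocks > "$candidate"
  [ -s "$candidate" ] || { echo "no certificates received from $endpoint" >&2; return 1; }

  describe_bundle "$candidate"
  printf 'Do these fingerprints match the ones from your CA administrator? [y/N] '
  read -r answer
  [ "$answer" = y ] || { rm -f "$candidate"; echo "aborted" >&2; return 1; }

  # Confirm the endpoint verifies with this file as the CA bundle before installing it.
  if openssl s_client -connect "$endpoint" -servername "${endpoint%%:*}" \
       -CAfile "$candidate" -verify_return_error </dev/null >/dev/null 2>&1; then
    mv "$candidate" "$bundle"
  else
    echo "endpoint does not verify against $candidate" >&2; return 1
  fi
}

# Only act when called with both arguments, so the functions can be sourced safely.
if [ "$#" -eq 2 ]; then main "$@"; fi
```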


References:
https://jfrog.com/help/r/jfrog-installation-setup-documentation/xray-system-yaml
https://jfrog.com/help/r/jfrog-installation-setup-documentation/configure-jas-for-self-signed-non-helm-installation