Upstream connection issues
If there is an SSL error in the logs while connecting to the upstream Artifactory server (e.g. Dockerhub, RedHat CDN), enable the following debug logger. This logger will print entries when you perform the “Test Connection” on remote repository settings.
<logger name="org.artifactory.ui.rest.service.admin.configuration.repositories.util.RemoteRepositoryTestUrl">
    <level value="debug"/>
</logger>
Note: Please remove this logger configuration once the troubleshooting process is complete.
If this debug logger doesn’t help, add one of the following JVM debug options to the Artifactory system configuration file (system.yaml) to capture JVM-level logging.
-Djavax.net.debug=ssl,handshake
(or)
-Djavax.net.debug=all (This will print heavy logging, recommended for non-prod environment debugging)
Here is the sample configuration for your reference.
## ARTIFACTORY TEMPLATE
artifactory:
  #port: 8081

  ## Artifactory Tomcat connector customization on the Artifactory port
  tomcat:
    ## Artifactory connector settings
    ## Set up an HTTPS connector for artifactory.
    ## This opens a port in addition to the default HTTP connector.
    httpsConnector:
      ## Enable connector with SSL/TLS
      enabled: true
      ## Port to use for the HTTPS connector
      port: 8443
      ## Certificate file to use
      certificateFile: "$JFROG_HOME/artifactory/var/etc/artifactory/security/ssl/server.crt"
      ## Certificate key file to use.
      certificateKeyFile: "$JFROG_HOME/artifactory/var/etc/artifactory/security/ssl/server.key"
      ## Extra configuration for the HTTPS connector.
      ## For example extraConfig: "SSLProtocol='TLSv1+TLSv1.1+TLSv1.2'"
      #extraConfig: ""
If any of these parameters is misconfigured, Artifactory will not start or will generate exceptions. We need to check Tomcat’s Catalina logs and the $JFROG_HOME/artifactory/app/artifactory/tomcat/conf/server.xml file, which gets generated on every Artifactory startup, for further debugging.
Reverse proxy level SSL issues
In general, the SSL termination occurs at the reverse proxy layer if it is configured in front of Artifactory. Here are the sample configurations of two different third-party applications.
Apache:
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/yourdomain.com.crt
    SSLCertificateKeyFile /etc/httpd/yourdomain.com.key
    SSLProxyEngine on
    ……
</VirtualHost>
Nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate /etc/nginx/ssl/yourdomain.com.crt;
ssl_certificate_key /etc/nginx/ssl/yourdomain.com.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
We need to make sure these certificates and keys are present in the respective paths with the relevant permissions. In some cases we may have to remove or block certain SSL/TLS protocols based on organizational requirements.
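The two checks described above (certificate and key files present with suitable permissions, and unwanted protocols removed) can be scripted. This is an added example, not JFrog's or Nginx's own tooling: the function names are hypothetical, the certificate and key files are constructed placeholders in a temporary directory, and only simple one-line ssl_* directives are parsed.

```python
import os
import re
import stat
import tempfile

# TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996; SSLv2/SSLv3 earlier.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Map each simple 'ssl_* args;' directive to its argument list."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    return {name: args.split()
            for name, args in re.findall(r"\b(ssl_\w+)\s+([^;]+);", conf)}

def audit_nginx_tls(conf):
    """Return findings for protocol choice and certificate/key files."""
    d = parse_directives(conf)
    findings = [f"deprecated protocol enabled: {p}"
                for p in d.get("ssl_protocols", []) if p in DEPRECATED]
    for name in ("ssl_certificate", "ssl_certificate_key"):
        path = (d.get(name) or [None])[0]
        if path is None:
            findings.append(f"{name} not set")
        elif not os.path.isfile(path):
            findings.append(f"{name} missing: {path}")
        elif name.endswith("_key") and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"private key accessible by group/other: {path}")
    return findings

def demo():
    """Constructed sample: placeholder files and the page's ssl_protocols line."""
    tmp = tempfile.mkdtemp()
    crt = os.path.join(tmp, "yourdomain.com.crt")
    key = os.path.join(tmp, "yourdomain.com.key")
    for path in (crt, key):
        with open(path, "w") as f:
            f.write("placeholder, not real key material\n")
        os.chmod(path, 0o644)  # key deliberately too open
    conf = (f"ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n"
            f"ssl_certificate {crt};\nssl_certificate_key {key};\n")
    before = audit_nginx_tls(conf)
    os.chmod(key, 0o600)  # owner-only
    after = audit_nginx_tls(conf.replace("TLSv1 TLSv1.1 ", ""))
    return before, after

if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, findings)
```

The "before" run reports TLSv1, TLSv1.1 and the over-permissive key; the "after" run, with those protocols removed and the key set to owner-only, reports nothing.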
If there are any issues during startup or while the application is running, check the reverse proxy logs for more details. If the SSL certificates are about to expire, we need to get new certificates and replace them. In such cases, a restart of the reverse proxy is required. (There is no need to restart Artifactory, since we are not making any changes to it.)