https://infracost.io logo
#help
Title
# help
p

powerful-author-61934

07/14/2023, 12:29 PM
Hey everyone, I am trying to run Infracost using Jenkins but I am facing
x509: certificate signed by unknown authority method POST url <https://pricing.api.infracost.io/graphql|https://pricing.api.infracost.io/graphql>
error. Is anyone have any idea about this?
l

little-author-61621

07/14/2023, 12:30 PM
Hi @powerful-author-61934. Does your Jenkins have an http proxy enabled?
p

powerful-author-61934

07/14/2023, 12:39 PM
Hi @little-author-61621, sorry but I don't have the idea of setting proxy for Infracost in Jenkins. Can you please guide a little bit more on the same. Thanks
l

little-author-61621

07/14/2023, 12:43 PM
Hi @powerful-author-61934, I’ve seen this error before when someone has their CI/CD integration configured with
http_proxy
or
https_proxy
environment variables, so I was wondering if your Jenkins installation has anything like this. One option to test this is to set the following env variable in your pipeline:
Copy code
no_proxy=<http://pricing.api.infracost.io|pricing.api.infracost.io>
p

powerful-author-61934

07/14/2023, 12:46 PM
I have tried with this also, but still getting the same error
l

little-author-61621

07/14/2023, 12:48 PM
Does running this in the pipeline work:
Copy code
curl -i <https://pricing.api.infracost.io/health> -H "X-Api-Key: API_KEY"
Where
API_KEY
is your api key
p

powerful-author-61934

07/14/2023, 12:49 PM
I have checked and found a raised issue on Infracost https://github.com/infracost/infracost/issues/1238 It is stated that this issue was resolved in v0.9.16
l

little-author-61621

07/14/2023, 12:50 PM
Ah okay, which version are you using?
p

powerful-author-61934

07/14/2023, 12:50 PM
Currently I am using v0.10.22
As HTML report issues is there in v0.10.24
l

little-author-61621

07/14/2023, 12:51 PM
Ok, that fix should be in v0.10.22
p

powerful-author-61934

07/14/2023, 12:52 PM
No i am using the same version bt still getting that issue
l

little-author-61621

07/14/2023, 12:52 PM
Does the
curl
command work for you?
p

powerful-author-61934

07/14/2023, 12:58 PM
No it is giving "SSL certificate problem: unable to get local issuer certificate" error
l

little-author-61621

07/14/2023, 12:59 PM
Does it work for other URLs like https://google.com?
p

powerful-author-61934

07/14/2023, 1:00 PM
No maybe curl is having certificate issue here
l

little-author-61621

07/14/2023, 1:01 PM
You could try curl with
--insecure
option to see.
p

powerful-author-61934

07/14/2023, 1:03 PM
Yes tried that, it is not giving any output and pipeline failed without stating any error with exit code 6
l

little-author-61621

07/14/2023, 1:04 PM
You could try this env variable
INFRACOST_TLS_INSECURE_SKIP_VERIFY=true
That will work the same as the curl
--insecure
flag.
p

powerful-author-61934

07/14/2023, 1:17 PM
I tried setting this env variable
INFRACOST_TLS_INSECURE_SKIP_VERIFY=true
But if I set this then infracost is showing INVALID API KEY. I tried switching this variable then I am getting the same error as above(x509)
l

little-author-61621

07/14/2023, 1:19 PM
What does
curl -vvv <https://pricing.api.infracost.io/>
show?
p

powerful-author-61934

07/14/2023, 1:25 PM
Same: SSL certificate problem: unable to get local issuer certificate Tried it with -insecure option as well
l

little-author-61621

07/14/2023, 1:25 PM
Okay, but did it give more logs… they might help in working out what the problem is.
p

powerful-author-61934

07/14/2023, 1:26 PM
Sure I will paste the complete log here
Hi @little-author-61621, I have tried the
curl -vvv <https://pricing.api.infracost.io/> --cacert cacert.pem -k
command, and after connecting to host pricing.api.infracost.io it is saying
* Connection #0 to host <http://pricing.api.infracost.io|pricing.api.infracost.io> left intact {"error": "Invalid API key"}
and ultimately throwing same x509 error
l

little-author-61621

07/17/2023, 9:12 AM
@powerful-author-61934 do you have the full logs from that command?
p

powerful-author-61934

07/17/2023, 9:23 AM
Copy code
+ curl -vvv <https://pricing.api.infracost.io/> --cacert cacert.pem -k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0*   Trying 52.95.251.237:443...
* Connected to <http://pricing.api.infracost.io|pricing.api.infracost.io> (52.95.251.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: cacert.pem
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
 
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [155 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3222 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.<http://api.infracost.io|api.infracost.io>
*  start date: Jul 15 09:25:06 2023 GMT
*  expire date: Jul 29 09:25:06 2023 GMT
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (<http://zscalerthree.net|zscalerthree.net>) (t) 
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
} [5 bytes data]
> GET / HTTP/1.1
> Host: <http://pricing.api.infracost.io|pricing.api.infracost.io>
> User-Agent: curl/7.74.0
> Accept: */*
> 
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Mon, 17 Jul 2023 07:38:01 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 27
< Connection: keep-alive
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< ETag: W/"1b-MUVDKc802GySH68qxmhhZ8AjuoI"
< 
{ [27 bytes data]
 
100    27  100    27    0     0      5      0  0:00:05  0:00:04  0:00:01     6
* Connection #0 to host <http://pricing.api.infracost.io|pricing.api.infracost.io> left intact
{"error":"Invalid API key"}
[Pipeline] sh
+ infracost breakdown --path=.
time="2023-07-17T07:38:02Z" level=info msg="Evaluating Terraform directory at ."
time="2023-07-17T07:38:02Z" level=info msg="Starting: Downloading Terraform modules"
time="2023-07-17T07:38:02Z" level=info msg="Starting: Evaluating Terraform directory"
time="2023-07-17T07:38:02Z" level=info msg="Starting: Retrieving cloud prices to calculate costs"
time="2023-07-17T07:38:09Z" level=error library=retryablehttp msg="request failed error Post \"<https://pricing.api.infracost.io/graphql>\": x509: certificate signed by unknown authority method POST url <https://pricing.api.infracost.io/graphql>"
 
time="2023-07-17T07:38:12Z" level=error library=retryablehttp msg="request failed error Post \"<https://pricing.api.infracost.io/event>\": x509: certificate signed by unknown authority method POST url <https://pricing.api.infracost.io/event>"
time="2023-07-17T07:38:12Z" level=error msg="Error reporting event: Error sending API request: Post \"<https://pricing.api.infracost.io/event>\": POST <https://pricing.api.infracost.io/event> giving up after 1 attempt(s): Post \"<https://pricing.api.infracost.io/event>\": x509: certificate signed by unknown authority"
 
Project: *****
 
Errors:
  Error sending API request:
    Post "<https://pricing.api.infracost.io/graphql>":
      POST <https://pricing.api.infracost.io/graphql> giving up after 1 attempt(s):
        Post "<https://pricing.api.infracost.io/graphql>":
          x509:
            certificate signed by unknown authority
 
 OVERALL TOTAL       $0.00
Hi @little-author-61621 this are the logs
l

little-author-61621

07/17/2023, 9:30 AM
Copy code
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (<http://zscalerthree.net|zscalerthree.net>) (t) 
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
Looks like this is a going through a proxy server on your end which it’s unable to get the certificate for. Do you have the Zscaler Intermediate Root CA certificate installed?
p

powerful-author-61934

07/17/2023, 9:36 AM
I have Zscaler service enabled currently but I dont have any knowledge about the Zscaler Intermediate Root CA certificate.
l

little-author-61621

07/17/2023, 9:54 AM
Okay, it’s not something I’ve used before but we do support passing a custom certificates using:
Copy code
export INFRACOST_TLS_CA_CERT_FILE=/path/to/ca.crt
Here’s some relevant docs I could find from the Zscaler website: https://help.zscaler.com/zia/adding-custom-certificate-application-specific-trust-store
p

powerful-author-61934

07/18/2023, 3:09 PM
Hi @little-author-61621, I have implement the integration. The issue was ZscalerRoot certificate. Thank you for your assistance. Glad to use Infracost.
l

little-author-61621

07/18/2023, 3:55 PM
Awesome! Thanks @powerful-author-61934 🙏
2 Views