If I use JGit clone to clone a repository from a remote Docker instance, I get this error:
org.eclipse.jgit.api.errors.TransportException: https://<repo url>: Secure connection to https://<repo url> could not be established because of SSL problems
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So I am trying to bypass the SSL check as mentioned here: Turn SSL verification off for JGit clone command
As given in the above link, I am trying to use JGit fetch() instead of JGit clone:
    public void fetchRepository(Git git) throws GitAPIException {
        // fetch() operates on an existing repository and needs the remote ("origin" by
        // default) to be configured already; a freshly initialised repository has no
        // remotes, which is what the "Invalid remote: origin" exception below reports.
        FetchCommand fetchCommand =
                git.fetch()
                        .setCredentialsProvider(
                                new UsernamePasswordCredentialsProvider(
                                        user, getSecretAuthTokenProvider(accountName)));
        fetchCommand.call();
    }
but I am getting this exception: 'org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: origin
Caused by: org.eclipse.jgit.errors.NoRemoteRepositoryException: origin: not found.'
How should I clone the entire repository using JGit fetch?
How should I bypass the SSL certificate check?
How should I resolve the SSL certificate issue for Docker?
While connecting to Vault (hosted on HTTPS) from Spring Boot I am getting the below error.
org.springframework.vault.authentication.VaultLoginException: Cannot log in using
org.springframework.web.client.ResourceAccessException: I/O error on POST request
for "https://10.166.181.83:31975/v1/auth/cert/login":
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target; nested exception is
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
My pom.xml has:
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
    </dependency>
While connecting to a localhost Vault server that is on HTTP, everything works fine.
Could anyone please help me on this?
**bootstrap.properties is:**
spring.cloud.vault.scheme=https
spring.cloud.vault.kv.enabled=true
spring.cloud.vault.generic.enabled=true
spring.cloud.vault.generic.backend=configuration-server
spring.cloud.vault.generic.default-context=credentials
spring.cloud.vault.connection-timeout=5000
spring.cloud.vault.read-timeout=15000
spring.cloud.vault.config.order=-10
spring.cloud.vault.authentication=CERT
spring.cloud.vault.ssl.cert-auth-path=cert
spring.cloud.vault.ssl.trust-store-location=classpath:vault.jks
spring.cloud.vault.ssl.trust-store-password=ril#12345
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
spring.cloud.vault.uri=https://../../../
spring.cloud.vault.token=hvs.XXXXXXXX
It looks like you are connecting to HTTPS using an IP address in the URI. This results in an SSL error (since certificates are based on names and not IPs), so you can either add the certificate to the trusted list using keytool or add code to ignore certificate validation (depending on how you connect, this will vary; https://howtodoinjava.com/java/java-security/bypass-ssl-certificate-checking-java/ has some examples, one of which will probably fit).
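To make the two checks behind this answer concrete, here is an added diagnostic (not code from the question or the answer) that reproduces offline what the handshake does: it validates the Vault server chain against the vault.jks truststore named in bootstrap.properties, and checks whether the host used in spring.cloud.vault.uri appears in the leaf certificate's Subject Alternative Names. The PEM file name and the truststore password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class VaultTlsCheck {
    // Server chain, leaf first, exported from Vault as PEM (file name is an assumption).
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        try (FileInputStream in = new FileInputStream(pemPath)) {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    // The PKIX check the handshake runs, against the truststore from bootstrap.properties.
    // false here corresponds to "unable to find valid certification path to requested target".
    static boolean chainTrusted(X509Certificate[] chain, String jksPath, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) { ts.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        // authType selects the key-usage check; match it to the leaf's key type.
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try { ((X509TrustManager) tm).checkServerTrusted(chain, authType); return true; }
            catch (CertificateException e) { return false; }
        }
        return false;
    }

    // Hostname verification: the host from spring.cloud.vault.uri must be a SAN of the leaf.
    // An IP in the URI needs an IP-address SAN (type 7); a DNS SAN (type 2) will not match it.
    static boolean hostInSan(X509Certificate leaf, String host) throws CertificateParsingException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = loadChain("vault-chain.pem");   // assumed export of the server chain
        System.out.println("trusted by vault.jks: " + chainTrusted(chain, "vault.jks", "changeit".toCharArray()));
        System.out.println("10.166.181.83 in SAN: " + hostInSan(chain[0], "10.166.181.83"));
    }
}
```

If the first check fails, the CA that issued the Vault certificate is missing from vault.jks; if only the second fails, the certificate has to be reissued with the IP as a SAN or the URI has to use a DNS name it covers.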
We have a REST API written in Spring Boot using 2-way SSL auth.
We would like to send a 401 HTTP status code when the user selects the wrong/expired client certificate.
When it happens I can see the exception:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The API starts normally and works fine. The exception occurs whenever the user tries to call my API selecting a wrong or invalid client certificate. In this case I would like to return 401 to the caller.
Spring Boot is configured with Tomcat and @EnableWebSecurity:
    http.x509().subjectPrincipalRegex("XXXXXX").userDetailsService(this.userDetailsService);
    ((RequiresChannelUrl) http.requiresChannel().anyRequest()).requiresSecure();
    ....
    http.exceptionHandling()
        .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));

    public TomcatConnectorCustomizer httpsConnectorCustomizer(....) {
        return (connector) -> {
            connector.setScheme("https");
            connector.setPort(port);
            Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
            protocol.setSSLEnabled(true);
            protocol.setSecure(true);
            protocol.setPort(port);
            // "optional": Tomcat asks for a client certificate but lets the handshake continue
            // without one; a certificate that is presented is still verified against the
            // truststore, so a wrong or expired one fails at the TLS layer.
            protocol.setClientAuth("optional");
            protocol.setKeystoreFile(...);
            protocol.setKeystorePass(...);
            protocol.setKeystoreType(...);
            protocol.setKeyAlias(...);
            protocol.setTruststoreFile(...);
            protocol.setTruststorePass(...);
            protocol.setTruststoreType(...);
        };
    }
Here is the stack trace:
DirectJDKLog.java:175 [] Handshake failed during wrap
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
....
....
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
The browser shows: ERR_BAD_SSL_CLIENT_AUTH_CERT
Is it possible to catch this exception in SpringBoot and send a specific HTTP status code?
It seems that the exception is deep down in java/tomcat and so far I was not able to catch it.
You won't be able to send an HTTP status code, because establishing the connection fails before you start talking HTTP.
See https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/ for an intro to SSL/TLS.
Cloning with HTTPS/SSL-enabled authentication fails through JGit code, as explained in https://www.codeaffine.com/2014/12/09/jgit-authentication/,
when I use Docker for the app.
Cloning is successful when I use the WAR file locally (Ubuntu and Windows) with HTTPS authentication (SSL verify enabled) with username/password and even username/personal access token.
Strangely, this SSL issue happens only in the Docker setup. However, cloning is successful when I use SSH authentication. I am using a private GitHub repo to clone.
I have tried various Stack Overflow suggestions to use the keytool command to check cacerts.
There are various code suggestions to disable SSL verify, but I cannot afford to lose out on security.
The errors I get are:
org.eclipse.jgit.transport.TransportHttp.handleSslFailure(TransportHttp.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
Can we code JGit to clone successfully with HTTPS (SSL verification enabled),
using username/password credentials in a Docker setup?
If anybody has done this, please let me know.
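As an added example that keeps SSL verification on (it is not code from this question, the first JGit question above, or the linked pages), this builds a truststore from the JDK's cacerts plus the private CA that issued the Git server's certificate, points the JVM at it, and then runs the init/remoteAdd/fetch sequence that the first question's fetch() attempt was missing, so the same code works inside the Docker image. The CA bundle path, repository URL, working directory, branch name and credentials are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import org.eclipse.jgit.api.Git;
import org.eclipse.jgit.transport.URIish;
import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;

public class TrustedJGitFetch {
    // Copies the JDK's default cacerts and adds the private CA (PEM) that issued the Git
    // server's certificate, so verification stays on. Paths and passwords are assumptions.
    static Path buildTrustStore(Path cacerts, Path caPem, Path out, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, "changeit".toCharArray());            // JDK default cacerts password
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (FileInputStream in = new FileInputStream(caPem.toFile())) {
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("private-ca-" + (n++), c);  // one entry per CA cert in the PEM
            }
        }
        try (FileOutputStream o = new FileOutputStream(out.toFile())) {
            ks.store(o, pw);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        Path trust = buildTrustStore(
                Path.of(System.getProperty("java.home"), "lib", "security", "cacerts"),
                Path.of("/etc/ssl/private-ca.pem"), Path.of("/tmp/jgit-truststore"), pw); // assumed paths
        // JGit's default transport is HttpURLConnection, which reads these JSSE properties when
        // the default SSLContext is first initialised, so set them before any TLS traffic.
        System.setProperty("javax.net.ssl.trustStore", trust.toString());
        System.setProperty("javax.net.ssl.trustStorePassword", new String(pw));
        // fetch() needs an existing remote: initialise the repository and add "origin" first,
        // which is what the "Invalid remote: origin" exception in the first question is about.
        try (Git git = Git.init().setDirectory(Path.of("/tmp/work").toFile()).call()) {
            git.remoteAdd().setName("origin")
               .setUri(new URIish("https://git.example.test/org/repo.git")).call();  // assumed URL
            git.fetch().setRemote("origin")
               .setCredentialsProvider(new UsernamePasswordCredentialsProvider("user", "token"))
               .call();
            git.checkout().setCreateBranch(true).setName("main").setStartPoint("origin/main").call(); // branch assumed
        }
    }
}
```

In a container the same effect can be had by baking the CA into the image's cacerts at build time; the point is that the fix lives in the trust anchors, not in http.sslVerify.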
I have generated Java classes using CXF wsdl2java. But I am not sure how to authenticate the request with a client certificate. I was able to generate client classes from the WSDL without any issue by using the below command:
    wsdl2java -ant -client -d D:\cxf-client D:\HelperActions.wsdl
In Google search I only find blogs or forums about user ID and password authentication. But I am not able to find how to authenticate the request with the JKS or .crt certificate.
I tried what it was mentioned in the below link
https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2014-07-java-soap-client-certificate-authentication
and also I tried implementing the certification mentioned in the below link
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/ClientNonSpring.java?revision=1406329&view=markup
But I am getting the following exception
javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'wsdl path'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I placed the certificate in the class path and tried both the ways mentioned in the above links, but all the effort didn't work well. I am not sure where I am going wrong.
Can anyone help me in sending the request with client certificate?
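An added example (not code from the question or the linked pages) of what the question asks for: a CXF client built from the wsdl2java classes that presents a client certificate from a JKS and verifies the server against a truststore, with the TLS settings applied on the HTTP conduit. The port interface name HelperActionsPortType, the endpoint URL, and the keystore files and passwords are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;

public class MutualTlsCxfClient {
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // TLS settings for the conduit: the client certificate and key (key managers) and the
    // CA that issued the server certificate (trust managers). Server verification stays on.
    static TLSClientParameters tlsParams(String clientJks, char[] clientPw, String trustJks, char[] trustPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(clientJks, clientPw), clientPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustJks, trustPw));
        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false);   // keep hostname verification enabled
        return tls;
    }

    public static void main(String[] args) throws Exception {
        // Port interface generated by wsdl2java from HelperActions.wsdl (class name assumed).
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(HelperActionsPortType.class);
        factory.setAddress("https://soap.example.test/HelperActions");   // endpoint URL assumed
        HelperActionsPortType port = factory.create(HelperActionsPortType.class);
        // The conduit only exists once the proxy is created, so TLS settings applied here cannot
        // help a PKIX failure while the WSDL is fetched over HTTPS during service construction;
        // build from the generated classes (as here) or from the local D:\HelperActions.wsdl copy.
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(
                tlsParams("client.jks", "changeit".toCharArray(), "truststore.jks", "changeit".toCharArray()));
        // Calls on port now run over mutual TLS: the server checks the client.jks certificate
        // and the client checks the server chain against truststore.jks.
    }
}
```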
I am unable to connect to my Compose MongoDB service from my deployed Bluemix app. It seems that it cannot find the necessary certificate. I had expected that it would pick that up directly from the environment variable VCAP_SERVICES.
I can run this fine from my local test environment because I imported the key into the appropriate keystore in Java.
If I look at their Node.js sample on Bluemix, they are actually passing the certificate during the connect. However, I cannot find this anywhere in the Java API.
I believe that I either need to add this cert to the VM on Bluemix (seems unlikely) or I need to pass it via the Java driver when I connect (can't see how).
Thoughts?
For the record, this is the exception I get:
com.mongodb.MongoTimeoutException: Timed out after 30000 ms while waiting for a server that matches
ReadPreferenceServerSelector{readPreference=primary}. Client view of
cluster state is {type=UNKNOWN, servers=[{address=bluemix-sandbox-dal-9-portal.7.dblayer.com:26123, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}, {address=bluemix-sandbox-dal-9-portal.6.dblayer.com:26123, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}]
com.mongodb.connection.BaseCluster.createTimeoutException(BaseCluster.java:377)
com.mongodb.connection.BaseCluster.selectServer(BaseCluster.java:104)
com.mongodb.binding.ClusterBinding$ClusterBindingConnectionSource.<init>(ClusterBinding.java:75)
com.mongodb.binding.ClusterBinding$ClusterBindingConnectionSource.<init>(ClusterBinding.java:71)
com.mongodb.binding.ClusterBinding.getReadConnectionSource(ClusterBinding.java:63)
com.mongodb.operation.OperationHelper.withConnection(OperationHelper.java:402)
com.mongodb.operation.FindOperation.execute(FindOperation.java:510)
com.mongodb.operation.FindOperation.execute(FindOperation.java:81)
com.mongodb.Mongo.execute(Mongo.java:836)
com.mongodb.Mongo$2.execute(Mongo.java:823)
com.mongodb.FindIterableImpl$FindOperationIterable.first(FindIterableImpl.java:216)
com.mongodb.FindIterableImpl.first(FindIterableImpl.java:156)
com.ibm.smarts.experiment.UserMgr.getUserDetails(UserMgr.java:146)
com.ibm.smarts.experiment.UserMgr.authenticateUser(UserMgr.java:123)
com.ibm.smarts.experiment.servlet.LoginServlet.doPost(LoginServlet.java:31)
javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
There are a few options documented here. For example:
Import the cert into a Java truststore file, pack the file into the Java application and specify its path via the JAVA_OPTS environment variable; the truststore file can be placed under the resource directory. This can be used for single applications:
By using the 'cf set-env' command:
    cf set-env <app> JAVA_OPTS '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore'
By using manifest.yml:
    ---
    applications:
    - name: java-app
      ...
      env:
        JAVA_OPTS: '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore'