Cloning with HTTPS/SSL-enabled authentication through JGit code, as explained in https://www.codeaffine.com/2014/12/09/jgit-authentication/, fails when I use Docker for the app.
The clone is successful when I use the war file locally (Ubuntu and Windows) with HTTPS authentication (SSL verify enabled) with username/password and even username/personal access token.
Strangely, this SSL issue happens only in the Docker setup. However, cloning is successful when I use SSH authentication. I am using a private GitHub repo to clone.
I have tried various Stack Overflow suggestions to use the keytool command to check cacerts.
There are various code suggestions to disable SSL verify, but I cannot afford to lose out on security.
The errors I get are:
```
org.eclipse.jgit.transport.TransportHttp.handleSslFailure(TransportHttp.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
caused by: javax.net.ssl.SSLHandshakeException unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
```
Can we code JGit to clone successfully with HTTPS (SSL verification enabled), using username/password credentials in a Docker setup?
If anybody has done this, please let me know.
While connecting to Vault (hosted on HTTPS) with Spring Boot, I am getting the below error.
```
org.springframework.vault.authentication.VaultLoginException: Cannot log in using
org.springframework.web.client.ResourceAccessException: I/O error on POST request
for "https://10.166.181.83:31975/v1/auth/cert/login":
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target; nested exception is
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
```
My pom.xml is
org.springframework.cloud
spring-cloud-starter-vault-config
While connecting to a localhost Vault server, which is on HTTP, everything works fine.
Could anyone please help me on this?
**bootstrap.properties is:**
```properties
spring.cloud.vault.scheme=https
spring.cloud.vault.kv.enabled=true
spring.cloud.vault.generic.enabled=true
spring.cloud.vault.generic.backend=configuration-server
spring.cloud.vault.generic.default-context=credentials
spring.cloud.vault.connection-timeout=5000
spring.cloud.vault.read-timeout=15000
spring.cloud.vault.config.order=-10
spring.cloud.vault.authentication=CERT
spring.cloud.vault.ssl.cert-auth-path=cert
spring.cloud.vault.ssl.trust-store-location=classpath:vault.jks
spring.cloud.vault.ssl.trust-store-password=ril#12345
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
spring.cloud.vault.uri=https://../../../
spring.cloud.vault.token=hvs.XXXXXXXX
```
It looks like you are connecting to HTTPS using an IP address in the URI. This results in an SSL error (since certificates are based on names and not IPs), so you can either add the certificate to the trusted list using keytool or add code to ignore certificate validation (depending on how you connect, this will vary; https://howtodoinjava.com/java/java-security/bypass-ssl-certificate-checking-java/ has some examples, one of which will probably fit).
I am running an application in Eclipse locally. It tries to connect to an external URL to fetch some data. This application works fine from browser, but when I try the same from Eclipse as localhost, I get the below error:
```
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
```
Many solutions have mentioned adding the URL certificate from the browser using keytool. This application shows "This site does not have a certificate." The application URL does not have a certificate.
In this case, how can I fix this issue without a certificate to install?
Regards,
R
It looks like you are running a Java-based application on a web server (e.g. Tomcat) with HTTPS enabled.
If you have not signed any self certificate, then the following link can help:
How to configure Tomcat to support SSL or https
Further, this link has discussed the matter in detail:
Stackoverflow Link
If I use JGit clone to clone a repository from a remote instance in Docker, I am getting this error:
```
org.eclipse.jgit.api.errors.TransportException: https://<repo url>: Secure connection to https://<repo url> could not be established because of SSL problems
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
So I am trying to bypass the SSL check as mentioned here: Turn SSL verification off for JGit clone command
As given in the above link, I am trying to use JGit fetch() instead of JGit clone:
```java
public void fetchRepository(Git git) throws GitAPIException {
    // No remote name is set, so the fetch targets JGit's default remote, "origin".
    FetchCommand fetchCommand =
        git.fetch()
            .setCredentialsProvider(
                new UsernamePasswordCredentialsProvider(
                    user, getSecretAuthTokenProvider(accountName)));
    fetchCommand.call();
}
```
but I am getting this exception:
```
org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: origin
Caused by: org.eclipse.jgit.errors.NoRemoteRepositoryException: origin: not found.
```
How should I clone the entire repository using JGit fetch?
How should I bypass the SSL certification check?
How should I resolve the SSL certification issue for Docker?
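For the Docker clone failures in the two JGit questions above, certificate validation can stay on if the missing issuing CA is added to the trust decision rather than bypassed. This is an added example, not code from the posts or from JGit; the class `ExtraCaTrust`, the method `contextWithExtraCa` and the PEM file argument are hypothetical, and it assumes the HTTP client in use takes the JVM-wide `SSLContext` and `HttpsURLConnection` defaults.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ExtraCaTrust {

    /** Builds an SSLContext that trusts the JVM's own CAs plus every certificate in caPemPath. */
    static SSLContext contextWithExtraCa(String caPemPath) throws Exception {
        // Start from the trust anchors this JVM already accepts (null = default trust store).
        TrustManagerFactory jvmDefault =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        jvmDefault.init((KeyStore) null);
        X509TrustManager jvmTm = (X509TrustManager) jvmDefault.getTrustManagers()[0];

        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // empty in-memory store; nothing is written to disk
        int n = 0;
        for (X509Certificate ca : jvmTm.getAcceptedIssuers()) {
            merged.setCertificateEntry("jvm-" + n++, ca);
        }
        // Add the issuer(s) the container's trust store is missing (file supplied by the caller).
        try (InputStream in = new FileInputStream(caPemPath)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                merged.setCertificateEntry("extra-" + n++, c);
            }
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(merged);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // real trust managers: validation stays on
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ExtraCaTrust <extra-ca.pem>");
            return;
        }
        SSLContext ctx = contextWithExtraCa(args[0]);
        // Install before the first HTTPS request so later connections pick it up.
        SSLContext.setDefault(ctx);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("JVM defaults now trust the built-in CAs plus " + args[0]);
    }
}
```

Hostname verification is untouched by this code, so a certificate issued for a different name is still rejected.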
I am using a WebLogic server which has keystores in use like:
Now when my application running on this server tries to download images from another server, it throws
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
I have added server certificates to both DemoTrust.jks and JDK CACERTS using this link:
After adding certificates, it looks like:
And java certs has
As suggested by different posts, I have also added to startWeblogic.cmd
```
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.verbose=true
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.enable.renegotiation=true
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dsun.security.ssl.allowUnsafeRenegotiation=true
```
Am I missing something? Any suggestions?
Edit 1: Adding exception stacktrace
```
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$1.run(JaSSLEngine.java:69)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:743)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.wrap(JaSSLEngine.java:67)
at weblogic.socket.JSSEFilterImpl.wrapAndWrite(JSSEFilterImpl.java:771)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:119)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:87)
at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:250)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:577)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:557)
at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:265)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:651)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:628)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:260)
at org.jsoup.helper.HttpConnection.get(HttpConnection.java:249)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:101)
at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:101)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:101)
at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)
at org.jboss.weld.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)
at sun.reflect.GeneratedMethodAccessor235.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:94)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy254.execute(Unknown Source)
at weblogic.ejb.container.internal.SessionLocalMethodInvoker.invoke(SessionLocalMethodInvoker.java:33)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:223)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:123)
... 44 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
at weblogic.security.SSL.jsseadapter.JaTrustManager.checkServerTrusted(JaTrustManager.java:128)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:999)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
... 52 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 60 more
```
Hello to whoever is still looking for an answer,
Hope this helps you.
I also had a similar issue in running my application in JDeveloper 12.2.1.4.0.
Let me explain my situation and solution.
My application in JDeveloper calls a REST API running on a remote server.
I downloaded the cert from the browser by loading the remote server URL. I uploaded it to the Demotrust.jks file in the Oracle middleware folder.
While running the application, I can see the remote server cert appearing in the JDev logs (after turning on SSL debugging), but the application was still facing the javax.net.ssl.SSLHandshakeException: General SSLEngine error while calling the remote server REST API. I verified that the certificate is not expired.
In the WebLogic admin console, I turned off the Use KSS demo flag (under Domain -> Security -> Advanced).
I have also set Hostname verification to None in SSL because it's a wildcard certificate (Servers -> DefaultServer -> SSL -> Advanced). Still getting the SSLEngine problem. I found one more thing that needs to be set correctly.
The remote server is running within the corp network.
I found that the proxy in JDeveloper preferences is set to automatic. I set it to None (of course the test connection will fail, and it's OK) and restarted the server. With all of this configuration in place, the application is able to connect to the REST API.
I have a JKS which I need for authentication to start making use of a SOAP webservice.
On my local machine (Windows) all is working fine. I add the following to my startup parameters for Tomcat in Eclipse:
```
-Dsun.security.ssl.allowUnsafeRenegotiation=true -Djavax.net.ssl.keyStore="path\to\keystore\keystore.jks" -Djavax.net.ssl.keyStorePassword=passwordC -Djavax.net.ssl.keyStoreType=jks
```
In production (Ubuntu) we have the following:
```
-Dsun.security.ssl.allowUnsafeRenegotiation=true -Djavax.net.ssl.keyStore=/path/to/keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyStoreType=jks"
```
I'm using Java 1.7.0.80 and Tomcat 7.0.61
When I want to connect with the SOAP webservice I get the following stack trace:
```
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://www.correosexpress.com/wsp/services/GrabacionEnvio: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1359)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1343)
at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
... 121 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
I checked the Java versions, tomcat versions.
I also checked if the path to the JKS is correct, which it is.
On my local machine, I did not install any other certificates manually, i.e. I don't have any entry in the cacerts which is related to the content in the JKS.
Check with Java keytool that your certificate is present in the certificates list.
Check that your java home and your JRE are the same. On Ubuntu it is possible to have java_home with one version of Java and the default JRE with another version (check with this command: update-alternatives --config java).
If you added the certificate to the correct version of Java and it's present in the certs list, check that you use the correct version of the certificate.
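The checks in the answer above (which Java runtime is really in use, and whether its trust store accepts the server's chain) can be run from inside the JVM, which also helps when comparing a host with a Docker container as in the first question. This is an added example, not code from the posts; the class name `TrustStoreCheck` and the optional chain-file argument are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    /** Trust manager the JVM uses when the application installs no SSLContext of its own. */
    static X509TrustManager jvmTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects javax.net.ssl.trustStore or the JRE's cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager in this JVM");
    }

    /** Reads all certificates from a PEM or DER file, in file order (leaf expected first). */
    static X509Certificate[] readChain(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in)
                    .toArray(new X509Certificate[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        // keyStore holds the client's own identity; trustStore decides which servers are trusted.
        for (String p : new String[] {"java.home", "java.version",
                "javax.net.ssl.trustStore", "javax.net.ssl.keyStore"}) {
            System.out.printf("%-26s = %s%n", p, System.getProperty(p, "(not set)"));
        }
        X509TrustManager tm = jvmTrustManager();
        System.out.println("trusted CA certificates    = " + tm.getAcceptedIssuers().length);

        X509Certificate[] chain = args.length == 1 ? readChain(args[0]) : new X509Certificate[0];
        if (chain.length == 0) {
            return; // no chain supplied (or empty file): report the environment only
        }
        System.out.println("leaf subject = " + chain[0].getSubjectX500Principal().getName());
        System.out.println("top issuer   = " + chain[chain.length - 1].getIssuerX500Principal().getName());
        try {
            // Path validation only; no hostname check happens without a socket.
            tm.checkServerTrusted(chain, "ECDHE_RSA");
            System.out.println("result: chain builds to a CA trusted by this JVM");
        } catch (CertificateException e) {
            System.out.println("result: NOT trusted -> " + e.getMessage());
        }
    }
}
```

Run it with the same `java` binary and `-D` options as the failing application; a PEM export of the server's certificate chain can be passed as the only argument.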