I am trying to create a project from a git url in the form of https://<local_ip>/myproject.git
However I am getting the following exception:
List remote refs failed: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
Since this is our local ip we are not using any ssl certificates or ssh encryption ? Any ideas why I am getting this error ? Is it possible to configure teamcity to ignore ssl checking ?
EDIT:
I try the url in my browser. After loging in to the server (which is hosted on a local gitstack instance) I get the following error:
Using the URLconf defined in app.urls, Django tried these URL patterns, in this order:
^registration/login/$
^gitstack/
^rest/
Related
I have a local environment with WebLogic 10.3.4 and and .ear app deployed on it. This app must communicate with external services via REST APIs. These external services are exposed in https and use wildcard certificates.
I receive the following exceptions when I try to connect to to one of these services.
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://dds-service.domain.com" General SSLEngine problem; nested exception is javax.net.ssl.SSLHandshakeException: General SSLEngine problem [...]
[...] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [...]
[...] Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So what I tried in first instance was to open the same url the app tries to connect to in my browser, download its wildcard certificate (.cer Base64 encoded) and with key tool import it into the jvm's trust store that WebLogic loads and looks up when trying to validate a cert. I am sure is the correct one because i imported other certificates that caused the same error and also because of this log
<Loading trusted certificates from the jks keystore file C:\WEBLOG~1\wls\JROCKI~1.1-3\jre\lib\security\cacerts.>
At this point, I suppose the problem is related to the way I import the wildcard certificate in WebLogic. I tried to look for different ways to do it but, like this one, require a .pfx file that is not currently available to me at the moment.
Do I need a .pfx to solve this or is there another way?
If someone will ever have the same problem, here is the solution i found: it appears that WLS 10.3.x has issues in trusting certificates wth keys longer than 128 bits, this is what caused the problem in first instance. That said, 2 actions solved my problem
-DUseSunHttpHandler=true added as a VM argument in the setDomainEnv script
Enable JSSE SSL via WLS adminn console (Environment > Servers > server name > Configuration > SSL > Advanced > check the JSSE SSL box)
Click Save, and restart WLS server.
Locally everything works!
However, after a deployment to my Kubernetes k3s cluster on raspberrypi, which is accessible via https domain the oauth2 code exchange for token feature doesn't work. I currently support authentication via Google and GitHub and both of them have this problem. Below are the logs:
GitHub login failure:
org.springframework.security.oauth2.core.OAuth2AuthenticationException:
[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Error while extracting response for type [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [application/json;charset=utf-8];
nested exception is org.springframework.http.converter.HttpMessageNotReadableException: An error occurred reading the OAuth 2.0 Access Token Response: tokenValue cannot be empty;
nested exception is java.lang.IllegalArgumentException: tokenValue cannot be empty
Google login failure:
org.springframework.security.oauth2.core.OAuth2AuthenticationException:
[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://www.googleapis.com/oauth2/v4/token": Invalid ECDH ServerKeyExchange signature;
nested exception is javax.net.ssl.SSLHandshakeException: Invalid ECDH ServerKeyExchange signature
What I've already tried:
I thought it might be a problem with sending https requests from within my Kubernetes cluster, but I connected to the running pod and curled https://google.com and it worked just fine.
Have any of you guys encountered such a problem?
#edit
I'm using Java 11
#edit2
There seems to be a problem with docker on my raaspberrypi. Curling https requests work fine, but using RestTemplate in Java doesn't work
#edit3
Found a related issue https://github.com/docker-library/tomcat/issues/182
Assuming you are using the exact same container/executable/libraries both locally and Kubernetes and based on the error messages that you shared, the most likely reason is different credentials and/or private keys between your local environment and your Kubernetes environment.
The errors look different for Github and Google though. The first error (GitHub) seems like you are sending an empty token.
The second error (Google) seems like you are sending an private key that doesn't match a certificate. Based on similar Java errors:
The Invalid ECDH ServerKeyExchange signature can indicate that a key
and a corresponding certificate don’t match and are causing the
handshake to fail. Verify the contents of each of the files you are
using for your configured certificate authorities, certificates and
keys. In particular, check that the key and certificate belong to the
same key pair.
Problem Solved and is not connected with spring or oauth configuration at all.
Adoptopenjdk Docker image for arm is broken. It prevents making https requests. Even the following example failed:
RestTemplate().getForEntity("https://google.com", String::class.java)
So the solution is to swap broken base image in my Dockerfile like this:
Previous:
FROM adoptopenjdk/openjdk11:armv7l-ubuntu-jdk-11.0.6_10-slim
Current:
FROM arm32v7/openjdk:11.0.3-slim
I have successfully builded and ran a code snippet to upload the document to google cloud storage using the Java API. While integration of Google Sql to our project we have introduced the keystore and truststore params. After the introduction of the store params the upload document API's are failing with Certification related errors.
Dec 26, 2017 4:00:46 PM com.google.api.client.http.HttpRequest execute
WARNING: exception thrown while executing request
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Caused by: com.google.cloud.storage.StorageException: Error getting
access token for service account:
If we remove the javax ssl params the code is working as expected, Is it because Cloud storage Api's are using the cloud sql ssl certificates to connect to the storage ? If it is the case is there a way to skip checking of certificates in cloud storage API ? Or What is the best way to solve this issue ?
Yes, we had a very similar complex problem and it turned out to be MacAfee Web gateway (MWG) proxy configuration causing this issue. We noticed a strange behavior of the SSL certificate validation where it works from one process and gives an error from another process. It worked from straight command line Java execution but gave an error when we ran the same code through a container. We imported all the certs from accounts.google.com and *.googleapsi.com. We were clue less on what to do.
It looks that MacAfee Web gateway (MWG) proxy white list configuration is based on the client process(exe or script) name. MWG has default configuration to white list all HTTPS URLs for Java.exe process but not for other process (exe) names such as container(odi.exe). Because of this setting in MacAfee Web gateway proxy the command line Java code worked successfully and the same code from container gave error. We also noticed that if there is a proxy issued SSL cert for the HTTPS URL then SSL cert validation worked.
I am trying to debug my SOAP requests going to a third party web service. My client side code (the code running on my local machine) was generated using wsimport. I am trying to configure Fiddler to intercept my outgoing SOAP requests but have had no luck. Here is what I have done so far:
WinINET LAN settings pointed to localhost (127.0.0.1:8888) with Fiddler running and capturing traffic. I have HTTPS requests being decrypted by Fiddler since my web service is using HTTPS. At this point my requests to the 3rd party URL do not appear at all. I receive a stack trace error telling me the web service cannot process request due to an internal error (this is why I am debugging my request - since it is third party I do not have access to the web service logs).
I then added the following code to my method that calls the web service:
System.setProperty("http.proxyHost", "127.0.0.1");
System.setProperty("https.proxyHost", "127.0.0.1");
System.setProperty("http.proxyPort", "8888");
System.setProperty("https.proxyPort", "8888");
When I execute my code with this included, I receive the following errors:
org.apache.jasper.JasperException: javax.xml.ws.WebServiceException: Failed to access the WSDL at: <wsdl_url>. It failed with:
Got sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target while opening stream from <wsdl_url>.
BUT in Fiddler I get an entry for the request that seems to not complete (sorry - new to Fiddler). The host is listed as "Tunnel to" and it is greyed out. In the Fiddler log I get this error:
!SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < An unknown error occurred while processing the certificate on pipe to (CN=<wsdl_base_url>, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).
To me, it seems that I have the configuration correct for Fiddler and my proxy, but I am missing something in Java. I can't help but feel that I am missing a critical step here, so any advice would be greatly appreciated. Thanks!
EDIT: Do I need to generate new Java code using wsimport with the -httpproxy option set?
You need to add Fiddler's root certificate to the Java Key Store. Java does not use the system's certificate store, so the fact that Fiddler puts itself there doesn't solve the problem for you.
Get Fiddler's certificate by clicking Export Root Certificate from inside Tools > Fiddler Options > HTTPS. Then import the cert: http://azure.microsoft.com/en-us/documentation/articles/java-add-certificate-ca-store/#to-add-a-certificate-to-the-cacerts-store
I want to get the content of a url with the https protocol. The problem is that when this code is executed from a tomcat server, I get a HandshakeException.
url = new URL("https://donneespubliques.meteofrance.fr/donnees_libres/Txt/Nivo/nivo.20140309.csv");
Scanner s = new Scanner(url.openStream());
I tried to look into other stackoverflow questions (How can I use different certificates on specific connections? or SSL Socket connection) and it seems I need to define a KeyStore.
I have no idea of how to do this.
The full error in the tomcat server is
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
What is the best way to acheve this?
The default java truststore ($JAVA_HOME/lib/security/cacerts) contains the CA cert for donneespubliques.meteofrance.fr. Most likely tomcat is using a different one.
You should be able to force it by updating the tomcat startup script to include the castore location. Something like this:
-Djavax.net.ssl.trustStore="C:\Program Files\Java\jre7\lib\security\cacerts"
-Djavax.net.ssl.trustStorePassword=changeit