
unable to find valid certification path to requested target #145

Open
romanharen1 opened this issue Sep 17, 2020 · 4 comments

Comments


romanharen1 commented Sep 17, 2020

Hi Folks
I'm getting this error when I try to log in to my Gerrit:

```
Sep 17, 2020 4:50:05 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [] threw exception
org.scribe.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service.
	at org.scribe.model.Request.send(Request.java:70)
	at org.scribe.model.Request.send(Request.java:76)
	at com.googlesource.gerrit.plugins.oauth.Office365OAuthService.getUserInfo(Office365OAuthService.java:84)
	at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:100)
	at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:108)
	at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:73)
	at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:117)
	at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:68)
	at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)
	at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)
	at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
	at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
	at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
	at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
	at com.google.gerrit.httpd.WebAppInitializer.doFilter(WebAppInitializer.java:123)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1757)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1716)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
	at org.scribe.model.Response.<init>(Response.java:29)
	at org.scribe.model.Request.doSend(Request.java:117)
	at org.scribe.model.Request.send(Request.java:66)
	... 33 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
	... 46 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 52 more
```

It was working until this morning.

Can someone help me?

@eriko-de

We had the same issue.

Due to limited resources we weren't able to debug further and instead decided to disable the plugin.


mhuin commented Dec 13, 2021

Hello,
I have noticed the same problem, it started when I switched to using gerrit in a container rather than the regular service. I believe the container doesn't have access to the global truststore and since my auth service uses a self-signed SSL cert, the same error occurs when trying to authenticate.

@billsteve

@mhuin Have you resolved this error?


mhuin commented Feb 28, 2023

> @mhuin Have you resolved this error?

I resolved the issue by using a custom entrypoint script for the gerrit container:

```bash
#!/bin/bash -e

# The /dev/./urandom is not a typo. https://stackoverflow.com/questions/58991966/what-java-security-egd-option-is-for

JAVA_OPTIONS="-Djava.security.egd=file:/dev/./urandom"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStore=/var/gerrit/etc/keystore"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStorePassword=p4ssw0rd"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/var/gerrit/etc/truststore"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStorePassword=changeit"

configure_keystore () {
    # Convert the PKCS12 bundle (server key, cert and chain) into the JVM keystore.
    keytool -importkeystore -srckeystore /var/gerrit/etc/certificate.pkcs12 \
        -srcstoretype PKCS12 -destkeystore /var/gerrit/etc/keystore \
        -srcstorepass p4ssw0rd -deststorepass p4ssw0rd

    # Import the local CA so certificates issued by it pass PKIX path building.
    keytool -importcert -alias my-local-ca -file /var/gerrit/etc/localCA.crt \
        -keystore /var/gerrit/etc/truststore -storepass changeit -noprompt
}

# Recreate both stores on every start; otherwise the imports above fail on a
# restart because the alias already exists.
rm -f /var/gerrit/etc/truststore
rm -f /var/gerrit/etc/keystore
configure_keystore

if [ -f /var/gerrit/logs/.run_init ]; then
    echo "Initializing Gerrit site ..."
    java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war init -d /var/gerrit --batch --no-auto-start --skip-plugins
    java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war reindex -d /var/gerrit
    cp -f /var/gerrit-plugins/* /var/gerrit/plugins/
    rm -f /var/gerrit/logs/.run_init
fi

echo "Running Gerrit ..."
exec java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war daemon -d /var/gerrit
```

You'll most likely have to adapt this to your own use case. This entrypoint assumes two files, localCA.crt and certificate.pkcs12, are accessible with the correct rights in the /var/gerrit/etc volume. This is how we generate them via ansible, again adapt this to your own setup:

```yaml
- name: create PKCS12 bundle for gerrit keystore
  shell: |
    cat /etc/pki/tls/certs/certificate.crt /etc/pki/tls/certs/ca-bundle.crt > /tmp/cert-chain.txt
    openssl pkcs12 -export -inkey /etc/pki/tls/private/certificate.key -in /tmp/cert-chain.txt -out certificate.pkcs12 -passout pass:p4ssw0rd
    rm -f /tmp/cert-chain.txt

- name: prepare localCA certificate for import in keystore if fqdn is updated or keystore does not exist
  shell: |
    openssl x509 -outform der -in /etc/pki/ca-trust/source/anchors/localCA.pem -out localCA.crt
```
