unable to find valid certification path to requested target
romanharen1 opened this issue · 4 comments
Hi Folks
Im getting this error when i try to log in my gerrit:
`Sep 17, 2020 4:50:05 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [] threw exception
org.scribe.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service.
at org.scribe.model.Request.send(Request.java:70)
at org.scribe.model.Request.send(Request.java:76)
at com.googlesource.gerrit.plugins.oauth.Office365OAuthService.getUserInfo(Office365OAuthService.java:84)
at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:100)
at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:108)
at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:73)
at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:117)
at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:68)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)
at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
at com.google.gerrit.httpd.WebAppInitializer.doFilter(WebAppInitializer.java:123)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1757)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1716)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.scribe.model.Response.<init>(Response.java:29)
at org.scribe.model.Request.doSend(Request.java:117)
at org.scribe.model.Request.send(Request.java:66)
... 33 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 46 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 52 more
`
It was working until today morning
Someone can help me?
We had the same issue.
As of limited resources we weren't able to further debug and instead decided to disable the plug in
Hello,
I have noticed the same problem, it started when I switched to using gerrit in a container rather than the regular service. I believe the container doesn't have access to the global truststore and since my auth service uses a self-signed SSL cert, the same error occurs when trying to authenticate.
@mhuin Have you resolve this error?
I resolved the issue by using a custom entrypoint script for the gerrit container:
`#!/bin/bash -e
The /dev/./urandom is not a typo. https://stackoverflow.com/questions/58991966/what-java-security-egd-option-is-for
JAVA_OPTIONS="-Djava.security.egd=file:/dev/./urandom"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStore=/var/gerrit/etc/keystore"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStorePassword=p4ssw0rd"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/var/gerrit/etc/truststore"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStorePassword=changeit"
configure_keystore () {
keytool -importkeystore -srckeystore /var/gerrit/etc/certificate.pkcs12
-srcstoretype PKCS12 -destkeystore /var/gerrit/etc/keystore
-srcstorepass p4ssw0rd -deststorepass p4ssw0rd
keytool -importcert -alias my-local-ca -file /var/gerrit/etc/localCA.crt \
-keystore /var/gerrit/etc/truststore -storepass changeit -noprompt
}
rm -f /var/gerrit/etc/trustore
rm -f /var/gerrit/etc/keystore
configure_keystore
if [ -f /var/gerrit/logs/.run_init ]; then
echo "Initializing Gerrit site ..."
java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war init -d /var/gerrit --batch --no-auto-start --skip-plugins
java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war reindex -d /var/gerrit
cp -f /var/gerrit-plugins/* /var/gerrit/plugins/
rm -f /var/gerrit/logs/.run_init
fi
echo "Running Gerrit ..."
exec java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war daemon -d /var/gerrit
`
You'll most likely have to adapt this to your own use case. This entrypoint assumes two files, localCA.crt and certificate.pkcs12, are accessible with the correct rights in the /var/gerrit/etc volume. This is how we generate them via ansible, again adapt this to your own setup:
`- name: create PKCS12 bundle for gerrit keystore
shell: |
cat /etc/pki/tls/certs/certificate.crt /etc/pki/tls/certs/ca-bundle.crt > /tmp/cert-chain.txt
openssl pkcs12 -export -inkey /etc/pki/tls/private/certificate.key -in /tmp/cert-chain.txt -out certificate.pkcs12 -passout pass:p4ssw0rd
rm -f /tmp/cert-chain.txt
- name: prepare localCA certificate for import in keystore if fqdn is updated or keystore does not exist
shell: |
openssl x509 -outform der -in /etc/pki/ca-trust/source/anchors/localCA.pem -out localCA.crt
`