CLA checker has ssl problems?
adriaanm opened this issue · 8 comments
2018-12-27 17:27:23,003 [ERROR] from spray.can.client.HttpClientConnection in application-akka.actor.default-dispatcher-6 - Aborting encrypted connection to www.lightbend.com/34.238.100.233:443 due to [SSLHandshakeException:General SSLEngine problem] -> [SSLHandshakeException:General SSLEngine problem] -> [ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] -> [SunCertPathBuilderException:unable to find valid certification path to requested target]
It happened when I upgraded that machine, so maybe the JVM was upgraded and cacerts were changed to no longer include what's needed to validate our own cert??
Looks like lightbend.com got a new cert around the time this started failing
Was this using a SAN on the old cert? That is, www.lightbend.com should validate from a modern JVM, but other SAN hostnames on the cert were dropped from the certificate.
I have no idea :-/ The error is
Aborting encrypted connection to www.lightbend.com/34.238.100.233:443 due to
[SSLHandshakeException:General SSLEngine problem]
-> [SSLHandshakeException:General SSLEngine problem]
-> [ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
-> [SunCertPathBuilderException:unable to find valid certification path to requested target]
(So, it looks like it's just using plain www.lightbend.com as the hostname.)
Interesting. So you needed to add the Comodo intermediate. @JustinPihony, did you upload or merge the comodo intermediate? If not, that would seem to be the change/difference. The CA vendor did not change between certs.
This has been handled at the server level, so it should work everywhere now. I'm unsure if your workaround will need to be removed or not @adriaanm
Can this be closed?
Yep