-
Type:
Improvement
-
Status: Open
-
Resolution: Unresolved
-
Affects Version/s: 5.9.3
-
Fix Version/s: None
-
Component/s: Docker Image
-
Labels:
Hi,
it seems that the Artifactory docker image has problems connecting to Xray when Let's Encrypt certifaces are used.
Both Artifactory and Xray are running in a Kubernetes cluster and are available at https URLs with valid Let's Encrypt certs.
When, in Xray, I set the Base URL to http://xray.mydomain the conenction to Artifactory works fine.
When I set the Base URL to https://xray.mydomain the connection fails with this error message in the Artifactory logs:
Failed to propagate event to xray server at 'https://xray.mydomain' : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
That's propably because of the java version used in the Artifactory docker image:
/docker-java-home/bin/java -version openjdk version "1.8.0_131"
I ran a small java test script in the container to verify this. The script just calls the xray https URL and throws this error:
/docker-java-home/bin/java TestSecuredConnection javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.secur ity.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection. java:185) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at TestSecuredConnection.testConnectionTo(TestSecuredConnection.java:30) at TestSecuredConnection.main(TestSecuredConnection.java:16) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunC ertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ... 12 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to re quested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 18 more
I don't see importing the missing CA certs into the keystore as an option.
Let's encrypt certs are not something exceptional anymore, but state of the art. I think that any software should support them by now.
See ticket #78832 for reference.
Best,
Frank