  1. Artifactory Binary Repository
  2. RTFACT-16361

Upgrade Java version in Docker images to support Let's Encrypt certificates

    Details

      Description

       

      Hi,

      it seems that the Artifactory docker image has problems connecting to Xray when Let's Encrypt certificates are used.

      Both Artifactory and Xray are running in a Kubernetes cluster and are available at https URLs with valid Let's Encrypt certs.

      When, in Xray, I set the Base URL to http://xray.mydomain the connection to Artifactory works fine.

      When I set the Base URL to https://xray.mydomain the connection fails with this error message in the Artifactory logs:

      Failed to propagate event to xray server at 'https://xray.mydomain' : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

       

      That's probably because of the java version used in the Artifactory docker image:

      /docker-java-home/bin/java -version
      openjdk version "1.8.0_131"

       

      I ran a small java test script in the container to verify this. The script just calls the xray https URL and throws this error:

      /docker-java-home/bin/java TestSecuredConnection
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
             at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
             at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
             at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
             at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
             at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
             at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
             at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
             at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
             at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
             at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
             at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
             at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
             at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
             at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
             at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
             at TestSecuredConnection.testConnectionTo(TestSecuredConnection.java:30)
             at TestSecuredConnection.main(TestSecuredConnection.java:16)
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
             at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
             at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
             at sun.security.validator.Validator.validate(Validator.java:260)
             at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
             at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
             at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
             at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
             ... 12 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
             at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
             at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
             at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
             at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
             ... 18 more

       

      I don't see importing the missing CA certs into the keystore as an option.
      Let's Encrypt certs are not something exceptional anymore, but state of the art. I think that any software should support them by now.

      See ticket #78832 for reference.

      Best,
      Frank

            People

            • Assignee:
              Unassigned
              Reporter:
              frank.mueller Frank Mueller