Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-16361

Upgrade Java version in Docker images to support Let's Encrypt certificates

    XMLWordPrintable

    Details

      Description

       

      Hi,

      it seems that the Artifactory docker image has problems connecting to Xray when Let's Encrypt certifaces are used.

      Both Artifactory and Xray are running in a Kubernetes cluster and are available at https URLs with valid Let's Encrypt certs.

      When, in Xray, I set the Base URL to http://xray.mydomain the conenction to Artifactory works fine.

      When I set the Base URL to https://xray.mydomain the connection fails with this error message in the Artifactory logs:

      Failed to propagate event to xray server at 'https://xray.mydomain' : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

       

      That's propably because of the java version used in the Artifactory docker image:

      /docker-java-home/bin/java -version openjdk version "1.8.0_131"

       

      I ran a small java test script in the container to verify this. The script just calls the xray https URL and throws this error:

      /docker-java-home/bin/java TestSecuredConnection
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.secur
ity.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
       at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
       at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
       at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
       at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
       at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.
java:185)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
       at TestSecuredConnection.testConnectionTo(TestSecuredConnection.java:30)
       at TestSecuredConnection.main(TestSecuredConnection.java:16)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunC
ertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
       at sun.security.validator.Validator.validate(Validator.java:260)
       at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
       at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
       ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to re
quested target
       at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
       ... 18 more

       

      I don't see importing the missing CA certs into the keystore as an option.
      Let's encrypt certs are not something exceptional anymore, but state of the art. I think that any software should support them by now.

      See ticket #78832 for reference.

      Best,
      Frank

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            frank.mueller Frank Mueller (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: