Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-16361

Upgrade Java version in Docker images to support Let's Encrypt certificates

          Details

            Description

             

            Hi,

            it seems that the Artifactory docker image has problems connecting to Xray when Let's Encrypt certifaces are used.

            Both Artifactory and Xray are running in a Kubernetes cluster and are available at https URLs with valid Let's Encrypt certs.

            When, in Xray, I set the Base URL to http://xray.mydomain the conenction to Artifactory works fine.

            When I set the Base URL to https://xray.mydomain the connection fails with this error message in the Artifactory logs:

            Failed to propagate event to xray server at 'https://xray.mydomain' : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

             

            That's propably because of the java version used in the Artifactory docker image:

            /docker-java-home/bin/java -version openjdk version "1.8.0_131"

             

            I ran a small java test script in the container to verify this. The script just calls the xray https URL and throws this error:

            /docker-java-home/bin/java TestSecuredConnection
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.secur
ity.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
       at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
       at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
       at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
       at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
       at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.
java:185)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
       at TestSecuredConnection.testConnectionTo(TestSecuredConnection.java:30)
       at TestSecuredConnection.main(TestSecuredConnection.java:16)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunC
ertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
       at sun.security.validator.Validator.validate(Validator.java:260)
       at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
       at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
       ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to re
quested target
       at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
       ... 18 more

             

            I don't see importing the missing CA certs into the keystore as an option.
            Let's encrypt certs are not something exceptional anymore, but state of the art. I think that any software should support them by now.

            See ticket #78832 for reference.

            Best,
            Frank

              Attachments

                Activity

                  People

                  • Assignee:
                    Unassigned
                    Reporter:
                    frank.mueller Frank Mueller
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated: