GitHubSecurityLab / actions-permissions

GitHub token permissions Monitor and Advisor actions
MIT License
256 stars, 20 forks

Could not find a suitable TLS CA certificate bundle, invalid path: /home/mitmproxyuser/.mitmproxy/mitmproxy-ca-cert.pem #14

Closed JarLob closed 3 months ago

JarLob commented 1 year ago

https://github.com/tspascoal-demo2/MyShuttle/actions/runs/5443639260/jobs/9900419190

roman-parkhunovskyi commented 1 year ago

Same thing: a lot of issues related to certificates, both with the Java build and k8s manipulations. As soon as I remove the GitHubSecurityLab/actions-permissions/monitor action, everything works again. Another side effect: actions/checkout@v3 takes 15 min to check out the repository. Not that critical to have this GitHubSecurityLab/actions-permissions/monitor action, removing it for good as it is not GA at all. E.g. the errors I get are:

error: downloading sbt launcher 1.8.0
error: [info] [launcher] getting org.scala-sbt sbt 1.4.9  (this may take some time)...
Error: [error] [launcher] xsbt.boot.internal.shaded.coursier.error.ResolutionError$Several: Error downloading org.scala-sbt:sbt:1.4.9
  not found: /home/runner/.ivy2/local/org.scala-sbt/sbt/1.4.9/ivys/ivy.xml
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.4.9/sbt-1.4.9.pom
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.4.9/sbt-1.4.9.pom
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.4.9/sbt-1.4.9.pom
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt/1.4.9/ivys/ivy.xml
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.scala-sbt.org/scalasbt/ivy-snapshots/org.scala-sbt/sbt/1.4.9/ivys/ivy.xml
Error downloading org.scala-lang:scala-library:2.12.12
  not found: /home/runner/.ivy2/local/org.scala-lang/scala-library/2.12.12/ivys/ivy.xml
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo1.maven.org/maven2/org/scala-lang/scala-library/2.12.12/scala-library-2.12.12.pom
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-lang/scala-library/2.12.12/scala-library-2.12.12.pom
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-lang/scala-library/2.12.12/scala-library-2.12.12.pom
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.typesafe.com/typesafe/ivy-releases/org.scala-lang/scala-library/2.12.12/ivys/ivy.xml
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.scala-sbt.org/scalasbt/ivy-snapshots/org.scala-lang/scala-library/2.12.12/ivys/ivy.xml
Error: [error] [launcher] could not retrieve sbt 1.4.9

or

Run java -version
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_292-b10)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.292-b10, mixed mode)
2.1.2
Exception in thread "main" coursier.error.ResolutionError$CantDownloadModule: Error downloading org.scala-lang:scala3-compiler_3:latest.stable
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo1.maven.org/maven2/org/scala-lang/scala3-compiler_3/maven-metadata.xml
    at coursier.Resolve$.$anonfun$validate$1(Resolve.scala:367)
    at scala.collection.TraversableLike.$anonfun$map$1(TraversableLike.scala:286)
    at scala.collection.Iterator.foreach(Iterator.scala:943)
    at scala.collection.Iterator.foreach$(Iterator.scala:943)
    at scala.collection.AbstractIterator.foreach(Iterator.scala:1431)
    at scala.collection.IterableLike.foreach(IterableLike.scala:74)
    at scala.collection.IterableLike.foreach$(IterableLike.scala:73)
    at scala.collection.AbstractIterable.foreach(Iterable.scala:56)
    at scala.collection.TraversableLike.map(TraversableLike.scala:286)
    at scala.collection.TraversableLike.map$(TraversableLike.scala:279)
    at scala.collection.AbstractTraversable.map(Traversable.scala:108)
    at coursier.Resolve$.validate(Resolve.scala:365)
    at coursier.Resolve.validate0$1(Resolve.scala:137)
    at coursier.Resolve.$anonfun$ioWithConflicts0$4(Resolve.scala:187)
    at coursier.util.Task$.$anonfun$flatMap$extension$1(Task.scala:14)
    at coursier.util.Task$.$anonfun$flatMap$extension$1$adapted(Task.scala:14)
    at coursier.util.Task$.wrap(Task.scala:82)
    at coursier.util.Task$.$anonfun$flatMap$2(Task.scala:14)
    at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
    at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
    at java.base@17.0.5/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base@17.0.5/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base@17.0.5/java.lang.Thread.run(Thread.java:833)
    at com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:775)
    at com.oracle.svm.core.posix.thread.PosixPlatformThreads.pthreadStartRoutine(PosixPlatformThreads.java:203)
Error: Process completed with exit code 1.

In the Run GitHubSecurityLab/actions-permissions/monitor@v1 step it can be seen that it's doing something with the certs:

...
Successfully installed Brotli-1.0.9 MarkupSafe-2.1.3 Werkzeug-2.3.6 asgiref-3.5.2 cffi-1.15.1 cryptography-38.0.4 flask-2.2.5 h11-0.14.0 h2-4.1.0 hpack-4.0.0 hyperframe-6.0.1 itsdangerous-2.1.2 kaitaistruct-0.10 ldap3-2.9.1 mitmproxy-9.0.1 mitmproxy-wireguard-0.1.23 msgpack-1.0.5 passlib-1.7.4 protobuf-4.23.4 publicsuffix2-2.20191221 pyOpenSSL-22.1.0 pycparser-2.21 pyperclip-1.8.2 ruamel.yaml-0.17.32 ruamel.yaml.clib-0.2.7 sortedcontainers-2.4.0 tornado-6.3.2 typing-extensions-4.4.0 urwid-2.1.2 wsproto-1.2.0 zstandard-0.19.0
waiting for mitmdump to generate the certificate...
waiting for mitmdump to generate the certificate...
waiting for mitmdump to generate the certificate...
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Processing triggers for ca-certificates (20230311ubuntu0.22.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
/etc/ssl/certs/adoptium/cacerts successfully populated.
Updating Mono key store
Mono Certificate Store Sync - version 6.12.0.182
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 137, your new list has 138
Certificate added: CN=mitmproxy, O=mitmproxy
1 new root certificates were added to your trust store.
Import process completed.

Importing into BTLS system store:
I already trust 136, your new list has 138
Certificate added: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Certificate added: CN=mitmproxy, O=mitmproxy
2 new root certificates were added to your trust store.
Import process completed.

Done
done.
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
/etc/ssl/certs/adoptium/cacerts successfully populated.
Updating Mono key store
Mono Certificate Store Sync - version 6.12.0.182
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 138, your new list has 138
Import process completed.

Importing into BTLS system store:
I already trust 137, your new list has 138
Certificate added: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
1 new root certificates were added to your trust store.
Import process completed.

Done
done.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.send_redirects = 0
--all done--

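The two logs quoted above tell one story: the monitor step adds a private root (CN=mitmproxy) to the OS and Mono trust stores, and a Java client that does not read those stores then fails PKIX path validation for every HTTPS download. The following Python script is an added illustration, not code from this issue or from the actions-permissions project, of how a CI log can be audited for exactly that pattern: it extracts the roots that were added, flags any that are not on an allowlist of expected CAs, counts additions to the /etc/ssl/certs bundle, and collects the URLs Java refused to fetch. The sample log lines are constructed from the output quoted in this thread, and the allowlist of expected roots is an assumption for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Line shapes taken from the runner output quoted in the thread.
CERT_ADDED = re.compile(r"^Certificate added:\s*(?P<subject>.+?)\s*$")
BUNDLE_SUMMARY = re.compile(r"^(?P<added>\d+) added, (?P<removed>\d+) removed; done\.$")
PKIX_FAILURE = re.compile(
    r"javax\.net\.ssl\.SSLHandshakeException \(PKIX path building failed.*?\)"
    r" while downloading (?P<url>\S+)"
)


@dataclass
class TrustAudit:
    roots_added: list = field(default_factory=list)       # subjects, first-seen order
    unexpected_roots: list = field(default_factory=list)  # subjects not on the allowlist
    bundle_additions: int = 0                             # certs added to /etc/ssl/certs
    pkix_failures: list = field(default_factory=list)     # URLs the JVM refused to fetch

    @property
    def failing_hosts(self):
        return sorted({urlsplit(u).hostname for u in self.pkix_failures})

    @property
    def interception_suspected(self) -> bool:
        # An unknown root landed in the OS store while a Java client still fails
        # path validation: some clients trust the new CA, others do not, which is
        # the signature of a TLS-terminating proxy whose CA was only partly rolled out.
        return bool(self.unexpected_roots) and bool(self.pkix_failures)


def audit_runner_log(lines, expected_roots):
    """Scan runner log lines and return a TrustAudit report."""
    expected = {s.strip() for s in expected_roots}
    audit = TrustAudit()
    for raw in lines:
        line = raw.strip()
        if m := CERT_ADDED.match(line):
            subject = m["subject"]
            if subject not in audit.roots_added:
                audit.roots_added.append(subject)
                if subject not in expected:
                    audit.unexpected_roots.append(subject)
        elif m := BUNDLE_SUMMARY.match(line):
            audit.bundle_additions += int(m["added"])
        elif m := PKIX_FAILURE.search(line):
            audit.pkix_failures.append(m["url"])
    return audit


# Assumed allowlist: public roots an ubuntu image is expected to pick up on update.
EXPECTED_ROOTS = [
    "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068",
]

# Constructed sample, assembled from lines quoted in this thread.
SAMPLE_LOG = """\
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Importing into legacy system store:
Certificate added: CN=mitmproxy, O=mitmproxy
1 new root certificates were added to your trust store.
Importing into BTLS system store:
Certificate added: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Certificate added: CN=mitmproxy, O=mitmproxy
2 new root certificates were added to your trust store.
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Error: [error] [launcher] xsbt.boot.internal.shaded.coursier.error.ResolutionError$Several: Error downloading org.scala-sbt:sbt:1.4.9
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.4.9/sbt-1.4.9.pom
  download error: Caught javax.net.ssl.SSLHandshakeException (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while downloading https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.4.9/sbt-1.4.9.pom
"""

if __name__ == "__main__":
    report = audit_runner_log(SAMPLE_LOG.splitlines(), EXPECTED_ROOTS)
    print("roots added:        ", report.roots_added)
    print("unexpected roots:   ", report.unexpected_roots)
    print("bundle additions:   ", report.bundle_additions)
    print("hosts failing PKIX: ", report.failing_hosts)
    print("interception suspected:", report.interception_suspected)
```

The useful output is the pairing: an unexpected root in the OS store plus PKIX failures from the JVM points at the trust-store mismatch (the runner's Java uses its own cacerts keystore rather than /etc/ssl/certs), which is what the thread above observes.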
JarLob commented 3 months ago

Should be fixed with hosts filtering. Please try f62d32cd684392a758c627a58e0756b734bd54fd and reopen if still present.
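For readers who want to see what "hosts filtering" means in practice, here is an added example in Python, not the commit referenced above nor code from the actions-permissions project, of the allowlist approach: only connections to the hosts that actually receive the workflow token are intercepted, and every other TLS connection is passed through untouched, so clients such as the JVM or kubectl never see the proxy CA. The host patterns are an assumption, and the `tls_clienthello` method follows the shape of mitmproxy's hook of that name with its `ignore_connection` flag as I understand it; the block imports nothing from mitmproxy and the hook is exercised with a constructed stand-in object.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Assumed allowlist: hosts to which the workflow token is sent. Anchored patterns,
# so "evilgithub.com" does not match while "api.github.com" does.
DEFAULT_ALLOW = (
    r"(^|\.)github\.com$",
    r"(^|\.)githubusercontent\.com$",
)


class HostFilter:
    """Decide, per TLS connection, whether the proxy may terminate it."""

    def __init__(self, allow: Iterable[str] = DEFAULT_ALLOW):
        self._allow = [re.compile(p, re.IGNORECASE) for p in allow]

    def should_intercept(self, host: Optional[str], port: int = 443) -> bool:
        if not host or port != 443:
            return False
        host = host.rstrip(".").lower()
        try:
            ipaddress.ip_address(host)
            return False  # bare IP literal: nothing to match against, pass through
        except ValueError:
            pass
        return any(p.search(host) for p in self._allow)

    def tls_clienthello(self, data) -> None:
        """Hook in the shape of mitmproxy's tls_clienthello (assumed interface):
        data.client_hello.sni, data.context.server.address = (host, port),
        data.ignore_connection = True leaves the connection unterminated."""
        server = data.context.server.address
        host = data.client_hello.sni or (server[0] if server else None)
        port = server[1] if server else 443
        data.ignore_connection = not self.should_intercept(host, port)


# Constructed stand-in for the object mitmproxy would pass to the hook.
class FakeClientHelloData:
    def __init__(self, host: str, port: int = 443, sni: Optional[str] = None):
        self.client_hello = type("ClientHello", (), {"sni": sni if sni is not None else host})()
        self.context = type("Context", (), {})()
        self.context.server = type("Server", (), {"address": (host, port)})()
        self.ignore_connection = False


def decide(host: str, port: int = 443) -> bool:
    """Run the hook against a constructed connection; True means passed through."""
    data = FakeClientHelloData(host, port)
    HostFilter().tls_clienthello(data)
    return data.ignore_connection


if __name__ == "__main__":
    for h in ("api.github.com", "repo1.maven.org", "evilgithub.com", "140.82.112.3"):
        print(f"{h:20s} passthrough={decide(h)}")
```

Default deny is the point: the token monitor only needs the GitHub API traffic, so a pattern list that is short and anchored keeps the blast radius of the injected CA to those connections alone.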