Closed onesecurity closed 1 year ago
https://github.com/HXSecurity/DongTai-agent-java/releases/tag/v1.7.7 - Request OK
https://github.com/HXSecurity/DongTai-agent-java/releases/tag/v1.7.9 - Request Fail
No system configuration has been updated
We have reimplemented the http client in version 1.7.8, which currently does not support invalid SSL certificates
Supplemental certificate chain solved the issue. Alibaba Cloud Certificate Service does not package the root certificate in the certificate file.
Preflight Checklist
Version
1.7.9
Installation Type
Official Kubernetes
Service Name
DongTai-agent-java
Describe the details of the bug and the steps to reproduce it
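The new version of the Agent fails to register; the v1.7.7 Agent runs normally. The server is the latest version, 1.8.7, in both cases.
The error log is as follows: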
2022-10-31 18:30:52 [io.dongtai.iast.agent] [INFO] DongTai Config: /tmp/dongtai-root/v1.7.9/iast.properties
2022-10-31 18:30:52 [io.dongtai.iast.agent] [DEBUG] DongTai will install for Servlet Service
2022-10-31 18:30:54 [io.dongtai.iast.agent] [ERROR] request https://xx/openapi/api/v1/agent/register failed, Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
    at io.dongtai.iast.thirdparty.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at io.dongtai.iast.thirdparty.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at io.dongtai.iast.thirdparty.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at io.dongtai.iast.common.utils.AbstractHttpClientUtils.sendRequestInternal(AbstractHttpClientUtils.java:123)
    at io.dongtai.iast.common.utils.AbstractHttpClientUtils.sendRequest(AbstractHttpClientUtils.java:64)
    at io.dongtai.iast.common.utils.AbstractHttpClientUtils.sendRequest(AbstractHttpClientUtils.java:35)
    at io.dongtai.iast.agent.util.HttpClientUtils.sendPost(HttpClientUtils.java:48)
    at io.dongtai.iast.agent.report.AgentRegisterReport.register(AgentRegisterReport.java:223)
    at io.dongtai.iast.agent.report.AgentRegisterReport.send(AgentRegisterReport.java:238)
    at io.dongtai.iast.agent.AgentLauncher.install(AgentLauncher.java:112)
    at io.dongtai.iast.agent.AgentLauncher.premain(AgentLauncher.java:48)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
    at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:401)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
    ... 36 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 42 more
2022-10-31 18:30:54 [io.dongtai.iast.agent] [ERROR] Parse https://xxx/openapi register response failed: io.dongtai.iast.thirdparty.org.json.JSONException: A JSONObject text must begin with '{' at 1 [character 2 line 1]
2022-10-31 18:30:54 [io.dongtai.iast.agent] [ERROR] Agent registered failed. Start without DongTai IAST.
Additional Information
No response
Logs
No response
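
The "PKIX path building failed" error in the log and the fix reported in the thread (supplementing the certificate chain) can be reproduced offline with `openssl`. This is an added example, not code from the thread or the DongTai project. It assumes a three-level chain whose certificate file lacks the issuing CA certificate; all subject names and file names are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed demo PKI with throwaway keys: root -> intermediate -> leaf.
# The verifier trusts only the root, as a JVM trusts only the CAs in its truststore.

make_demo_pki() {   # $1 = existing empty working directory
  ( cd "$1" &&
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      '[dn]' 'CN = placeholder' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf &&
    # Self-signed root CA: the client's only trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
      -subj "/CN=Demo Root CA" -days 2 -keyout root.key -out root.pem &&
    # Intermediate (issuing) CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -days 2 -out int.pem &&
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=iast.example.test" -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem
  ) >/dev/null 2>&1
}

# Exit 0 only if a path from leaf.pem to the trusted root can be built.
# $1 = PKI directory, $2 = optional PEM file of extra certs the server sends.
chain_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
  fi >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_pki "$d"
if chain_verifies "$d"; then echo "leaf only: verified"
else echo "leaf only: no path to a trusted root (the PKIX failure in the log)"; fi
if chain_verifies "$d" "$d/int.pem"; then echo "leaf + issuing CA: verified"
else echo "leaf + issuing CA: failed"; fi
rm -rf "$d"
```

Against a live endpoint, `openssl s_client -connect <host>:443 -showcerts` lists the certificates the server actually sends.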