romanharen1 commented 3 years ago

Hi Folks Im getting this error when i try to log in my gerrit:

`Sep 17, 2020 4:50:05 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [] threw exception
org.scribe.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service.
    at org.scribe.model.Request.send(Request.java:70)
    at org.scribe.model.Request.send(Request.java:76)
    at com.googlesource.gerrit.plugins.oauth.Office365OAuthService.getUserInfo(Office365OAuthService.java:84)
    at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:100)
    at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:108)
    at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:73)
    at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:117)
    at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:68)
    at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)
    at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)
    at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)
    at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
    at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
    at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
    at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
    at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
    at com.google.gerrit.httpd.WebAppInitializer.doFilter(WebAppInitializer.java:123)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1757)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1716)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.scribe.model.Response.<init>(Response.java:29)
    at org.scribe.model.Request.doSend(Request.java:117)
    at org.scribe.model.Request.send(Request.java:66)
    ... 33 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 46 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 52 more

`

It was working until today morning

Someone can help me?

eriko-de commented 3 years ago

We had the same issue.

As of limited resources we weren't able to further debug and instead decided to disable the plug in

mhuin commented 2 years ago

Hello, I have noticed the same problem, it started when I switched to using gerrit in a container rather than the regular service. I believe the container doesn't have access to the global truststore and since my auth service uses a self-signed SSL cert, the same error occurs when trying to authenticate.

billsteve commented 1 year ago

@mhuin Have you resolve this error?

mhuin commented 1 year ago

@mhuin Have you resolve this error?

I resolved the issue by using a custom entrypoint script for the gerrit container:

`#!/bin/bash -e

what-java-security-egd-option-is-for

JAVA_OPTIONS="-Djava.security.egd=file:/dev/./urandom" JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStore=/var/gerrit/etc/keystore" JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStorePassword=p4ssw0rd" JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/var/gerrit/etc/truststore" JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStorePassword=changeit"

configure_keystore () { keytool -importkeystore -srckeystore /var/gerrit/etc/certificate.pkcs12 \ -srcstoretype PKCS12 -destkeystore /var/gerrit/etc/keystore \ -srcstorepass p4ssw0rd -deststorepass p4ssw0rd

keytool -importcert -alias my-local-ca -file /var/gerrit/etc/localCA.crt \
  -keystore /var/gerrit/etc/truststore -storepass changeit -noprompt

}

rm -f /var/gerrit/etc/trustore rm -f /var/gerrit/etc/keystore configure_keystore

if [ -f /var/gerrit/logs/.run_init ]; then echo "Initializing Gerrit site ..." java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war init -d /var/gerrit --batch --no-auto-start --skip-plugins java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war reindex -d /var/gerrit cp -f /var/gerrit-plugins/* /var/gerrit/plugins/ rm -f /var/gerrit/logs/.run_init fi

echo "Running Gerrit ..." exec java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war daemon -d /var/gerrit `

You'll most likely have to adapt this to your own use case. This entrypoint assumes two files, localCA.crt and certificate.pkcs12, are accessible with the correct rights in the /var/gerrit/etc volume. This is how we generate them via ansible, again adapt this to your own setup:

`- name: create PKCS12 bundle for gerrit keystore shell: | cat /etc/pki/tls/certs/certificate.crt /etc/pki/tls/certs/ca-bundle.crt > /tmp/cert-chain.txt openssl pkcs12 -export -inkey /etc/pki/tls/private/certificate.key -in /tmp/cert-chain.txt -out certificate.pkcs12 -passout pass:p4ssw0rd rm -f /tmp/cert-chain.txt

name: prepare localCA certificate for import in keystore if fqdn is updated or keystore does not exist shell: | openssl x509 -outform der -in /etc/pki/ca-trust/source/anchors/localCA.pem -out localCA.crt `

davido / gerrit-oauth-provider

unable to find valid certification path to requested target #145

The /dev/./urandom is not a typo. https://stackoverflow.com/questions/58991966/what-java-security-egd-option-is-for