Closed adrianblakey closed 4 years ago
I have added the ability to add system properties and vm options by setting the JAVA_OPTS environment variable. For your use case add -e JAVA_OPTS="-Djavax.net.ssl.trustStore= -Djavax.net.ssl.keyStore="
to your docker command. It's currently only available in the latest tag. Please give this a try and let me know how it goes.
As far as adding basic security, I'm not opposed to adding it, but it would need to add the ability in a non-obtrusive way. Spring security is very flexible and supports a myriad of different options for securing an application, which other people may want over basic (for example oauth2). I haven't had the time to come up with something that meets those requirements. I would gladly accept a pull request if someone would like to add this ability.
I start it up and run the simple curl test against the proxy to our git repo.
Now I get the lovely java traceback and ...:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <x.x.lab> doesn't match any of the subject alternative names: [x.x.lab, foo, foo-test, *.foo.ent]
In the docker-compose.yml file SPRING_CLOUD_CONFIG_SERVER_GIT_URI=https://xx:xxxx@x.x.lab/Development/spring-config-server-test.git -
I have configured a truststore (/cacerts/cacerts) containing the TLS cert of the proxy to git on a docker volume that's mounted in the container.
It's referenced by this JAVA_OPTS='-Djavax.net.ssl.trustStore=/cacerts/cacerts -Dnet.ssl.trustStorePassword=changeit -server'
I can successfully run the same git command from the command line - outside the container on the machine running the docker container, e.g. git clone https://xx:xxxx@x.x.lab/Development/spring-config-server-test.git
I use a simple openssl script to capture the TLS cert from the server on the host, verify it and add it to the cacerts that I copy out of the container and then copy back in (just to make sure it's fine).
Everything points to something being bad about the cert - however I can list the truststore using keytool and verify the cert using openssl and I can access the server using git. The cert has the SANs in it and the first name is the hostname of the proxy(!) ARGH.
Any ideas?
It's not possible this is the issue, is it? https://henningwaack.wordpress.com/2020/01/26/javax-net-ssl-sslpeerunverifiedexception-certificate-for-server-dev-untrusted-doesnt-match-any-of-the-subject-alternative-names-server-dev-unstrusted-web-dev-unstrusted-localhost/
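A small stand-alone check that separates the two possible causes described above (bad truststore vs. the HTTP client's own hostname verifier). It is an added example, not code from this project: it opens a TLS connection using the same javax.net.ssl.trustStore* system properties the config server reads from JAVA_OPTS, asks the JDK (not Apache httpclient) to perform hostname verification, and prints the SANs of the presented certificate. The host name and port are assumed command-line arguments.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.X509Certificate;
import java.util.List;

public class SanCheck {
    // Run with the same properties as the container, e.g.:
    // java -Djavax.net.ssl.trustStore=/cacerts/cacerts \
    //      -Djavax.net.ssl.trustStorePassword=changeit SanCheck.java git.example.lab 443
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // Default factory honours javax.net.ssl.trustStore / trustStorePassword
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // Let the JDK match the host against the certificate's SANs (RFC 2818/6125)
            params.setEndpointIdentificationAlgorithm("HTTPS");
            // Send SNI so a proxy serving several names returns the right certificate
            params.setServerNames(List.of(new SNIHostName(host)));
            socket.setSSLParameters(params);

            // Throws SSLHandshakeException if the chain is untrusted or the name does not match
            socket.startHandshake();

            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("Subject: " + leaf.getSubjectX500Principal());
            if (leaf.getSubjectAlternativeNames() == null) {
                System.out.println("No SAN extension present");
            } else {
                for (List<?> san : leaf.getSubjectAlternativeNames()) {
                    // GeneralName type 2 = dNSName, 7 = iPAddress
                    System.out.println("SAN type " + san.get(0) + ": " + san.get(1));
                }
            }
            System.out.println("JDK trust check and hostname verification passed for " + host);
        }
    }
}
```

If this passes with the container's truststore but the config server still fails, the truststore and certificate are fine and the mismatch comes from the HTTP client library's verifier rather than the JDK.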
From a typescript capture of the maven build I notice that maven seems to depend on the following httpclients - one of which is 4.5.11 that the post above seems to think contains the defect:

$ grep httpclient typescript
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.pom (6.6 kB at 135 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar (778 kB at 436 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.pom (7.5 kB at 153 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.pom (6.4 kB at 130 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar (737 kB at 1.1 MB/s)
Amazing thing that thing between your ears ...
Yes, indeed it looks like the issue might be httpclient-4.5.11.
I looked at the stack trace:
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.11.jar!/:4.5.11]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.11.jar!/:4.5.11]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.11.jar!/:4.5.11]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.11.jar!/:4.5.11]
at org.eclipse.jgit.transport.http.apache.HttpClientConnection.execute(HttpClientConnection.java:254) ~[org.eclipse.jgit.http.apache-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
at org.eclipse.jgit.transport.http.apache.HttpClientConnection.getResponseCode(HttpClientConnection.java:231) ~[org.eclipse.jgit.http.apache-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
There's an existing issue for adding basic security. Closing this one for adding the java opts.
We run a github appliance which listens on https. In order to access it from the config server it's necessary to provide a truststore containing the git server's TLS certificate:
Secondly - I am using the jwilder/nginx-proxy image to listen on https and provide basic authentication. I read the other comment about basic authentication as not being your wish to support. However any thoughts about enabling https support so I can forgo a proxy?
To make this work the following needs to be added to the java command line: -Djavax.net.ssl.trustStore= and -Djavax.net.ssl.keyStore= and access to the cert stores.
Any thoughts about enabling this?