hyness / spring-cloud-config-server

Docker build of the spring-cloud-config-server
Apache License 2.0

Certificates, trusting an https git repo, and exposing an https port #12

Closed adrianblakey closed 4 years ago

adrianblakey commented 4 years ago

We run a GitHub appliance which listens on https. In order to access it from the config server it's necessary to provide a truststore containing the git server's TLS certificate, otherwise:

    org.eclipse.jgit.api.errors.TransportException: https://xxx/Development/spring-config-server-test.git: Secure connection to https://xxx/Development/spring-config-server-test.git could not be established because of SSL problems
    ...
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Secondly - I am using the jwilder/nginx-proxy image to listen on https and provide basic authentication. I read the other comment about basic authentication as not being your wish to support. However any thoughts about enabling https support so I can forgo a proxy?

To make this work the following needs to be added to the java command line: -Djavax.net.ssl.trustStore= and -Djavax.net.ssl.keyStore= and access to the cert stores.

Any thoughts about enabling this?

hyness commented 4 years ago

I have added the ability to add system properties and vm options by setting the JAVA_OPTS environment variable. For your use case add -e JAVA_OPTS="-Djavax.net.ssl.trustStore= -Djavax.net.ssl.keyStore=" to your docker command. It's currently only available in the latest tag. Please give this a try and let me know how it goes.

hyness commented 4 years ago

As far as adding basic security, I'm not opposed to adding it, but it would need to be added in a non-obtrusive way. Spring Security is very flexible and supports a myriad of different options for securing an application, which other people may want over basic (for example OAuth2). I haven't had the time to come up with something that meets those requirements. I would gladly accept a pull request if someone would like to add this ability.

adrianblakey commented 4 years ago

I start it up and run the simple curl test against the proxy to our git repo.

Now I get the lovely Java traceback and ...:

    Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <x.x.lab> doesn't match any of the subject alternative names: [x.x.lab, foo, foo-test, *.foo.ent]

In the docker-compose.yml file: SPRING_CLOUD_CONFIG_SERVER_GIT_URI=https://xx:xxxx@x.x.lab/Development/spring-config-server-test.git

I have configured a truststore (/cacerts/cacerts) containing the TLS cert of the proxy to git on a docker volume that's mounted in the container.

It's referenced by this JAVA_OPTS='-Djavax.net.ssl.trustStore=/cacerts/cacerts -Dnet.ssl.trustStorePassword=changeit -server'

I can successfully run the same git command from the command line - outside the container on the machine running the docker container, e.g. git clone https://xx:xxxx@x.x.lab/Development/spring-config-server-test.git

I use a simple openssl script to capture the TLS cert from the server on the host, verify it and add it to the cacerts that I copy out of the container and then copy back in (just to make sure it's fine).

Everything points to something being bad about the cert. However, I can list the truststore using keytool and verify the cert using openssl, and I can access the server using git. The cert has the SANs in it and the first name is the hostname of the proxy(!) ARGH.

Any ideas?
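The check that throws the SSLPeerUnverifiedException above is, in outline, RFC 6125 hostname matching against the certificate's dNSName SANs (when any SAN is present, the subject CN is ignored). As an added example, not code from the config server, JGit or HttpClient, the following Python reimplements those matching rules and runs them over the SAN list quoted in the error message; the hostname and SAN list come from the message, everything else here is constructed.

```python
"""Minimal RFC 6125 / RFC 2818 hostname-vs-SAN matcher (illustrative, not
the verifier any real TLS library ships)."""
import ipaddress

# dNSName SANs as printed in the SSLPeerUnverifiedException on this thread
SAN_DNS = ["x.x.lab", "foo", "foo-test", "*.foo.ent"]


def _match_dns(hostname: str, pattern: str) -> bool:
    """Case-insensitive dNSName match with conservative wildcard rules."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    labels = pattern.split(".")
    # Wildcard only allowed as the entire leftmost label, and the pattern
    # needs at least two more labels so "*.lab"-style patterns are refused.
    if labels[0] != "*" or "*" in labels[1:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # The wildcard covers exactly one label: a.b.foo.ent must NOT match *.foo.ent
    if len(host_labels) != len(labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == labels[1:]


def verify_hostname(hostname: str, dns_sans, ip_sans=()):
    """Return (matched, reason) for a peer host name against its SAN entries."""
    try:
        literal = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        literal = None
    if literal is not None:
        # An IP literal is compared only against iPAddress SANs, never dNSName
        ok = any(literal == ipaddress.ip_address(s) for s in ip_sans)
        return ok, "ip literal checked against iPAddress SANs only"
    for san in dns_sans:
        if _match_dns(hostname, san):
            return True, f"matched dNSName {san!r}"
    return False, "no dNSName SAN matched"


if __name__ == "__main__":
    for host in ["x.x.lab", "X.X.LAB", "bar.foo.ent", "a.b.foo.ent", "foo.ent"]:
        print(host, verify_hostname(host, SAN_DNS))
```

A correct verifier accepts x.x.lab against this SAN list, which is why the certificate, the truststore and the git CLI all check out; the rejection has to come from the client-side matcher.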

adrianblakey commented 4 years ago

It's not possible this is the issue, is it? https://henningwaack.wordpress.com/2020/01/26/javax-net-ssl-sslpeerunverifiedexception-certificate-for-server-dev-untrusted-doesnt-match-any-of-the-subject-alternative-names-server-dev-unstrusted-web-dev-unstrusted-localhost/

From a typescript capture of the Maven build I notice that Maven seems to depend on the following httpclients, one of which is 4.5.11, which the post above seems to think contains the defect:

    $ grep httpclient typescript
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.pom (6.6 kB at 135 kB/s)
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar (778 kB at 436 kB/s)
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.pom (7.5 kB at 153 kB/s)
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.pom (6.4 kB at 130 kB/s)
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar (737 kB at 1.1 MB/s)

adrianblakey commented 4 years ago

Amazing thing that thing between your ears ...

Yes, indeed it looks like the issue might be httpclient-4.5.11.

I looked at the stack trace:

    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.11.jar!/:4.5.11]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.11.jar!/:4.5.11]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.11.jar!/:4.5.11]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.11.jar!/:4.5.11]
    at org.eclipse.jgit.transport.http.apache.HttpClientConnection.execute(HttpClientConnection.java:254) ~[org.eclipse.jgit.http.apache-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]
    at org.eclipse.jgit.transport.http.apache.HttpClientConnection.getResponseCode(HttpClientConnection.java:231) ~[org.eclipse.jgit.http.apache-5.1.3.201810200350-r.jar!/:5.1.3.201810200350-r]

hyness commented 4 years ago

There's an existing issue for adding basic security. Closing this one for adding the Java opts.