kinow / testopia-plugin

Jenkins plug-in to integrate different test management tools

Problems with using self signed certificates #2

Closed tooh closed 11 years ago

tooh commented 12 years ago

ENVIRONMENT:

OS: Darwin iMac.local 11.4.0 Darwin Kernel Version 11.4.0: Mon Apr 9 19:32:15 PDT 2012; root:xnu-1699.26.8~1/RELEASE_X86_64 x86_64

BUGZILLA: version 4.2.1

TESTOPIA: version 2.5

JENKINS: version 1.471

TestThemAll plugin: version ???

PREREQUISITES:

  1. Install TestThemAll.HPI plugin (manual upload)
  2. Choose "Manage Jenkins" option
  3. Configure URI of Testopia instance and username/password of test user
  4. Configure freestyle job
  5. Choose previously configured Testopia instance
  6. Enter a Testrun ID
  7. Choose Iterative Test Build Steps
  8. Execute a shell command
  9. Enter the command "echo $TESTOPIA_TESTCASE_SCRIPT"

RESULT:

When doing a Build it fails showing in the console output that login was not successful.

ANALYSIS: Perhaps it is a problem that the Testopia instance uses https and the server does not have an official certificate.

LOGFILE:

Started by user anonymous
[EnvInject] - Loading node environment variables.
Building on master in workspace /Users/peter/.jenkins/workspace/TestThemAll - Plugin
Connecting to Testopia to retrieve automated test cases.
java.lang.RuntimeException: Failed to login!
    at org.mozilla.testopia.service.xmlrpc.XmlRpcMiscService.login(XmlRpcMiscService.java:63)
    at jenkins.plugins.testthemall.TestopiaBuilder.perform(TestopiaBuilder.java:169)
    at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:19)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:717)
    at hudson.model.Build$BuildExecution.build(Build.java:199)
    at hudson.model.Build$BuildExecution.doRun(Build.java:160)
    at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:499)
    at hudson.model.Run.execute(Run.java:1484)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
    at hudson.model.ResourceController.execute(ResourceController.java:88)
    at hudson.model.Executor.run(Executor.java:236)
Caused by: org.apache.xmlrpc.XmlRpcException: Failed to read server's response: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:161)
    at org.apache.xmlrpc.client.XmlRpcHttpTransport.sendRequest(XmlRpcHttpTransport.java:143)
    at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.sendRequest(XmlRpcSunHttpTransport.java:69)
    at org.apache.xmlrpc.client.XmlRpcClientWorker.execute(XmlRpcClientWorker.java:56)
    at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:167)
    at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:137)
    at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:126)
    at org.mozilla.testopia.service.xmlrpc.XmlRpcMiscService.login(XmlRpcMiscService.java:61)
    ... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.writeRequest(XmlRpcSunHttpTransport.java:104)
    at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:151)
    ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
    ... 36 more
ERROR: Failed to login!
Finished: FAILURE

kinow commented 12 years ago

Hi Peter!

That's right, it's an issue with SSL. I will use the code from TestLink plug-in to solve this issue. Probably in one day or two I will send you a new version.

Thanks for filing such a detailed bug :-)

tooh commented 12 years ago

Installed new version of the plugin. Have to tackle the certificate problem. Extra info is that I am running the .war file like this:

java -jar /usr/local/jenkins/jenkins.war --httpPort=-1 --httpsPort=8081 --httpsKeyStore=keystore.jks --httpsKeyStorePassword=[password]

This does not solve the problem.

kinow commented 12 years ago

Hmmm, weird. Do you have the certificate from your bugzilla instance in your keystore?

tooh commented 12 years ago

Hi Bruno,

I need some step-by-step guidance from you to manage this. I'm not so into certificates.

tooh commented 12 years ago

Hi Bruno

Can you confirm these steps:

  1. Exported my self signed certificate from OSX Lion server as Certificate.cer
  2. executed this command in the shell
sudo keytool -keystore /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts -import -file Certificate.cer

Get a question for the keystore password. Get an error:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Is this a password I should have created somewhere in the process or is this the root password ?

kinow commented 12 years ago

Hi Peter

I'm not so into certificates as well. Some time ago I had this issue with SSL + Jenkins, and I remember I had to create a new keystore with a new password. But I think there is a default password... let me review what is needed for this. I will create a self signed certificate and will install at my local apache for testing. Then I will write a step-by-step blog post about it. It may be useful for other people too :)

Cheers

tooh commented 12 years ago

Hi Bruno

Your answer made me remember that I saw somewhere a default password "changeit"

tooh commented 12 years ago

Indeed the password was the default password changeit

  1. I managed to add the certificate.
  2. I tested the build again and still I can't login, but I studied the log and now I get a different error

Building on master in workspace /Users/peter/.jenkins/workspace/TestThemAll - Plugin
Connecting to Testopia to retrieve automated test cases.
java.lang.RuntimeException: Failed to login!
    at org.mozilla.testopia.service.xmlrpc.XmlRpcMiscService.login(XmlRpcMiscService.java:63)
    at jenkins.plugins.testthemall.TestopiaBuilder.perform(TestopiaBuilder.java:177)
    at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:19)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:717)
    at hudson.model.Build$BuildExecution.build(Build.java:199)
    at hudson.model.Build$BuildExecution.doRun(Build.java:160)
    at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:499)
    at hudson.model.Run.execute(Run.java:1488)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
    at hudson.model.ResourceController.execute(ResourceController.java:88)
    at hudson.model.Executor.run(Executor.java:236)
Caused by: org.apache.xmlrpc.XmlRpcException: Failed to read server's response: java.security.cert.CertificateException: No subject alternative DNS name matching tooh.homedns.org found.
    at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:161)
    at org.apache.xmlrpc.client.XmlRpcHttpTransport.sendRequest(XmlRpcHttpTransport.java:143)
    at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.sendRequest(XmlRpcSunHttpTransport.java:69)
    at org.apache.xmlrpc.client.XmlRpcClientWorker.execute(XmlRpcClientWorker.java:56)
    at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:167)
    at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:137)
    at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:126)
    at org.mozilla.testopia.service.xmlrpc.XmlRpcMiscService.login(XmlRpcMiscService.java:61)
    ... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching tooh.homedns.org found.
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.writeRequest(XmlRpcSunHttpTransport.java:104)
    at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:151)
    ... 17 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching tooh.homedns.org found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    ... 30 more
ERROR: Failed to login!
Finished: FAILURE

kinow commented 12 years ago

Hmmm, will have to try to reproduce at my machine. But I've never seen an error message like this:

 No subject alternative DNS name matching tooh.homedns.org found.

tooh commented 12 years ago

Situation is as follows.

  1. I don't have an official Domain name and use the free homedns.org service
  2. Somehow the certificate is missing this subject alternative DNS name

I will have to check this and perhaps issue a different certificate. I use the OSX Keychain Access application for this.

This project is getting more interesting everyday :)

kinow commented 12 years ago

True indeed hahaha, unexpected situations with interesting context. I will try to find some spare time this week to work on this busy again.

tooh commented 12 years ago

STEPS

  1. Issued a different certificate and used tooh.homedns.org as the DNS name
  2. Deleted the old certificate:
sudo keytool -delete -keystore /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts -alias mykey
  3. Imported the new certificate:
sudo keytool -keystore /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts -import -file Certificate.cer

RESULT: I now get a different error:

java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set

kinow commented 12 years ago

:-| never seen this exception too hahaha

tooh commented 12 years ago

I changed something in the Certificate

When importing I see the following:

Extensions:

1: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [ DigitalSignature Key_CertSign ]

2: ObjectId: 2.5.29.37 Criticality=true

ExtendedKeyUsages [ serverAuth ]

So in KeyUsage I now have the Key_CertSign on.

RESULT:

Retested and got the same error. Grrrrrr....

tooh commented 11 years ago

Hi Bruno, Still no results, don't know what to do now. Informed with some contacts that use Java if they have a suggestion.

Can you perhaps give me a keytool example that in your opinion should produce the correct certificate, given my host name iMac.local and my dynDnS/ virtual host name t00.homedns.org ?

Am I adding the cer to the correct keystore ? (used command described earlier)

I really want to push this forward.
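
The three exceptions seen so far in this thread each point at a different property of the certificate or the trust store. The following is an added diagnostic, not code from the plug-in or from either participant; the class name `CertDiag` is hypothetical and Java 7 or later is assumed. It checks an exported certificate against a trust store and a host name and prints the fields those exceptions refer to.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class CertDiag {
    // Usage: java CertDiag <certificate file> <host name> <truststore file> <truststore password>
    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {   // DER or PEM
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String host = args[1];

        // 1. "PKIX path building failed": is this exact certificate in the truststore?
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[2])) {
            ts.load(in, args[3].toCharArray());
        }
        String alias = ts.getCertificateAlias(cert);
        System.out.println("truststore alias: " + (alias == null ? "NOT PRESENT" : alias));

        // 2. "No subject alternative DNS name matching ...": collect the dNSName
        //    entries (general name type 2) and compare them with the host name.
        List<String> dns = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) dns.add((String) san.get(1));
            }
        }
        boolean match = false;
        for (String d : dns) match |= d.equalsIgnoreCase(host);  // exact match only, no wildcards
        String verdict = dns.isEmpty() ? "none (JSSE falls back to the subject CN)"
                : match ? "matches " + host : "NO match for " + host;
        System.out.println("SAN dNSName entries: " + dns + " -> " + verdict);

        // 3. "keyCertSign bit is not set": show the KeyUsage bits and CA flag.
        boolean[] ku = cert.getKeyUsage();
        System.out.println("KeyUsage: " + (ku == null ? "absent"
                : "digitalSignature=" + ku[0] + " keyCertSign=" + ku[5]));
        System.out.println("basicConstraints: " + cert.getBasicConstraints() + " (-1 means not a CA)");
        System.out.println("self-signed: " + cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()));
    }
}
```

The trust store argument should be the file the Jenkins JVM actually reads, which is not necessarily the `cacerts` of the JDK that `keytool` was run from.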

kinow commented 11 years ago

Hi Peter, I've arrived from US and now am reorganizing my activities. I'll have a cycle to work on this next week, and no more talks or articles this year, so no more distractions \o/ (only vacations soon haha)

Will keep you posted

tooh commented 11 years ago

Ah, was it a nice trip ? I kept on googling and found this.

http://www.exampledepot.com/egs/javax.net.ssl/trustall.html

Can this be of help for this problem as well? I know this is not a "secure" solution but perhaps with an option you can set in the job it can be useful for testing purposes.

tooh commented 11 years ago

I found a plugin skip-certificate-check. This does what it says. Highly insecure but for now a nice workaround.

After installing this I get some new test results.

I will log this in a separate issue.

kinow commented 11 years ago

The trip was all right. I miss the local food so much when I'm abroad, but much more when I am in the US, as there is so much fast food (and it is so cheap hehe).

Hmmm, handy plug-in :D good to know. So let's focus on other functionalities for now. We can come back at this issue later.

kinow commented 11 years ago

Issue ported to JIRA, see issues.jenkins-ci.org