martinspielmann / nexus3-crowd-plugin

Sonatype Nexus plugin for Atlassian Crowd integration
Apache License 2.0

unable to find valid certification path to requested target #28

Closed rhoml closed 7 years ago

rhoml commented 7 years ago

Our internal CROWD has a self-signed certificate and I am getting this pretty stacktrace


2016-12-13 16:06:17,894+1100 INFO  [qtp463892198-98] *UNKNOWN com.pingunaut.nexus3.crowd.plugin.CrowdAuthenticatingRealm - crowd authenticated: false
2016-12-13 16:06:49,339+1100 INFO  [qtp463892198-97] *UNKNOWN com.pingunaut.nexus3.crowd.plugin.CrowdAuthenticatingRealm - doGetAuthenticationInfo for userX
2016-12-13 16:06:49,387+1100 ERROR [qtp463892198-97] *UNKNOWN com.pingunaut.nexus3.crowd.plugin.internal.CachingNexusCrowdClient - error executng query
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [na:1.8.0_40]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [na:1.8.0_40]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [na:1.8.0_40]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [na:1.8.0_40]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) [na:1.8.0_40]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) [na:1.8.0_40]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [na:1.8.0_40]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [na:1.8.0_40]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [na:1.8.0_40]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) [na:1.8.0_40]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) [na:1.8.0_40]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) [na:1.8.0_40]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:71) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:220) [nexus3-crowd-plugin:3.2.0]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:190) [nexus3-crowd-plugin:3.2.0]
    at com.pingunaut.nexus3.crowd.plugin.internal.CachingNexusCrowdClient.executeQuery(CachingNexusCrowdClient.java:82) [nexus3-crowd-plugin:3.2.0]
    at com.pingunaut.nexus3.crowd.plugin.internal.CachingNexusCrowdClient.authenticate(CachingNexusCrowdClient.java:124) [nexus3-crowd-plugin:3.2.0]
    at com.pingunaut.nexus3.crowd.plugin.CrowdAuthenticatingRealm.doGetAuthenticationInfo(CrowdAuthenticatingRealm.java:108) [nexus3-crowd-plugin:3.2.0]
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568) [org.apache.shiro.core:1.3.2]
    at org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator.doMultiRealmAuthentication(FirstSuccessfulModularRealmAuthenticator.java:49) [org.sonatype.nexus.security:3.1.0.04]
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) [org.apache.shiro.core:1.3.2]
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) [org.apache.shiro.core:1.3.2]
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) [org.apache.shiro.core:1.3.2]
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270) [org.apache.shiro.core:1.3.2]
    at org.apache.shiro.nexus.NexusWebSecurityManager.login(NexusWebSecurityManager.java:64) [org.sonatype.nexus.security:3.1.0.04]
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [org.apache.shiro.core:1.3.2]
    at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53) [org.apache.shiro.web:1.3.2]
    at org.sonatype.nexus.rapture.internal.security.SessionAuthenticationFilter.onAccessDenied(SessionAuthenticationFilter.java:81) [org.sonatype.nexus.rapture:3.1.0.04]
    at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133) [org.apache.shiro.web:1.3.2]
    at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162) [org.apache.shiro.web:1.3.2]
    at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203) [org.apache.shiro.web:1.3.2]
    at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178) [org.apache.shiro.web:1.3.2]
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131) [org.apache.shiro.web:1.3.2]
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [org.apache.shiro.web:1.3.2]
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [org.apache.shiro.web:1.3.2]
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) [org.apache.shiro.web:1.3.2]
    at org.sonatype.nexus.security.SecurityFilter.executeChain(SecurityFilter.java:85) [org.sonatype.nexus.security:3.1.0.04]
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) [org.apache.shiro.web:1.3.2]
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) [org.apache.shiro.core:1.3.2]
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) [org.apache.shiro.core:1.3.2]
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) [org.apache.shiro.core:1.3.2]
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) [org.apache.shiro.web:1.3.2]
    at org.sonatype.nexus.security.SecurityFilter.doFilterInternal(SecurityFilter.java:101) [org.sonatype.nexus.security:3.1.0.04]
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [org.apache.shiro.web:1.3.2]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [com.google.inject:4.0.0]
    at com.sonatype.nexus.licensing.internal.LicensingRedirectFilter.doFilter(LicensingRedirectFilter.java:112) [com.sonatype.nexus.plugins.nexus-licensing-plugin:3.1.0.04]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [com.google.inject:4.0.0]
    at com.codahale.metrics.servlet.AbstractInstrumentedFilter.doFilter(AbstractInstrumentedFilter.java:97) [com.codahale.metrics.servlet:3.0.2]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [com.google.inject:4.0.0]
    at org.sonatype.nexus.internal.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:63) [org.sonatype.nexus.base:3.1.0.04]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [com.google.inject:4.0.0]
    at org.sonatype.nexus.internal.web.EnvironmentFilter.doFilter(EnvironmentFilter.java:97) [org.sonatype.nexus.base:3.1.0.04]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [com.google.inject:4.0.0]
    at com.google.inject.servlet.DynamicFilterPipeline.dispatch(DynamicFilterPipeline.java:104) [com.google.inject:4.0.0]
    at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133) [com.google.inject:4.0.0]
    at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130) [com.google.inject:4.0.0]
    at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203) [com.google.inject:4.0.0]
    at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130) [com.google.inject:4.0.0]
    at org.sonatype.nexus.bootstrap.osgi.DelegatingFilter.doFilter(DelegatingFilter.java:73) [org.sonatype.nexus.bootstrap:3.1.0.04]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668) [org.eclipse.jetty.servlet:9.3.7.v20160115]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581) [org.eclipse.jetty.servlet:9.3.7.v20160115]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [org.eclipse.jetty.security:9.3.7.v20160115]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1158) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511) [org.eclipse.jetty.servlet:9.3.7.v20160115]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1090) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119) [org.eclipse.jetty.server:9.3.7.v20160115]
    at com.codahale.metrics.jetty9.InstrumentedHandler.handle(InstrumentedHandler.java:175) [com.codahale.metrics.jetty9:3.0.2]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.server.Server.handle(Server.java:517) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242) [org.eclipse.jetty.server:9.3.7.v20160115]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273) [org.eclipse.jetty.io:9.3.7.v20160115]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) [org.eclipse.jetty.io:9.3.7.v20160115]
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75) [org.eclipse.jetty.io:9.3.7.v20160115]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213) [org.eclipse.jetty.util:9.3.7.v20160115]
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147) [org.eclipse.jetty.util:9.3.7.v20160115]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654) [org.eclipse.jetty.util:9.3.7.v20160115]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572) [org.eclipse.jetty.util:9.3.7.v20160115]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_40]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [na:1.8.0_40]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [na:1.8.0_40]
    at sun.security.validator.Validator.validate(Validator.java:260) [na:1.8.0_40]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [na:1.8.0_40]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [na:1.8.0_40]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [na:1.8.0_40]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) [na:1.8.0_40]
    ... 89 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) [na:1.8.0_40]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) [na:1.8.0_40]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [na:1.8.0_40]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [na:1.8.0_40]
    ... 95 common frames omitted

Do you have any idea how I can solve it?

martinspielmann commented 7 years ago

The easiest way to solve it is to trust your certificate, which means adding it to your local Java keystore. Found a step-by-step guide here: http://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail#11617655

rhoml commented 7 years ago

Yep, I tried that and added

-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts
-Djavax.net.ssl.trustStorePassword=REDACTED

but still get the same error, is it possible that the plugin is not getting the right SSL cert?

martinspielmann commented 7 years ago

I'll try to get that reproduced tomorrow and keep you updated.

rhoml commented 7 years ago

🙏 thanks

rhoml commented 7 years ago

Hey, never mind, I was importing the wrong certificate on the trust store. Everything is working like a charm.

martinspielmann commented 7 years ago

Self-healing, that's my favorite kind of issue :) Thanks for the fast feedback!

vaibhavbhanawat01 commented 7 years ago

@pingunaut @rhoml Hi, I am also getting this same issue. So can you tell me which certificate I need to import to the keystore?

martinspielmann commented 7 years ago

Hi @vaibhavbhanawat01 The certificate to be imported is the one you used to secure your Crowd instance. You can easily obtain it, for example, like this:

  1. Navigate to your Crowd instance in your web browser,
  2. Click the small lock in the address bar,
  3. Click "View Certificate",
  4. Go to the "Details" tab,
  5. Click "Export" as shown in the screenshot below (the screenshot was taken with Firefox, but it works similarly in all browsers).

[image]

Now that you have the certificate, you can import it to your Java keystore like this:

keytool -importcert -file [PATH_TO_CERTIFICATE] -keystore [PATH_TO_KEYSTORE_JKS] -alias "My Crowd cert"

Note: If there are multiple versions of Java present in your system, you need to check which Java installation is used by Nexus to ensure you choose the right keystore.
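
The mistake that resolved this thread, importing a certificate other than the one the server presents, can be checked directly. The script below is an added example, not part of the thread or the plugin: it works out which truststore a JVM command line selects and compares the SHA-256 fingerprint of the certificate the server presents with the entries in that truststore. It assumes `openssl` and `keytool` are on the PATH and that the server certificate itself was imported (the self-signed case discussed here); the host, port, paths and the sample `keytool` output are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Host, port and paths are assumptions;
# a CA-issued certificate would need the issuer compared instead of the leaf.

# Strip colons/whitespace and upper-case a hex fingerprint.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Truststore the JVM will read: the last -Djavax.net.ssl.trustStore=... on its
# command line ($1), else <java-home>/lib/security/{jssecacerts,cacerts} ($2).
effective_truststore() {
  local ts
  ts=$(printf '%s\n' "$1" | tr ' ' '\n' |
       sed -n 's/^-Djavax\.net\.ssl\.trustStore=//p' | tail -n 1)
  if [ -n "$ts" ]; then printf '%s\n' "$ts"
  elif [ -f "$2/lib/security/jssecacerts" ]; then printf '%s\n' "$2/lib/security/jssecacerts"
  else printf '%s\n' "$2/lib/security/cacerts"
  fi
}

# SHA-256 fingerprint of the leaf certificate presented by host $1, port $2.
server_fp() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Read `keytool -list -v` output on stdin; print aliases whose SHA256 equals $1.
aliases_matching() {
  awk -v want="$(norm_fp "$1")" '
    /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); alias = $0; next }
    /^[ \t]*SHA256:/ {
      fp = $0; sub(/^[ \t]*SHA256:[ \t]*/, "", fp); gsub(/[: \t\r]/, "", fp)
      if (toupper(fp) == want) print alias
    }'
}

# Constructed sample of `keytool -list -v` output (fingerprints are made up).
sample_keytool_listing() {
  cat <<'EOF'
Alias name: my crowd cert
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
Alias name: old-proxy-cert
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: 00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11
EOF
}

# Compare what the server presents with what the truststore holds.
# The store password is read from $TRUSTSTORE_PASS so it stays off the command line.
check_truststore() {   # args: host port truststore
  local fp hits
  fp=$(server_fp "$1" "$2")
  [ -n "$fp" ] || { echo "could not read a certificate from $1:$2" >&2; return 2; }
  hits=$(keytool -list -v -keystore "$3" -storepass:env TRUSTSTORE_PASS | aliases_matching "$fp")
  if [ -n "$hits" ]; then echo "presented certificate is trusted as: $hits"
  else echo "presented certificate $fp is not in $3"; return 1
  fi
}

# Usage: script HOST PORT TRUSTSTORE
if [ "$#" -eq 3 ]; then check_truststore "$1" "$2" "$3"; fi
```

Run `keytool` from the same Java installation that runs Nexus, and pass `effective_truststore` the command line of the running Nexus JVM so the file being checked is the one that JVM actually reads.
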

vaibhavbhanawat01 commented 7 years ago

Hi @pingunaut I am trying to send the SMS using the Nexmo API, but I am getting the error below:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at com.nexmo.client.voice.endpoints.AbstractMethod.execute(AbstractMethod.java:105)
    at com.nexmo.client.verify.endpoints.VerifyEndpoint.verify(VerifyEndpoint.java:100)
    at com.nexmo.client.verify.VerifyClient.verify(VerifyClient.java:79)
    at Nexmo.send2FACode(Nexmo.java:42)
    at Nexmo.main(Nexmo.java:23)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 32 more

martinspielmann commented 7 years ago

@vaibhavbhanawat01 OK, I think this is a bit off topic... how does this relate to Sonatype Nexus OSS or Atlassian Crowd?

vaibhavbhanawat01 commented 7 years ago

It is not related to Nexus OSS. But I am getting this same error while sending SMS using the Nexmo API.

martinspielmann commented 7 years ago

OK, unfortunately I don't know the Nexmo API, but the steps above might work for you also, you just have to navigate to the API URL instead of a Crowd URL. Otherwise it might be a good idea to post your problem in a Nexmo-related forum or a platform like StackOverflow, because it has basically nothing to do with this repo...

vaibhavbhanawat01 commented 7 years ago

ok thanks @pingunaut