Open blissjoe opened 2 years ago
Hmm, not getting this issue with a clean install of CentOS 7 and latest Java 11 installed from the distro. I don't have RHEL to test on. Is there anything else unusual about your server/jvm setup?
[vm@localhost pwm]$ git log -1
commit b9cb0ac28425cf83efefb6faf821a6aaff014fa0
Author: Jason Rivard jrivard@gmail.com
Date: Sun Mar 20 14:01:15 2022 -0400
npm angular dependency updates
[vm@localhost pwm]$ git branch
[vm@localhost pwm]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
[vm@localhost pwm]$ ./mvnw verify
...snip....
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [04:33 min]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 17.950 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 13.934 s]
[INFO] PWM Password Self Service: Server JAR .............. SUCCESS [02:16 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SUCCESS [ 50.348 s]
[INFO] PWM Password Self Service: Server WAR .............. SUCCESS [02:19 min]
[INFO] PWM Password Self Service: Executable Server JAR ... SUCCESS [ 44.821 s]
[INFO] PWM Password Self Service: Data Service WAR ........ SUCCESS [ 56.567 s]
[INFO] PWM Password Self Service: REST Test Server WAR .... SUCCESS [ 8.749 s]
[INFO] PWM Password Self Service: Docker Image ............ SUCCESS [01:01 min]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 13:23 min
[INFO] Finished at: 2022-03-21T19:41:23-04:00
[INFO] ------------------------------------------------------------------------
Thank you for the response. Here is some additional information from the build above.
I will try my build on CentOS Stream 8 later today and see if it runs into the same problem. I'll also see if I can find any other helpful information.
[user@pwm01-test pwm]# git log -1
commit b9cb0ac28425cf83efefb6faf821a6aaff014fa0 (HEAD -> master, origin/master, origin/HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Sun Mar 20 14:01:15 2022 -0400
npm angular dependency updates
[user@pwm01-test pwm]# git branch
[user@pwm01-test ~]$ java -version -- test server
openjdk version "17.0.2" 2022-01-18 LTS
OpenJDK Runtime Environment 21.9 (build 17.0.2+8-LTS)
OpenJDK 64-Bit Server VM 21.9 (build 17.0.2+8-LTS, mixed mode, sharing)
[user@pwm01 ~]$ java -version -- production server
openjdk version "11.0.14.1" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)
To help verify, I ran, git checkout 437e617cd76c3de8528a6bab939c1cefecabdc94
and was able to build on the same server.
[user@pwm01-test pwm]# git log -1
commit 437e617cd76c3de8528a6bab939c1cefecabdc94 (HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Fri Mar 4 17:29:34 2022 -0500
create lib-data and lib-util submodules and begin move of appropriate code to submodules
[user@pwm01-test pwm]# ./mvnw clean verify
...snip...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [05:15 min]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 18.501 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 21.988 s]
[INFO] PWM Password Self Service: Server JAR .............. SUCCESS [03:11 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SUCCESS [ 47.298 s]
[INFO] PWM Password Self Service: Server WAR .............. SUCCESS [02:45 min]
[INFO] PWM Password Self Service: Executable Server JAR ... SUCCESS [ 59.189 s]
[INFO] PWM Password Self Service: Data Service WAR ........ SUCCESS [ 29.318 s]
[INFO] PWM Password Self Service: REST Test Server WAR .... SUCCESS [ 10.620 s]
[INFO] PWM Password Self Service: Docker Image ............ SUCCESS [ 45.033 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15:05 min
[INFO] Finished at: 2022-03-22T07:31:54-04:00
[INFO] ------------------------------------------------------------------------
After I ran, git checkout d9cadfbe1a870b107466c6a7648d32d7efd2c0c4
and ran into the build issue.
[user@pwm01-test pwm]# git log -1
commit d9cadfbe1a870b107466c6a7648d32d7efd2c0c4 (HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Wed Mar 9 17:43:45 2022 -0500
fix test cases, improve docker startup scripts
[user@pwm01-test pwm]# ./mvnw clean verify
...snip...
[INFO] Results:
[INFO]
[ERROR] Errors:
[ERROR] PwmHttpClientTest.testGetHttpClientSslHello:200 » PwmUnrecoverable 5057 ERROR_...
[ERROR] PwmHttpClientTest.testGetHttpClientSslWithCertificates:233 » PwmUnrecoverable ...
[INFO]
[ERROR] Tests run: 211, Failures: 0, Errors: 2, Skipped: 0
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [ 19.567 s]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 21.365 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 24.159 s]
[INFO] PWM Password Self Service: Server JAR .............. FAILURE [01:48 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SKIPPED
[INFO] PWM Password Self Service: Server WAR .............. SKIPPED
[INFO] PWM Password Self Service: Executable Server JAR ... SKIPPED
[INFO] PWM Password Self Service: Data Service WAR ........ SKIPPED
[INFO] PWM Password Self Service: REST Test Server WAR .... SKIPPED
[INFO] PWM Password Self Service: Docker Image ............ SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:53 min
[INFO] Finished at: 2022-03-22T07:39:29-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5:test (default-test) on project pwm-server: There are test failures.
Hi Jason,
I was able to replicate the issue with CentOS 8 Stream. I set up a new virtual machine with the following settings -
CentOS 8 Stream - Minimal Install
dnf install git java-11-openjdk java-11-openjdk-devel bzip2 unzip wget
export JAVA_HOME="/usr/lib/jvm/java-11-openjdk-11.0.14.1.1-2.el8.x86_64"
git clone https://github.com/pwm-project/pwm
cd pwm
./mvnw clean verify
[root@pwm02-test pwm]# git log -1
commit b9cb0ac28425cf83efefb6faf821a6aaff014fa0 (HEAD -> master, origin/master, origin/HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Sun Mar 20 14:01:15 2022 -0400
npm angular dependency updates
[root@pwm02-test pwm]# git branch
[root@pwm02-test pwm]# java -version
openjdk version "11.0.14.1" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)
[root@pwm02-test pwm]# cat /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
[root@pwm02-test pwm]# ./mvnw clean verify
...snip...
[ERROR] Errors:
[ERROR] PwmHttpClientTest.testGetHttpClientSslHello:200 » PwmUnrecoverable 5057 ERROR_...
[ERROR] PwmHttpClientTest.testGetHttpClientSslWithCertificates:233 » PwmUnrecoverable ...
[INFO]
[ERROR] Tests run: 211, Failures: 0, Errors: 2, Skipped: 0
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [02:33 min]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 17.190 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 12.475 s]
[INFO] PWM Password Self Service: Server JAR .............. FAILURE [01:08 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SKIPPED
[INFO] PWM Password Self Service: Server WAR .............. SKIPPED
[INFO] PWM Password Self Service: Executable Server JAR ... SKIPPED
[INFO] PWM Password Self Service: Data Service WAR ........ SKIPPED
[INFO] PWM Password Self Service: REST Test Server WAR .... SKIPPED
[INFO] PWM Password Self Service: Docker Image ............ SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 04:12 min
[INFO] Finished at: 2022-03-23T08:33:27-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5:test (default-test) on project pwm-server: There are test failures.
[root@pwm02-test pwm]# git checkout 437e617cd76c3de8528a6bab939c1cefecabdc94
[root@pwm02-test pwm]# git log -1
commit 437e617cd76c3de8528a6bab939c1cefecabdc94 (HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Fri Mar 4 17:29:34 2022 -0500
create lib-data and lib-util submodules and begin move of appropriate code to submodules
[root@pwm02-test pwm]# ./mvnw clean verify
...snip...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [02:14 min]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 10.250 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 11.766 s]
[INFO] PWM Password Self Service: Server JAR .............. SUCCESS [01:59 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SUCCESS [ 47.275 s]
[INFO] PWM Password Self Service: Server WAR .............. SUCCESS [01:57 min]
[INFO] PWM Password Self Service: Executable Server JAR ... SUCCESS [ 40.300 s]
[INFO] PWM Password Self Service: Data Service WAR ........ SUCCESS [ 38.640 s]
[INFO] PWM Password Self Service: REST Test Server WAR .... SUCCESS [ 7.882 s]
[INFO] PWM Password Self Service: Docker Image ............ SUCCESS [ 38.104 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 09:25 min
[INFO] Finished at: 2022-03-23T08:45:14-04:00
[INFO] ------------------------------------------------------------------------
It looks like inside server/src/test/java/password/pwm/http/client/PwmHttpClientTest.java a test certificate is created.
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=localhost
I think if we update server/src/main/java/password/pwm/util/secure/self/SelfCertSettings.java to 2048 then it might resolve the issue.
@Builder.Default
private int keySize = 1024;
I can try it on my system and try to do a Pull Request.
Updating that keySize did fix the build on CentOS Stream 8. I will test it on RHEL8 and see if I can figure out how to do a Pull Request for it.
[root@pwm02-test pwm]# git log -1
commit b9cb0ac28425cf83efefb6faf821a6aaff014fa0 (HEAD -> master, origin/master, origin/HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Sun Mar 20 14:01:15 2022 -0400
npm angular dependency updates
[root@pwm02-test pwm]# cat server/src/main/java/password/pwm/util/secure/self/SelfCertSettings.java | grep 2048
private int keySize = 2048;
[root@pwm02-test pwm]# ./mvnw clean verify
...snip...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [ 10.988 s]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 11.635 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 12.461 s]
[INFO] PWM Password Self Service: Server JAR .............. SUCCESS [02:01 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SUCCESS [ 44.394 s]
[INFO] PWM Password Self Service: Server WAR .............. SUCCESS [01:48 min]
[INFO] PWM Password Self Service: Executable Server JAR ... SUCCESS [ 39.902 s]
[INFO] PWM Password Self Service: Data Service WAR ........ SUCCESS [ 17.279 s]
[INFO] PWM Password Self Service: REST Test Server WAR .... SUCCESS [ 7.645 s]
[INFO] PWM Password Self Service: Docker Image ............ SUCCESS [ 34.451 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 06:48 min
[INFO] Finished at: 2022-03-23T09:22:15-04:00
[INFO] ------------------------------------------------------------------------
So I've been looking into this for the past few days and I'm a bit confused why CentOS Stream 8/9 is having trouble with the 2048 key size. I've tested a half dozen other distros' default JDKs without issue, as well as Win11+Temurin JDK. It took me a while to figure out CentOS "Stream" replaced CentOS, but after I did I tested 8/9 and saw the same errors as you. However, if I grab the Azul or Temurin build of 11.0.14 and use it on CentOS Stream 8/9 it works fine, so this appears to be an issue purely with the CentOS Stream builds of OpenJDK.
I looked at the java.security properties file of the CentOS Stream JDKs, but I couldn't see any reason why it would limit the keysize to 1024.
I changed the keysize from 1024 in PWM, because best practices are now >= 2048 for RSA keys, and had an issue with WireMock at 1024 - though WireMock is quite fragile and my issue may have been unrelated.
I'm reluctant to downgrade the default self service key back to 1024, but if we can figure out a way to parameterize it for the test that might be a workable solution.....
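An added diagnostic, not PWM code and not written by anyone in this thread: it prints the effective jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms values of the JVM it runs in and reports whether RSA 1024 and 2048 bit keys fall under an "RSA keySize" entry, the kind of limit named in the CertPathValidatorException quoted above. The class name and the first sample value are assumptions made for this example.

```java
import java.security.Security;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical diagnostic class (not part of PWM).
public class RsaKeySizeConstraintCheck {
    // One disabledAlgorithms entry of the form "RSA keySize < 1024".
    private static final Pattern RSA_KEYSIZE =
            Pattern.compile("^RSA\\s+keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+)");

    /** Returns true if propertyValue disables RSA keys of keyBits bits. */
    static boolean rsaKeyRejected(String propertyValue, int keyBits) {
        if (propertyValue == null) {
            return false; // property not set in this JVM
        }
        for (String entry : propertyValue.split(",")) {
            Matcher m = RSA_KEYSIZE.matcher(entry.trim());
            if (!m.find()) {
                continue; // not an RSA key size entry
            }
            int limit = Integer.parseInt(m.group(2));
            switch (m.group(1)) {
                case "<":  if (keyBits < limit)  return true; break;
                case "<=": if (keyBits <= limit) return true; break;
                case ">":  if (keyBits > limit)  return true; break;
                case ">=": if (keyBits >= limit) return true; break;
                case "==": if (keyBits == limit) return true; break;
                default:   if (keyBits != limit) return true; break; // "!="
            }
        }
        return false;
    }

    static void report(String name, String value) {
        System.out.println(name + " = " + value);
        for (int bits : new int[] {1024, 2048}) {
            System.out.println("  RSA " + bits + ": "
                    + (rsaKeyRejected(value, bits) ? "rejected" : "allowed"));
        }
    }

    public static void main(String[] args) {
        // Constructed sample value, to show the parsing on a known input.
        report("constructed sample", "MD2, MD5, RSA keySize < 2048, DSA keySize < 1024");
        // Effective values in the JVM that runs this class.
        report("jdk.certpath.disabledAlgorithms",
                Security.getProperty("jdk.certpath.disabledAlgorithms"));
        report("jdk.tls.disabledAlgorithms",
                Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Run it with the same JDK that runs the Maven build (on Java 11 and later, java RsaKeySizeConstraintCheck.java), so the values printed are the ones the failing test sees.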
Describe the bug
We are trying to build from the latest source and PwmHttpClientTest is failing.
We are running RHEL8 and have tried Open JDK 11 and 17. The build worked on this server around a month ago.
It may be related to this commit? - https://github.com/pwm-project/pwm/commit/d9cadfbe1a870b107466c6a7648d32d7efd2c0c4
To Reproduce
Steps to reproduce the behavior:
Additional context