rstudio / shinycannon

Load generation tool, part of shinyloadtest
https://rstudio.github.io/shinyloadtest/

javax.net.ssl.SSLHandshakeException - documentation needed for adding trust chain certificates to shinycannon #50

Open mskyttner opened 4 years ago

mskyttner commented 4 years ago

When using shinycannon against an https URL with a valid trust chain of certificates recognised by major web browsers (in this case involving TERENA SSL CA 3 and DigiCert Assured ID Root CA, which do not seem to come pre-installed in the default trusted keystores used by the Java runtime that executes shinycannon - or in the system package "ca-certificates"), the following exception occurs:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This issue is a wish for extended shinycannon documentation to cover a recommended way for how to add the relevant certificates to the Java runtime in order to avoid the above exception when using shinycannon against a valid https url.

In my case I was able to resolve the issue above and get rid of the exception by installing the certificate chain (using the chain.pem-file that Firefox provided when inspecting the SSL certificate) into /usr/local/share/ca-certificates and then running "sudo apt update-ca-certificates" which made the trust chain available to the system (in this case running rocker/tidyverse based on Debian 9 OS). It then also became available to Java at which point shinycannon was happy again. The procedure will likely differ depending on platform / OS where the Java runtime is deployed.

luma-sb commented 1 year ago

I had the same issue in Windows, for anyone else coming across this - I resolved it by:

  1. From your Java's bin directory open an Administrator Terminal:
    • e.g. C:\Program Files\Java\jre1.8.0_351\bin
  2. Obtain the certificate from the site you are testing from your browser. In Edge:
    • click padlock
    • click Connection is secure >
    • click little certificate icon in top-right
    • In certificate viewer, click Details tab
    • click Export... button at bottom right
    • Save
    • Select a directory to save to (eg. Downloads)
    • Save as type Base64-encoded, certificate chain
    • Click Save
  3. In Terminal run keytool -import -file {certfile path} -alias {descriptive name} -keystore {cacerts file}, where:
    • {certfile path} = path to certificate file saved in step 2
    • {descriptive name} = any reasonable descriptive name for certificate
    • {cacerts file} = ..\lib\security\cacerts
    • e.g. keytool -import -file "C:\Users\<your username>\Downloads\_.yourdomain.crt" -alias "<your domain>" -keystore "..\lib\security\cacerts"
  4. When prompted to Enter keystore password:
    • default value is: changeit
  5. When asked Trust this certificate? [no]:
    • type yes
  6. Ensure you do NOT get the following output: keytool error: java.io.FileNotFoundException: ..\lib\security\cacerts (Access is denied)
    • if you do, you likely need to repeat the above in an Administrator Terminal as advised above!

If anyone knows a way to avoid the above process I would love to hear! Thanks
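
An alternative to editing the JRE-wide cacerts file, as an added example that is not part of the original comments or of shinycannon: split the exported PEM chain, import each certificate into a dedicated truststore, and point only the load-test JVM at it through JAVA_TOOL_OPTIONS. The function names, alias prefix and paths are assumptions made for this sketch; a custom trustStore replaces the default CA set for that JVM, which scopes the added trust to the load test.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and aliases are hypothetical.

# split_chain CHAIN_PEM OUT_DIR
# Writes each certificate block to OUT_DIR/cert-N.pem and prints how many were found.
# Text outside BEGIN/END markers (subject lines, comments) is dropped.
split_chain() {
    chain=$1; out=$2
    mkdir -p "$out" || return 1
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END                           { print n + 0 }
    ' "$chain"
}

# build_truststore CHAIN_PEM STORE PASSWORD
# Imports every certificate of the chain under its own alias, because a
# trusted-certificate entry holds one certificate. The store contains public
# certificates only; its password protects integrity, not secrecy.
build_truststore() {
    chain=$1; store=$2; pass=$3
    tmp=$(mktemp -d) || return 1
    count=$(split_chain "$chain" "$tmp") || { rm -rf "$tmp"; return 1; }
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $chain" >&2
        rm -rf "$tmp"; return 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -trustcacerts \
            -file "$tmp/cert-$i.pem" -alias "loadtest-chain-$i" \
            -keystore "$store" -storepass "$pass" || { rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# jvm_trust_opts STORE PASSWORD
# Prints the system properties that make a JVM use STORE as its truststore.
jvm_trust_opts() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Usage (paths and password are placeholders):
#   build_truststore chain.pem ./loadtest-trust.jks 'choose-a-password'
#   JAVA_TOOL_OPTIONS="$(jvm_trust_opts ./loadtest-trust.jks 'choose-a-password')" shinycannon ...
```

No administrator rights are needed because the truststore is an ordinary file, and it survives JRE upgrades that would replace cacerts.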