scala / scabot

Scala's PR&CI automation bot
Apache License 2.0

CLA checker has ssl problems? #92

Closed adriaanm closed 5 years ago

adriaanm commented 5 years ago
2018-12-27 17:27:23,003 [ERROR] from spray.can.client.HttpClientConnection in application-akka.actor.default-dispatcher-6 - Aborting encrypted connection to www.lightbend.com/34.238.100.233:443 due to [SSLHandshakeException:General SSLEngine problem] -> [SSLHandshakeException:General SSLEngine problem] -> [ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] -> [SunCertPathBuilderException:unable to find valid certification path to requested target]

It happened when I upgraded that machine, so maybe the JVM was upgraded and cacerts were changed to no longer include what's needed to validate our own cert??

Looks like lightbend.com got a new cert around the time this started failing.

edwardcallahan commented 5 years ago

Was this using a SAN on the old cert? That is, www.lightbend.com should validate from a modern JVM, but other SAN hostnames on the cert were dropped from the certificate.

adriaanm commented 5 years ago

I have no idea :-/ The error is

Aborting encrypted connection to www.lightbend.com/34.238.100.233:443 due to 
[SSLHandshakeException:General SSLEngine problem] 
-> [SSLHandshakeException:General SSLEngine problem] 
-> [ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] 
-> [SunCertPathBuilderException:unable to find valid certification path to requested target]

(So, it looks like it's just using plain www.lightbend.com as the hostname.)

adriaanm commented 5 years ago

I followed https://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line and added https://support.comodo.com/index.php?/Knowledgebase/Article/View/970/108/intermediate-2-sha-2-comodo-rsa-domain-validation-secure-server-ca. That fixed it.

edwardcallahan commented 5 years ago

Interesting. So you needed to add the Comodo intermediate. @JustinPihony, did you upload or merge the comodo intermediate? If not, that would seem to be the change/difference. The CA vendor did not change between certs.

JustinPihony commented 5 years ago

I uploaded. It was a straight swap. I’ll review this in more depth in the a.m. to make sure all is as expected.


JustinPihony commented 5 years ago

This has been handled at the server level, so it should work everywhere now. I'm unsure if your workaround will need to be removed or not @adriaanm

JustinPihony commented 5 years ago

Can this be closed?

adriaanm commented 5 years ago

Yep
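
The scenario this thread points to (a leaf certificate whose intermediate is neither sent by the server nor present in the client's trust store, plus the two fixes mentioned: trusting the intermediate locally, or serving it from the server), reproduced offline with the `openssl` CLI. This is an added example, not part of the original thread or of scabot; the CA and host names are constructed placeholders, and it assumes `openssl` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example: throwaway PKI (root -> intermediate -> leaf). All names are
# constructed placeholders, not the real lightbend.com or Comodo certificates.

# new_csr DIR NAME CN: generate a private key and a CSR for CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_pki DIR: build root.pem, int.pem, leaf.pem and a store that also trusts int.
make_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    new_csr "$d" root "Demo Root CA" &&
    new_csr "$d" int "Demo Intermediate CA" &&
    new_csr "$d" leaf "www.example.test" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/root.pem" "$d/int.pem" > "$d/store-with-int.pem"
}

# verify_leaf DIR MODE: print "ok" if a path from leaf to a trusted cert is found.
verify_leaf() {
    d=$1
    case $2 in
        server-omits-int)  set -- -CAfile "$d/root.pem" ;;                          # client knows only the root
        server-sends-int)  set -- -CAfile "$d/root.pem" -untrusted "$d/int.pem" ;;  # server-side fix
        client-trusts-int) set -- -CAfile "$d/store-with-int.pem" ;;                # client-side workaround
        *) echo "unknown mode: $2" >&2; return 2 ;;
    esac
    if openssl verify "$@" "$d/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT          # the throwaway private keys are removed on exit
make_pki "$demo" || { echo "openssl could not build the demo PKI" >&2; exit 1; }
for mode in server-omits-int server-sends-int client-trusts-int; do
    printf '%-18s %s\n' "$mode" "$(verify_leaf "$demo" "$mode")"
done
```

The `server-omits-int` case is OpenSSL's counterpart of the JVM's "PKIX path building failed" error: the client holds the root but has no way to link the leaf to it.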