stempler / gradle-versioneye-plugin

Plugin for Gradle to update your project's dependencies status on www.versioneye.com
MIT License

SSL issues? #28

Closed JordanMarshall closed 8 years ago

JordanMarshall commented 8 years ago

Yesterday things were working fine, but today I started running into what appears to be a certificate issue whenever I attempt to create/update projects via the plugin. I get the following error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

After manually adding the certificate to the java certs, I get a different error:

Certificate for <www.versioneye.com> doesn't match any of the subject alternative names: [sengaa.versioneye.com]

Here are the logs preceding the errors:

[groovyx.net.http.HTTPBuilder] POST https://www.versioneye.com/api/v2/projects?api_key=<key removed>
[org.apache.http.impl.conn.BasicClientConnectionManager] Get connection for route {s}->https://www.versioneye.com:443
[org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to www.versioneye.com:443
[org.apache.http.impl.conn.DefaultClientConnection] Connection org.apache.http.impl.conn.DefaultClientConnection@7257cbce closed
[org.apache.http.impl.conn.DefaultClientConnection] Connection org.apache.http.impl.conn.DefaultClientConnection@7257cbce shut down

bootstraponline commented 8 years ago

It'd be nice to have an option to ignore SSL errors when versioneye.com has issues.

tompahoward commented 8 years ago

This is happening for me as well, from various machines and OSes.

tompahoward commented 8 years ago

Also reported issue at https://bitbucket.org/versioneye/versioneye/issues/275/ssl-certificate-issues-when-using-gradle

reiz commented 8 years ago

@JordanMarshall @tompahoward We created some new SSL certificates for some sub domains via LetsEncrypt, but didn't update the main cert for the main domain www.versioneye.com. I guess that caused the error. Now ALL domains and sub domains of VersionEye are running on LetsEncrypt certs. Can you please try again and let me know if it's fixed?

JordanMarshall commented 8 years ago

I just tried again on two different machines, but I'm still seeing the issue.

reiz commented 8 years ago

@JordanMarshall @tompahoward I did some research and found out that Oracle JVM has issues with LetsEncrypt. It seems they didn't ship the root cert of LetsEncrypt. For right now I rolled back our certificates and the JVM plugins are working fine again. It's sad that Java doesn't support LetsEncrypt :-( All other VersionEye plugins (PHP, NPM, Ruby) didn't complain about the LetsEncrypt cert.

bootstraponline commented 8 years ago

I thought they ship it in modern versions of Java?

tompahoward commented 8 years ago

@reiz I think there was more to it than that. After manually adding their cross-sign cert, the PKIX error disappeared, but then it complained about the subject alternate names. Did your LetsEncrypt cert include www.versioneye.com in the SAN field? If not, then that could be the problem. RFC 6125 specifies that if the SAN is present then the CN should not be checked. But this is a new spec, so the other tooling may be checking both the SAN and the CN for www.versioneye.com.

with credit to http://stackoverflow.com/a/5937270/269221

tompahoward commented 8 years ago

@reiz if you set up a different host with the Let's Encrypt cert (like maybe just a reverse proxy for www.versioneye.com), I'm happy to help you debug it further, but by using a different host, we won't be impacting anyone else.
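
Added example (not part of the original thread or the plugin's code): a sketch of the RFC 6125 rule raised in the thread, comparing a strict verifier that ignores the CN once a SAN is present with a lenient one that checks both. The SAN value is the one from the error message above; the CN value, the `.test` names and all function names are assumptions made for illustration.

```python
# Added example: RFC 6125-style host matching vs. a lenient SAN-or-CN check.
# Certificate fields are constructed sample data, not the real VersionEye cert.

def name_matches(pattern, host):
    """Compare one presented name with the requested host, label by label.

    A wildcard is honoured only as the complete left-most label, covers
    exactly one label, and must be followed by at least two fixed labels.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def verify_strict(host, san_dns, common_name):
    """RFC 6125 behaviour: once any dNSName SAN exists, the CN is not consulted."""
    if san_dns:
        return any(name_matches(n, host) for n in san_dns)
    return common_name is not None and name_matches(common_name, host)

def verify_lenient(host, san_dns, common_name):
    """Lenient behaviour: a match in either the SAN list or the CN is accepted."""
    if any(name_matches(n, host) for n in san_dns):
        return True
    return common_name is not None and name_matches(common_name, host)

def compare(host, san_dns, common_name):
    """Return both verdicts so a disagreement between clients is visible."""
    return {
        "strict": verify_strict(host, san_dns, common_name),
        "lenient": verify_lenient(host, san_dns, common_name),
    }

# SAN taken from the error message in the thread; the CN is hypothetical.
SAMPLE_CERT = {
    "san_dns": ["sengaa.versioneye.com"],
    "common_name": "www.versioneye.com",
}

if __name__ == "__main__":
    for host in ("www.versioneye.com", "sengaa.versioneye.com"):
        print(host, compare(host, **SAMPLE_CERT))
```

Under these assumptions the two verifiers disagree for `www.versioneye.com`, which is the kind of split between clients the thread describes.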