
Cloning with HTTPS/SSL-enabled authentication fails through JGit code, as explained in https://www.codeaffine.com/2014/12/09/jgit-authentication/,
when I use Docker for the app.

The clone is successful when I use the war file locally (Ubuntu and Windows) with HTTPS authentication (SSL verify enabled), both with username/password and with username/personal access token.

Strangely, this SSL issue happens only in the Docker setup. However, cloning is successful when I use SSH authentication. I am using a private GitHub repo to clone. I have tried various Stack Overflow suggestions to use the keytool command to check cacerts. There are various code suggestions to disable SSL verify, but I cannot afford to lose out on security.

The errors I get are:

org.eclipse.jgit.transport.TransportHttp.handleSslFailure(TransportHttp.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

caused by: javax.net.ssl.SSLHandshakeException unable to find valid certification path to requested target

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)

Can we code JGit to clone successfully with HTTPS (SSL verification enabled), using username/password credentials, in a Docker setup? If anybody has done this, please let me know.

Seeker
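The stack trace above is the JSSE trust check failing, not the credential exchange: the JVM could not build a path from github.com's certificate to any trust anchor it knows. The following is an added diagnostic, not code from the question or from the linked codeaffine article. It asks the JVM which truststore it will actually use (honouring `-Djavax.net.ssl.trustStore`), counts the trusted CAs it loaded, looks for DigiCert roots by subject name, optionally validates a saved PEM chain (leaf first, e.g. captured with `openssl s_client -showcerts`) with the same PKIX validator the handshake uses, and then performs the HTTPS clone with JGit's `UsernamePasswordCredentialsProvider` while leaving SSL verification enabled. It assumes `org.eclipse.jgit` is on the classpath and that the password or token is supplied in an environment variable named `GIT_SECRET` (an assumed name, chosen so the secret never appears on the command line).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.eclipse.jgit.api.Git;
import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;

public class TrustStoreCheck {

    /** File the JVM will read as its truststore: the -D override if set, else jssecacerts, else cacerts. */
    static Path effectiveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : security.resolve("cacerts");
    }

    /** Trust manager initialised exactly as JSSE does for an HTTPS connection (null = default truststore). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Subjects of trusted CAs whose name contains the fragment, e.g. "DigiCert" for github.com's issuer. */
    static List<String> trustedIssuersMatching(X509TrustManager tm, String fragment) {
        List<String> hits = new ArrayList<>();
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            String subject = ca.getSubjectX500Principal().getName();
            if (subject.contains(fragment)) {
                hits.add(subject);
            }
        }
        return hits;
    }

    /** PKIX-validates a PEM chain (leaf first) against the JVM's anchors; a missing root fails here
     *  with the same "unable to find valid certification path" message as the handshake. */
    static void validateChain(X509TrustManager tm, Path pemChain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = Files.newInputStream(pemChain)) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            anchors.add(new TrustAnchor(ca, null));
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline path-building check only; revocation is a separate concern
        CertPath path = cf.generateCertPath(chain);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** HTTPS clone with username/password (or token) auth; http.sslVerify is left at its default of true. */
    static Git cloneWithCredentials(String uri, Path target, String user, String secret) throws Exception {
        return Git.cloneRepository()
                .setURI(uri)
                .setDirectory(target.toFile())
                .setCredentialsProvider(new UsernamePasswordCredentialsProvider(user, secret))
                .call();
    }

    // usage: TrustStoreCheck [chain.pem [https://github.com/owner/repo.git /tmp/clone username]]
    public static void main(String[] args) throws Exception {
        System.out.println("java.home                = " + System.getProperty("java.home"));
        System.out.println("effective truststore     = " + effectiveTrustStore());
        X509TrustManager tm = defaultTrustManager();
        System.out.println("trusted CAs loaded       = " + tm.getAcceptedIssuers().length);
        System.out.println("DigiCert anchors present = " + trustedIssuersMatching(tm, "DigiCert").size());
        if (args.length > 0) {
            try {
                validateChain(tm, Paths.get(args[0]));
                System.out.println("chain validates against this JVM's trust anchors");
            } catch (CertPathValidatorException e) {
                System.out.println("chain does NOT validate: " + e.getMessage());
            }
        }
        if (args.length >= 4) {
            String secret = System.getenv("GIT_SECRET"); // assumed variable name; keeps the token out of argv
            try (Git git = cloneWithCredentials(args[1], Paths.get(args[2]), args[3], secret)) {
                System.out.println("cloned into " + git.getRepository().getDirectory());
            }
        }
    }
}
```

Run it inside the container first with no arguments: "trusted CAs loaded = 0" means the truststore the JVM resolved is empty or missing (a repointed `javax.net.ssl.trustStore`, or a base image that ships none), while a healthy count with zero DigiCert anchors means the store exists but lacks github.com's issuer. Either way the fix is to point the JVM at a truststore that contains the root, or import the root into the one it uses, rather than turning `http.sslVerify` off.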
  • Which Java version? Is the server you're trying to connect to using a self-signed certificate? – Misantorp May 18 '19 at 13:36
  • Thanks for your response. `java -version`: openjdk version "1.8.0_212" OpenJDK Runtime Environment (build 1.8.0_212-b03) Eclipse OpenJ9 VM (build openj9-0.14.0, JRE 1.8.0 Linux amd64-64-Bit). Regarding the certificate of the server, the private repo is in GitHub and my Docker app I am running in a VM machine. GitHub is customer signed and my app running in Docker is not signed (I am sorry, I am not aware of it). – Seeker May 18 '19 at 15:28
  • The repo which I clone is hosted on https://github.com/, so the server running in Docker tries to clone this repo at https://github.com/username/repoToBeCloned using HTTPS username/password authentication. I hope this is clear. – Seeker May 18 '19 at 17:03
  • That makes it crystal clear :) If that is the case I would almost suspect that Java either 1) has no trust store, or 2) that the Docker image provides its own Java trust store that doesn't contain the [DigiCert root certificate](http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt), or 3) your connection is being intercepted. – Misantorp May 18 '19 at 17:10
  • To be clear, the error you're seeing is related to Java not trusting the certificate (or being unable to verify the certificate chain). It is not related to authentication. – Misantorp May 18 '19 at 17:12
  • Thanks @Misantorp, can you please let me know what is to be done to make Java trust the certificate? – Seeker May 18 '19 at 17:23
  • For adding trust to the DigiCert root certificate please see [this answer](https://stackoverflow.com/a/46960270/9996073) to [this question](https://stackoverflow.com/q/46923699/9996073). Adjust that solution as needed. But that should all be unnecessary if your Docker image uses the default Java truststore. Please include the contents of your `dockerfile`. That way others and myself can see which base image you're using. – Misantorp May 18 '19 at 17:35
  • FROM adoptopenjdk/openjdk8-openj9:alpine-slim
    LABEL maintainer="example company name"
    ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
        JHIPSTER_SLEEP=0 \
        JAVA_OPTS=""
    RUN adduser -D -s /bin/sh jhipster
    WORKDIR /home/jhipster
    ADD entrypoint.sh entrypoint.sh
    RUN chmod 755 entrypoint.sh && chown jhipster:jhipster entrypoint.sh
    USER jhipster
    ENTRYPOINT ["./entrypoint.sh"]
    EXPOSE 8500
    ADD *.war app.war
    – Seeker May 18 '19 at 17:47
  • This link https://stackoverflow.com/a/46960270/9996073 also did not work. The same error persists. – Seeker May 19 '19 at 11:59
  • Meanwhile, I am able to git clone the GitHub repo through the command prompt in Docker. – Seeker May 21 '19 at 13:16
  • Yes, the OS trust store and Java trust store contain different certificates. You could just try to base your Docker image on another base image. Currently you're using Alpine; try something else. – Misantorp May 21 '19 at 14:12
  • With the Ubuntu base image I am having issues with Spring bean creation. With respect to the Alpine base image, which is the OS trust store path and which is the Java store path? I think the Java store path is $JAVA_HOME/jre/lib/security/cacerts; what could be the OS trust store, is it /etc/ssl_pub/server.jks? – Seeker May 21 '19 at 17:30
  • Did some digging into the Alpine image you're using, and the keystore at `/opt/java/openjdk/jre/lib/security/cacerts` contains both the intermediate and root certificate presented by github.com. Yours should be identical. I'm not familiar with `jgit`, but if it's not specifically configured to use an alternative trust store it should work out of the box. The OS trust store is located at `/etc/ssl/certs/ca-certificates.crt`, it seems. I don't think I'll be able to help you more, sorry. – Misantorp May 21 '19 at 18:42
  • @Misantorp, thanks a ton. I also executed in Docker a Java program using JGit to clone a repo from GitHub successfully. It's picking the certificates from etc/ssl/cert.pem. – Seeker May 22 '19 at 10:41
  • @Misantorp I was able to fix it. The Docker setup files had changed the default SSL certificates path and this SSL trust store was not updated; I was able to fix it following the directions given in the link shared. Thanks. – Seeker May 25 '19 at 15:05

0 Answers