
unable to find valid certification path to requested target

Open romanharen1 opened this issue 4 years ago • 4 comments

Hi folks, I'm getting this error when I try to log in to my Gerrit:

`Sep 17, 2020 4:50:05 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [] threw exception
org.scribe.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service.
	at org.scribe.model.Request.send(Request.java:70)
	at org.scribe.model.Request.send(Request.java:76)
	at com.googlesource.gerrit.plugins.oauth.Office365OAuthService.getUserInfo(Office365OAuthService.java:84)
	at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:100)
	at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:108)
	at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:73)
	at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:117)
	at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:68)
	at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)
	at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)
	at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
	at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
	at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
	at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
	at com.google.gerrit.httpd.WebAppInitializer.doFilter(WebAppInitializer.java:123)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1757)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1716)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
	at org.scribe.model.Response.<init>(Response.java:29)
	at org.scribe.model.Request.doSend(Request.java:117)
	at org.scribe.model.Request.send(Request.java:66)
	... 33 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
	... 46 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 52 more

`

It was working until this morning.

Can someone help me?

romanharen1 avatar Sep 17 '20 20:09 romanharen1

We had the same issue.

Due to limited resources we weren't able to debug this further and instead decided to disable the plugin.

eriko-de avatar Sep 21 '20 15:09 eriko-de

Hello, I have noticed the same problem; it started when I switched to running Gerrit in a container rather than as the regular service. I believe the container doesn't have access to the global truststore, and since my auth service uses a self-signed SSL cert, the same error occurs when trying to authenticate.

mhuin avatar Dec 13 '21 10:12 mhuin

@mhuin Have you resolved this error?

billsteve avatar Feb 27 '23 03:02 billsteve

@mhuin Have you resolved this error?

I resolved the issue by using a custom entrypoint script for the gerrit container:

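#!/bin/bash -e
# Container entrypoint for Gerrit: (re)builds the JVM key/trust stores from
# files mounted in /var/gerrit/etc, runs one-time site init if requested,
# then execs the Gerrit daemon. Runs with -e, so any failing command aborts
# the container start.

# The /dev/./urandom is not a typo. https://stackoverflow.com/questions/58991966/what-java-security-egd-option-is-for
JAVA_OPTIONS="-Djava.security.egd=file:/dev/./urandom"
# Point the JVM at the stores built by configure_keystore below.
# NOTE(review): passwords passed as -D system properties are visible in the
# container's process listing; consider whether that is acceptable for your setup.
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStore=/var/gerrit/etc/keystore"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStorePassword=p4ssw0rd"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/var/gerrit/etc/truststore"
JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStorePassword=changeit"

# Builds the keystore from the mounted PKCS12 bundle and the truststore from
# the local CA certificate. Expects /var/gerrit/etc/certificate.pkcs12 and
# /var/gerrit/etc/localCA.crt to exist and be readable.
configure_keystore () {
  keytool -importkeystore -srckeystore /var/gerrit/etc/certificate.pkcs12 \
    -srcstoretype PKCS12 -destkeystore /var/gerrit/etc/keystore \
    -srcstorepass p4ssw0rd -deststorepass p4ssw0rd

  # Import the local CA so the OAuth provider's self-signed chain validates.
  keytool -importcert -alias my-local-ca -file /var/gerrit/etc/localCA.crt \
    -keystore /var/gerrit/etc/truststore -storepass changeit -noprompt
}

# Start from fresh stores on every boot: the paths must match the
# javax.net.ssl.* properties above, otherwise a stale truststore survives and
# the CA import fails on restart because the alias already exists (fatal under -e).
rm -f /var/gerrit/etc/truststore
rm -f /var/gerrit/etc/keystore
configure_keystore

# One-time site initialisation, triggered by a marker file that is removed
# once init and reindex have completed.
if [ -f /var/gerrit/logs/.run_init ]; then
  echo "Initializing Gerrit site ..."
  java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war init -d /var/gerrit --batch --no-auto-start --skip-plugins
  java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war reindex -d /var/gerrit
  cp -f /var/gerrit-plugins/* /var/gerrit/plugins/
  rm -f /var/gerrit/logs/.run_init
fi

echo "Running Gerrit ..."
# exec so the JVM becomes PID 1 and receives container signals directly.
exec java ${JAVA_OPTIONS} -jar /var/gerrit/bin/gerrit.war daemon -d /var/gerrit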

You'll most likely have to adapt this to your own use case. This entrypoint assumes two files, localCA.crt and certificate.pkcs12, are accessible with the correct permissions in the /var/gerrit/etc volume. This is how we generate them via Ansible; again, adapt this to your own setup:

# Produces the two files the Gerrit entrypoint expects in /var/gerrit/etc:
# certificate.pkcs12 (server key + full chain) and localCA.crt (DER-encoded local CA).
- name: create PKCS12 bundle for gerrit keystore
  shell: |
    # Concatenate the leaf certificate and the CA bundle so the PKCS12 carries the whole chain.
    cat /etc/pki/tls/certs/certificate.crt /etc/pki/tls/certs/ca-bundle.crt > /tmp/cert-chain.txt
    openssl pkcs12 -export -inkey /etc/pki/tls/private/certificate.key -in /tmp/cert-chain.txt -out certificate.pkcs12 -passout pass:p4ssw0rd
    rm -f /tmp/cert-chain.txt

# NOTE(review): the task name describes a condition ("if fqdn is updated or keystore
# does not exist") but no `when:` clause is visible here; confirm whether one was lost in the paste.
- name: prepare localCA certificate for import in keystore if fqdn is updated or keystore does not exist
  shell: |
    # keytool -importcert in the entrypoint reads this DER-encoded copy of the local CA.
    openssl x509 -outform der -in /etc/pki/ca-trust/source/anchors/localCA.pem -out localCA.crt

mhuin avatar Feb 28 '23 10:02 mhuin