jfrog-idea-plugin
Is the plugin using the same trust store as IntelliJ?
When trying to connect my IntelliJ IDE to our JFrog Xray instance via Test connection, I get the following error:
Could not connect to Xray: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We use an internal CA which requires us to add CA certs in our java trust store via the IntelliJ Preferences (on Mac, that's under Tools / Server Certificates). But the plugin doesn't seem to use this. Is the plugin not using the JDK used by the IDE? Can you suggest a fix or workaround?
Additional details...
[ERROR] Scan failed javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:71)
    at org.jfrog.client.http.CloseableHttpClientDecorator.doExecute(CloseableHttpClientDecorator.java:107)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at com.jfrog.xray.client.impl.XrayImpl.setHeadersAndExecute(XrayImpl.java:107)
    at com.jfrog.xray.client.impl.XrayImpl.get(XrayImpl.java:85)
    at com.jfrog.xray.client.impl.services.system.SystemImpl.version(SystemImpl.java:43)
    at com.jfrog.ide.common.scan.ScanManagerBase.isXrayVersionSupported(ScanManagerBase.java:229)
    at com.jfrog.ide.common.scan.ScanManagerBase.scanAndCacheArtifacts(ScanManagerBase.java:161)
    at com.jfrog.ide.idea.scan.ScanManager.access$100(ScanManager.java:49)
    at com.jfrog.ide.idea.scan.ScanManager$2.onSuccess(ScanManager.java:156)
    at com.jfrog.ide.idea.scan.MavenScanManager.refreshDependencies(MavenSca[...]
I found a fix/workaround: I added our internal CA certs to IntelliJ's cacerts file via:
$ cd "/Applications/IntelliJ IDEA CE 2019.1.app/Contents/jbr/Contents/Home/lib/security/"
$ sudo keytool -keystore cacerts -importcert -alias MyRootCACert -file FILENAME1.crt
$ sudo keytool -keystore cacerts -importcert -alias MySubCACert -file FILENAME2.crt
I'll leave it up to you to decide if this should be closed or if the code should be adjusted to use certs as specified via the IntelliJ prefs.
Thanks for reporting this issue, @jourzero. We opened this PR to target this. We'll keep you updated.
@jourzero JFrog Idea plugin 1.4.0 is released. Since this version, the plugin reads the certificates from the IntelliJ trust store, as instructed here.
We'll appreciate your feedback on that!
Hi, today I got the following message from my JFrog IntelliJ plugin, version 2.3.0:
2023-07-26 07:36:34,494 [ 262908] WARN - #com.jfrog.ide.idea.log.Logger - Error occurred for request GET /artifactory/api/system/version HTTP/1.1: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
However, the analysis seems to work, since I can see the results. Is there maybe a single call that does not use the trust store?
Thanks for reporting this issue, @bjpe! Your analysis is correct. This is a harmless single call that does not use the trust store. We will look into it soon.