On Wed, Oct 24, 2018 at 12:43:06 +0200, Nikos Skalis wrote:
> Seems to make progress, but now am getting a different error:
>
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It's still a problem with the certificates and the chain. Still nothing to do with GoCD directly.
What is the output of the command I mentioned last time?
--- --- ---
jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("LDAP_SERVER_URL_YOU_ARE_USING", 636).startHandshake())'
--- --- ---
You can find out the certificates you have in your cacerts by doing this:
--- --- ---
echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name cacerts) | grep 'Owner:'
--- --- ---
You can then find the cert chain used by your LDAP server by doing this:
--- --- ---
# stdin from /dev/null so s_client exits after the handshake instead of waiting for input
openssl s_client -connect LDAP_SERVER_URL_YOU_ARE_USING:636 </dev/null | sed -n '/Certificate chain/,/^---/p'
--- --- ---
The certs in the chain (especially the last one in that chain) will need to be in the list returned by keytool. My guess is that it's not.
As an example, google.com's root cert is not in my cacerts and so, Java is unable to connect to google.com, for me:
--- --- ---
$ openssl s_client -connect google.com:443 </dev/null | sed -n '/Certificate chain/,/^---/p'
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
$ echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name cacerts) | grep 'Owner:' | grep GlobalSign
# Returns no matches.
$ jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("google.com", 443).startHandshake())'
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:531)
        at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:448)
        at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:405)
        ...
--- --- ---
If I add that root cert, the one named GlobalSign, I'm sure Java will be able to connect.
Cheers,
Aravind
PS: Make sure you're using the same Java version for GoCD that you're running locally (for JAVA_HOME, keytool, jrunscript, etc.)
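The check Aravind describes above (the issuer of the last certificate the server sends has to show up among the `Owner:` lines that keytool prints) is easy to get wrong by eye, because openssl prints DNs as `/C=US/O=.../CN=...` while keytool prints them as `CN=..., O=..., C=...`, in the opposite order. The script below is an added example, not code from the original post or from GoCD: it parses the text output of the two commands, normalises both DN spellings, and reports whether a trust anchor for the chain is present in cacerts. The sample outputs are constructed (modelled on the google.com chain in the post), and the function names and the live `fetch_chain`/`list_cacerts` helpers are this example's own; the live helpers simply run the same `openssl s_client` and `keytool -list -v` commands shown above.

```python
"""Added example (not from the post or GoCD): does cacerts hold a trust anchor
for the chain a TLS server sends? Works on the text output of
`openssl s_client` and `keytool -list -v`."""
import re
import subprocess
import sys
from typing import FrozenSet, List, Optional, Tuple

DN = FrozenSet[Tuple[str, str]]

# Constructed sample of `openssl s_client -connect google.com:443 </dev/null`,
# modelled on the chain shown in the post (only the parts we parse).
SAMPLE_S_CLIENT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
"""

# Constructed samples of `keytool -list -v ... | grep Owner:`. The first lacks
# the GlobalSign R2 root; the second has it, in keytool's RDN order.
SAMPLE_KEYTOOL_MISSING = """Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Owner: CN=ISRG Root X1, O=Internet Security Research Group, C=US
"""
SAMPLE_KEYTOOL_WITH_ROOT = SAMPLE_KEYTOOL_MISSING + (
    "Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2\n")


def parse_dn(text: str) -> DN:
    """Normalise a DN to an order-insensitive set of (ATTR, value) pairs.
    Accepts openssl's legacy '/C=US/O=X' form, openssl 1.1.1's 'C = US, O = X'
    form and keytool's 'CN=X, O=Y' form (with '\\,' escaping commas)."""
    text = text.strip()
    if text.startswith("/"):
        parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", text[1:])
    else:
        parts = re.split(r"(?<!\\),", text)
    rdns = set()
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            rdns.add((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return frozenset(rdns)


def parse_s_client_chain(output: str) -> List[Tuple[str, str]]:
    """(subject, issuer) pairs from the 'Certificate chain' block, server order."""
    chain, subject, in_block = [], None, False
    for line in output.splitlines():
        if line.startswith("Certificate chain"):
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("---"):
            break
        m = re.match(r"^\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def parse_keytool_owners(output: str) -> List[str]:
    return [ln.split(":", 1)[1].strip() for ln in output.splitlines()
            if ln.startswith("Owner:")]


def find_trust_anchor(chain: List[Tuple[str, str]], owners: List[str]) -> Tuple[Optional[str], str]:
    """PKIX path building succeeds if some chain cert is itself in the
    truststore, or if the issuer of the last chain cert (the root the server
    did not send) is. Returns (matching Owner line or None, DN that matters)."""
    trusted = {parse_dn(o): o for o in owners}
    for subject, _issuer in chain:
        if parse_dn(subject) in trusted:
            return trusted[parse_dn(subject)], subject
    _last_subject, last_issuer = chain[-1]
    return trusted.get(parse_dn(last_issuer)), last_issuer


def diagnose(s_client_output: str, keytool_output: str) -> str:
    chain = parse_s_client_chain(s_client_output)
    if not chain:
        return "no 'Certificate chain' block found; the handshake did not get that far"
    owner, needed = find_trust_anchor(chain, parse_keytool_owners(keytool_output))
    if owner:
        return f"OK: trust anchor present in cacerts: {owner}"
    return (f"MISSING: cacerts has no entry for {needed}\n"
            "  get that CA's certificate as PEM from the CA or the LDAP admin, then:\n"
            "  keytool -importcert -trustcacerts -alias <name> -file ca.pem "
            "-keystore <cacerts> -storepass changeit")


def fetch_chain(host: str, port: int = 636) -> str:
    """Live: same openssl command as in the post; empty stdin so it exits."""
    return subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                          input=b"", capture_output=True).stdout.decode(errors="replace")


def list_cacerts(keystore: str, storepass: str = "changeit") -> str:
    """Live: same keytool listing as in the post, password passed as a flag."""
    return subprocess.run(["keytool", "-list", "-v", "-keystore", keystore,
                           "-storepass", storepass], capture_output=True, text=True).stdout


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check_chain.py ldap.example.com /path/to/cacerts
        print(diagnose(fetch_chain(sys.argv[1]), list_cacerts(sys.argv[2])))
    else:
        print(diagnose(SAMPLE_S_CLIENT, SAMPLE_KEYTOOL_MISSING))
        print(diagnose(SAMPLE_S_CLIENT, SAMPLE_KEYTOOL_WITH_ROOT))
```

Run it with no arguments to see both outcomes on the constructed samples, or pass a host and the path to the cacerts of the exact JDK GoCD runs on (the PS above applies: a different JDK has a different cacerts).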