Better open one issue with all the details you got. Thanks!
On 15 September 2016 at 12:20, cen <imba...@gmail.com> wrote:
> Sure. Should I open the issue specifically about Apache client and another
> one for default Java client?
>
> The unexplained thing is why the default Java client isn't working with SNI
> by default, even though it should in theory (Java 8 sends SNI automatically
> and by default according to Oracle docs). The closest thing I found is this:
> http://stackoverflow.com/questions/30817934/extended-server-name-sni-extension-not-sent-with-jdk1-8-0-but-send-with-jdk1-7
> a possible OpenJDK bug.
>
> A quick dig into JClouds code seems to confirm that setHostnameVerifier() is
> used so this could be the case.
>
>
> Ignasi Barrera wrote on 15. 09. 2016 at 12:06:
>
>> Thanks for the feedback and all the details cen!
>>
>> Would you mind opening an issue in our JIRA so we can track and fix
>> the Apache driver?
>>
>>
>>
>> On 15 September 2016 at 11:17, cen <imba...@gmail.com> wrote:
>>>
>>> Hi
>>>
>>> Default driver and Apache driver failed me but OkHttp worked.
>>>
>>> For Apache, I found a similar bug in Keycloak JIRA:
>>> https://issues.jboss.org/browse/KEYCLOAK-2439
>>>
>>> The interesting part is:
>>>
>>> "Client adapter uses a deprecated API when setting up HttpClient object
>>> in org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch which
>>> is part of HttpClient library since version 4.3.2, and which seems to
>>> delegate this part to Java SDK classes, where SNI is automatically set,
>>> isn't activated."
>>>
>>> It's a guess on my part but I assume JClouds instantiates the HttpClient
>>> in a way that SNI does not get activated.
>>>
>>> I dug more into Apache driver and the way SSLSocketFactory is used by
>>> JClouds is very similar to pre-patched Keycloak from that Jira issue
>>> (according to pull requests). Might be worth looking into.
>>>
>>> Best regards, cen
>>>
>>>
>>> Ignasi Barrera wrote on 12. 09. 2016 at 21:04:
>>>
>>> Hi!
>>>
>>> jclouds supports several HTTP drivers. By default it relies on the Java
>>> HttpURLConnection, but you can also configure it to use the Apache Http
>>> client or OkHttp [1]. Using those drivers is as simple as adding the
>>> corresponding Guice module when creating the context (have a look at the
>>> OkHttp driver readme for an example [2]) so feel free to use the one that
>>> is better for your use case.
>>>
>>> If you need more control on how the http client is configured, you can
>>> take the jclouds Docker api as an example. It configures the OkHttp to
>>> support TLS connections. You can have a look at its docker http module [3]
>>> and create a similar module that initializes the OkHttpClient as needed,
>>> and then pass it to the ContextBuilder when creating the jclouds context.
>>>
>>> HTH!
>>>
>>> I.
>>>
>>> [1] https://github.com/jclouds/jclouds/tree/master/drivers
>>> [2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
>>> [3] https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
>>>
>>> On 12 Sept. 2016 7:02 p.m., "cen" <imba...@gmail.com> wrote:
>>>
>>> Hi
>>>
>>> We have a FakeS3 instance behind a reverse proxy which handles several
>>> subdomains over a single IP. We use Let's Encrypt certificate to sign the
>>> subdomains. We have the latest Java 8 installed which has the Let's
>>> Encrypt root in its truststore. However, JClouds fails to connect to our
>>> FakeS3 instance over https (http works). We believe it is because TLS SNI
>>> is not supported in JClouds since this is the most common problem we found
>>> other people having when googling around. I browsed around org.jclouds.http
>>> package but I was unable to determine what HTTP client JClouds uses
>>> behind the scenes or if it's a custom implementation.
>>> Could I get some feedback whether my assumptions are correct and how hard
>>> would it be to fix this? This is the stacktrace:
>>>
>>>
>>> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to HEAD https://s3.demo.mydomain.com/productname HTTP/1.1
>>>   at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:121)
>>>   at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:90)
>>>   at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:73)
>>>   at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:44)
>>>   at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
>>>   at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
>>>   at com.sun.proxy.$Proxy146.bucketExists(Unknown Source)
>>>   at org.jclouds.s3.blobstore.S3BlobStore.containerExists(S3BlobStore.java:131)
>>>   at com.redacted.util.storage.S3Storage.saveBlob(S3Storage.java:42)
>>>   at com.redacted.util.storage.BlobStorageImpl.saveBlob(BlobStorageImpl.java:19)
>>>   at com.redacted.api.rest.v1.resources.ImagesResourceImpl.createTenant(ImagesResourceImpl.java:90)
>>>   at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldSubclass.createTenant$$super(Unknown Source)
>>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>>   at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:49)
>>>   at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:77)
>>>   at com.redacted.api.rest.v1.interceptors.ValidatePermissionsInterceptor.checkOwnership(ValidatePermissionsInterceptor.java:63)
>>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>>   at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>>>   at org.jboss.weld.interceptor.proxy.NonTerminalAroundInvokeInvocationContext.proceedInternal(NonTerminalAroundInvokeInvocationContext.java:64)
>>>   at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:77)
>>>   at com.redacted.api.rest.v1.interceptors.TransactionalInterceptor.manageTransaction(TransactionalInterceptor.java:34)
>>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>>   at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>>>   at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.executeAroundInvoke(InterceptorMethodHandler.java:84)
>>>   at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.executeInterception(InterceptorMethodHandler.java:72)
>>>   at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(InterceptorMethodHandler.java:56)
>>>   at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:79)
>>>   at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:68)
>>>   at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldSubclass.createTenant(Unknown Source)
>>>   at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldClientProxy.createTenant(Unknown Source)
>>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>>   at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)
>>>   at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:164)
>>>   at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:181)
>>>   at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:158)
>>>   at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:101)
>>>   at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)
>>>   at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)
>>>   at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)
>>>   at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:305)
>>>   at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
>>>   at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
>>>   at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
>>>   at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
>>>   at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
>>>   at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)
>>>   at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:288)
>>>   at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1110)
>>>   at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:401)
>>>   at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:386)
>>>   at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:335)
>>>   at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:222)
>>>   at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:835)
>>>   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1685)
>>>   at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209)
>>>   at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244)
>>>   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
>>>   at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581)
>>>   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>>>   at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:513)
>>>   at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
>>>   at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1158)
>>>   at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511)
>>>   at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>>>   at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1090)
>>>   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119)
>>>   at org.eclipse.jetty.server.Server.handle(Server.java:517)
>>>   at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308)
>>>   at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242)
>>>   at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
>>>   at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
>>>   at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75)
>>>   at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
>>>   at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
>>>   at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
>>>   at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
>>>   at java.lang.Thread.run(Thread.java:745)
>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>   at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>   at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)
>>>   at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)
>>>   at java.security.AccessController.doPrivileged(Native Method)
>>>   at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)
>>>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)
>>>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>>   at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>>   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
>>>   at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:105)
>>>   at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:65)
>>>   at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:99)
>>>   ... 89 more
>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>>>   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>>   at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>>>   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>>>   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
>>>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>>   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>>   at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:97)
>>>   ... 91 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>>   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>   at sun.security.validator.Validator.validate(Validator.java:260)
>>>   at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>   at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>>   at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
>>>   ... 104 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>   at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>>   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>>   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>>   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>>>   ... 110 more
>>>
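
An added diagnostic for the SNI hypothesis discussed in this thread (not code from jclouds or from any participant): it handshakes with the same host twice, once with and once without the SNI extension, and reports which leaf certificate the server presented and whether the JVM's default trust store accepted it. The class name `SniProbe`, its helper names and the command-line arguments are assumptions made for this example; if the two subjects differ, the reverse proxy selects its certificate by SNI, and a client that omits SNI receives the fallback certificate.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/** Hypothetical helper: compare the certificate served with and without SNI. */
public class SniProbe {

    /** Validates with the JVM default trust store, but remembers the leaf it was shown. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate leaf;
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            leaf = chain[0];                                  // record first, so it survives a rejection
            delegate.checkServerTrusted(chain, authType);     // validation itself is unchanged
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static String probe(String host, int port, boolean sendSni) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                            // null selects the default trust store
        RecordingTrustManager tm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");       // fresh context per probe: no session resumption
        ctx.init(null, new TrustManager[] {tm}, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            List<SNIServerName> names = sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList(); // empty list: no server_name extension
            params.setServerNames(names);
            params.setEndpointIdentificationAlgorithm("HTTPS"); // check the hostname as an HTTPS client would
            socket.setSSLParameters(params);
            String outcome;
            try {
                socket.startHandshake();
                outcome = "accepted";
            } catch (SSLException e) {                        // e.g. "PKIX path building failed"
                outcome = "rejected (" + e.getMessage() + ")";
            }
            String subject = tm.leaf == null ? "<no certificate received>"
                    : tm.leaf.getSubjectX500Principal().getName();
            return (sendSni ? "with SNI:    " : "without SNI: ") + subject + " -> " + outcome;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];                                // hostname of the endpoint behind the proxy
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        System.out.println(probe(host, port, true));
        System.out.println(probe(host, port, false));
    }
}
```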