leiningen: How do I turn off ssl verification? - ssl

I'm a first-time leiningen user on Windows. When I run lein run I get the following error:
C:\Users\me\clojure-app>lein run
Could not transfer artifact org.clojure:clojure:pom:1.7.0 from/to central (https://repo1.maven.org/maven2/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Could not transfer artifact org.clojure:tools.nrepl:pom:0.2.10 from/to central (https://repo1.maven.org/maven2/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Could not transfer artifact clojure-complete:clojure-complete:pom:0.2.3 from/to central (https://repo1.maven.org/maven2/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This could be due to a typo in :dependencies or network issues.
If you are behind a proxy, try setting the 'http_proxy' environment variable.
My http_proxy and https_proxy environment variables are indeed set properly.
I'm behind a corporate firewall that re-signs web traffic with its own SSL certificates, which I suspected could be the root of my issues. However, I set my HTTP_CLIENT environment variable to:
curl --insecure -f -L -o
...to avoid SSL verification (as suggested by this note in the installation help) but that did not change the error message.
So, my root question, I suppose is: what steps must a user take to get lein run to successfully bring down dependencies on a Windows machine that is behind a corporate firewall that re-signs SSL traffic? :o)

Here are some options in inverse order of crazyness (least crazy first)
Add you companies proxy to your trust store, and don't do anything special in Leiningen that you will have to remember to do again the next time you change projects or computers. You may also need to add it to the Java JVM's certificate store in addition to the systems (this is very likely your problem)
Add you companies proxy certificate to the project's project.clj's :certificate section This way if the certificate needs to be changed than only one person needs to change it and the whole team will get the benefit.
Many companies have an internal caching maven proxy such as Nexus that will automatically fetch and cache dependencies and then make them quickly available to people inside the network. Find out if you have one of these by asking around or looking in .pom file on Java projects for the config.
Go home, or to a local coffee shop, download the dependencies, and then come back to the office. A walk and some fresh air is always good after dealing with TLS certs anyway.
Download the file manually, with your browser and put them in the .m2 directory yourself.
I'm really trying to not be snooty, by omitting an answer to your actual question. I do realize that there is not an option to disable security on this list. That's on purpose because one of there options will surely work and will make your life much better for knowing how to use these. If it still comes across as pretentious then please accept my most sincere apology along with the answer.

To elaborate on Arthur's answer and save a trip to google for the command:
To add the certificate to the JRE's truststore, use this keytool command:
keytool -import -trustcacerts -file CompanyMitmProxyCertificate.crt -alias ZScaler -keystore cacerts
Where: "CompanyMitmProxyCertificate.crt" is the certificate for your company's man-in-the-middle-attack cert and 'cacerts' is the keystore for your jre located under "\lib\security". The default password for the keystore is 'changeit'.

Related

although the cert is included in Accepted certificates ,PKIX path building failed

I Use #Intellij idea .my program try to connect the #URL using a #HttpURLConnection.I face the error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
After downloading the certificate from the browser, it is included in the accepted certificated in Intellij setting( File/setting/tools/server certificates) and also select the item " Accept non-trusted certificates automatically" at the top of the page.
Also the downloaded certificate is added successfully to #keystore through the command #keytool in #cmd administrator mode.( by the list command it can be seen correctly). I add the certificate to the #cacerts #keystore exactly to the JDK and JRE path mentioned in "build, execution and deployment" section in #Intellij idea setting.
when I debug the program, the added certificate is listed correctly in the #trustedCerts.
I appreciate your help and welcome any idea and tricks. Thanks in advance.

Jenkins doesn't connect to Internet (SSL trouble)

Error message: SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I been trying to configure the proxy correctly but some http servers respond with success, meanwhile all the https doesn't.
I installed all the necessary plugins manually for run a sample pipeline but the error in console output is just a nested page 404 by jenkins.
It's important to know that my OS have the cli internet connection blocked for security terms.
This is the last followable trouble that I have, but I'm a little bit confusing with the SSL cert, I tried to resolve it by this post but is not clear to me which SSL cert I have to download and if this could cause troubles with my PC restrictions.
One solution to resolve this issue is change the update url at management plugins > advanced setting > url update from this
https://updates.jenkins.io/update-center.json
to this
http://updates.jenkins.io/update-center.json
this solutions is not definitive and i won't recommend it.
Actually i solve this problem loading the plugins.jenkins.io cert to the javas's keystore using
.\keytool.exe -import -alias {alias} -keystore %JAVA%\lib\security\cacerts -file \path\to\your\cert
(Be sure than you are not overwritting anything and the password for -import param by default is changeit)

InstallCert.java crashes server before certificates are retrieved

I have a server running on Dropwizard (i.e. running Jetty for its web server). I'm trying to set up SSL for it.
I have a certificate signed by a CA (specifically Comodo, through Namecheap). I installed the root and intermediate certificates, then installed my own certificate (using the instructions on Comodo's support. Nonetheless, when I attempt to connect to my server for the first time (it boots fine), I get an error: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (Of course the stack trace is much longer, but that's the root cause.)
I've tried searching this error, and consistently people say it should only happen for self-signed certificates, which mine is not. Nonetheless, I tried downloading the InstallCert.java program that seems to have originated from a (now removed) article on the Sun blog. Specifically I got the degree from this page.
After several (failed) attempts to get it to work by command line (that's a discussion for another time), I eventually got it to run properly. Now the output I get from the program is:
Loading KeyStore C:\Program Files\Java\jdk1.8.0_05\jre\lib\security\cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...
Exception in thread "main" java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:150)
at java.net.SocketInputStream.read(SocketInputStream.java:121)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at com.aw.ad.util.InstallCert.main(InstallCert.java:98)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
Process finished with exit code 1
Meanwhile, if I open the window with my website, it once more delivers the unable to find valid certification path to requested target error and crashed (hence leading to the timeout). In essence, what it seems to me is that InstallCerts (which should fix my SSL problems) is crashing my server due to the SSL issues.
If I try using something like openssl s_client -connect localhost:8443 -showcerts (which was a recommendation I saw somewhere, save the results of that to a .pem file and install that), the same thing happens.
Is there a solution this problem? Am I missing something obvious here?
You might be missing the whole chain of certificates from Comodo root CA to your site's certificate. Examine the keystore that you configured in Dropwizard and see if you have them all. The simplest way is to look for the issuer of your certificate, you need to have the certificate with the same subject, next look for the issuer of that certificate and so forth. To be sure try to chain authority key identifier certificate extension of your certificate with the key fingerprint (key identifier) of the issuer, and the issuer's issuer. If you provide
keytool -list -keystore <your keystore> -rfc
I might be able to help you more...
Added later:
I've managed to reproduce your problem exactly. TL;DR; add:
validateCerts: true
trustStorePath: lyonesgamer.com.keystore
enableCRLDP: true
I created a keystore containing the chain (single entry, 3 certificates, ca, subordinate ca and end entity certificate) and another keystore containing only the two ca certificates as trusted entries. Then I configured keyStorePath, keyStorePassword, trustStorePath and validateCerts: true.
This resulted in:
java.security.cert.CertificateException: Unable to validate certificate: unable to find valid certification path to requested target
After adding -Djava.security.debug=certpath I noticed that revocation checking was failing, and that this in fact was the root cause of certificate chain failure:
certpath: SunCertPathBuilder.depthFirstSearchForward(): validation failed:
java.security.cert.CertPathValidatorException: Could not determine revocation status
Then I remembered that if you do not enable CRL Distribution Point extension usage for the CertPath API you need to specify the CRL yourself. Fortunately Dropwizard has an option to enable the CRLDP: enableCRLDP: true. With it enabled application successfully starts.
Alternatively you could keep the CRL in a file and point crlPath to it.
After all this time, I'd been chasing a rabbit hole. It turned out the problem was that I (rather naively) was testing this on my own computer. Dropwizard's validation saw an error, because the certificate was only valid for my domain, which my personal computer is not a member of. Hence it crashed because it couldn't validate.
I discovered this by turning validateCerts off in my Dropwizard config file (I had thought I'd turned it off already, but apparently not). Dropwizard booted fine and allowed me to connect. When I did, then Firefox gave me an Untrusted Connection error, and clicking on Details gave me the much more useful information:
localhost:8443 uses an invalid security certificate.
The certificate is only valid for the following names: lyonesgamer.com, www.lyonesgamer.com
(Error code: ssl_error_bad_cert_domain)
Thank you, Zoran, very much for trying to help. I'm afraid much of it was in vain.

Spring Security with LDAP over SSL: need more details

I've got web application that uses authentification via LDAP. It works flawlessly, but production version is required to use SSL. We have a server running at "ldaps://ourserver.com:636", but Spring Security throws following exception when I try to connect to it:
Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested targe
Apache Directory Studio also warns me about unknown certificate, but allows to ignore the check it and eventually to connect and read the data required.
There are plenty of questions and answers here about how to implement LDAP over SSL, but no one of them provide full solution. I've got two opportunities: to make the certificate trusted or to disable certificate check at all. No matter which way I choose, I can't figure out how to use the mechanism with Spring Security:
If I choose to use keytool and make the certificate trusted, I can't figure out how JVM / Tomcat / Spring Security will figure out which password I have defined (-keypass changeit).
If I choose to disable the certificate validation, I can't figure out what is the place the code should be placed.
I'm also curious on how Apache Directory Studio is able to make the certificate trusted for itself without that keytool import - which significantly reduces application portability? Solution like that would be perfect for my webapp, but I haven't found anything like that all.
Here is a solution I was able to use. The key thing I had to understand is that neither JVM, nor container with webapp needs to know alias and password. It's JVM headache to check all the certs registered, and this has nothing to do with your webapp. Unfortunately, the solution implies that you install the certificate for the whole JVM. That makes webapp less portable, but at least it works correctly. I've decided to provide following bash script with the webapp sources so other developers can install the cert easily on their machines:
SERVER="mydomain:636"
CRT_NAME="mydomain.crt"
CRT_ALIAS="mydomain_cert"
echo -n | openssl s_client -connect $SERVER | sed -ne '/-BEGIN
CERTIFICATE-/,/-END CERTIFICATE-/p' > $CRT_NAME
$JAVA_HOME/bin/keytool -import -alias $CRT_ALIAS -keystore $JAVA_HOME/lib/security/cacerts -file $CRT_NAME -storepass changeit
You may wish to add additional error checks, I've omitted them to simplify the script. You will need root priviledges to launch the second command.

Unable to load web app

Unable to load web application and console says the following
InstallationHandlers.isRegistered() failed, reason:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
what does it means? Any Idea ?
Thanks,
Pramod
Check your SSL settings. Try to turn off SSL and see if it helps.
And, as error msg says, check all paths to keystores and all certificate aliases.
I don't use glassfish - I just look at error message. PKIX is format of file, that contains certificates. All certificates, depending of CA (certificate authority), belong to different paths. Example: certificate from Thawte belongs to Thawte certficiate paths, cert from Verisign belong to Verisign path. So there is something wrong with certificate you use: it does not belong to any registered path, I think. One of the most popular ways to use certificates is SSL, so I presume this is your case. SSL settings should be somewhere in glassfish - google it. Or, maybe, you can make your application use unencrypted connections.