How to set the git property sslBackend = schannel in Spring Tool Suite 4 - eclipse

I am trying to run git clone in Spring Tool Suite (Eclipse) from a local GitLab server.
I'm using HTTPS clone url and the server certificate is signed by our organization CA.
I'm getting the error: unable to find valid certification path to requested target.
The root certificate of the organization is in the Windows trusted certificates store.
I tried placing the git configuration in the path %USERPROFILE%\.gitconfig with the content:
[http]
sslBackend = schannel
I can see in STS that the configuration was loaded in the eclipse preferences, but the error is still there.
Any idea how to get git commands in STS / Eclipse to trust the Windows certificate store?
Thanks,
Eyal

Found it...
I had to add to the Java options in the SpringToolSuite4.ini:
-Djavax.net.ssl.trustStore=NUL
-Djavax.net.ssl.trustStoreType=Windows-ROOT
Then Java trusted the Windows keystore.

Related

Installing pyDev and other plugins for Eclipse

I still can't install any plugin for eclipse because of a ValidatorException
Unable to read repository at http://www.pydev.org/updates/content.xml.
sun.security.validator.ValidationException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
What should I do in that case?
I think this is a common certificate issue, which can happen for multiple reasons. I'll list the 2 most likely to be the case here:
The URL mentioned in the error does a redirect from HTTP to HTTPS, which Java does not seem to like.
I'm not sure if this is still an issue in recent Java versions; I could not find a better reference, but they mention it here: https://github.com/protegeproject/protege/issues/17
Please try to change the update-site URL from http://www.pydev.org/updates/ to what it redirects to (which currently is: https://dl.bintray.com/fabioz/pydev/5.3.1/)
The certificate could not be validated because the certificate issuer's root certificate is not in your keystore. Make sure you have the most recent version of Java installed (each new version contains a new keystore). You can also add the issuer's root certificate (or the certificate of the site) into your keystore using the keytool.

Jenkins Play! Plugin: Failure to configure auto-install on Cloudbees server

I have installed the Jenkins plugin for the Play! framework: https://wiki.jenkins-ci.org/display/JENKINS/play-plugin
However, I run into a problem configuring that plugin. The Jenkins server doesn't have Play installed, so I tried to configure the auto-install, using the "Install automatically" option. Unfortunately, when I pass the URL to the Typesafe Activator's ZIP archive, I get a handshake failure.
The Jenkins server is a part of the Cloudbees cloud.
Any ideas on what is going wrong and how to deal with it?
EDIT: Changing "https" to "http" resolves the handshake problem. However, Play does not get installed on the Jenkins server. The build does not find the "activator" executable. I suspect this may be an issue with the Play plugin for Jenkins.
It seems your Java cacerts does not have the correct certificate. You may try the following steps.
Step 1: Get the root certificate of https://www.google.com
Open https://www.google.com in a Chrome browser.
Select Inspect from the context menu (right-click on the page) and navigate to the Security tab.
Click on View certificates.
Click on the topmost certificate in the hierarchy and confirm it is tailed with the Root CA phrase.
Drag and drop the certificate image you see there onto the desktop.
That's it! You got your root certificate!
Step 2: Install the certificate to your Java cacerts
Please verify you have the system variable JAVA_HOME declared; you will perform these steps on that JRE's cacerts only!
Navigate to cacerts at JAVA_HOME/jre/lib/security/cacerts
Download and install keytool explorer; it is available for all platforms.
Open cacerts in that tool and import the certificate with the "import trusted certificate" button.
Save your changes (you may come across an issue if it is a Mac and you do not have write access!)
Step 3: Restart Jenkins
You should not get the SSL handshake problem from now on.

Unable to read repository from Eclipse 3.6

Running Eclipse 3.6 and trying to get version 3.2.4 of the GWT plugin. I add the source and it results in the following:
Unable to read repository at https://commondatastorage.googleapis.com/eclipse_toolreleases/products/gpe/release/3.2.4/3.6/content.xml.
Unable to read repository at https://commondatastorage.googleapis.com/eclipse_toolreleases/products/gpe/release/3.2.4/3.6/content.xml.
com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by OU=Equifax Secure Certificate Authority, O=Equifax, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
I have the correct path, my local time on my machine is accurate/correct (I had read some about some odd timestamp issues with certs?), and I can't seem to find any information about this. I tried installing locally, and there are missing dependencies when I use a local archive. I am curious though, why is it trying to hit content.xml? There is no such file in the downloadable repo, and when I try to hit that URI, I get the following:
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>
It's because the repository does not have a valid, i.e. trusted, certificate according to our SSL. You need to manually add the certificate as trusted, and then install the plugin.

Passing truststore to javaws as command line argument

We have a Java Web Start application which is hosted on a web server. The signer of the SSL certificate in the web server is not in the cacerts of the JRE, by default. Thus when we run
javaws https://blablah/our.jnlp
we get a Security Warning dialog saying the connection to the website is untrusted. Is it possible to pass a custom truststore that contains the signer certificate to the javaws process to avoid the warning?
I was hoping the following would work
javaws -J-Djavax.net.ssl.trustStore=<path_to_custom_trusstore> https://blablah/our.jnlp
where custom_trusstore contains the signer certificate.
This does not seem to work. Warning still shows.
I know alternatively we can add the signer certificate from the Java Control Panel, but is there any other way?
Have you tried to add the password?
-Djavax.net.ssl.trustStorePassword=storePassword

"PKIK path building failed" when attempting to clone repo from github in Eclipse 3.6 with WAS 8 plugin

I have installed the Eclipse Java EE Developers Helios SR2 IDE. The only additional plugins, installed from the Eclipse marketplace, are WebSphere Application Server 8.0 Developer Tools (8.0.4) and JGit/EGit.
I could attach to github fine until I follow the steps on the IBM site to update the eclipse.ini file to use the IBM-provided JRE that comes with WAS8.
Once I changed Eclipse to use the IBM JRE, I could not connect to github. When I tried to clone a repository, for instance, I got the error here:
my/url/to.git: cannot open git-upload-pack
java.lang.ClassNotFoundException: Cannot find the specified class com.ibm.websphere.ssl.protocol.SSLSocketFactory
I updated the configuration file as documented here:
http://publib.boulder.ibm.com/infocenter/radhelp/v7r5/index.jsp?topic=%2Fcom.ibm.ws.ast.st.v6.ui.doc%2Ftopics%2Frssl_isUseIBMSSLSocketFactory.html
After I make the change, it still doesn't work. I get this error:
my/url/to.git: cannot open git-upload-pack
com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
(Firstly, I'm not sure why you want to run Eclipse on the IBM JRE. If you need the IBM JRE for specific projects (or even by default) as the running environment, you could add it and set it in the Workspace (or Project) properties.)
This error is happening because the IBM JRE doesn't trust this certificate (CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US) out of the box.
Both the Oracle and the IBM JRE come with a default set of trusted CA certificates.
In Oracle Java, they're located in "jssecacerts, if it exists. Otherwise, cacerts". The documentation also says:
IMPORTANT NOTE: The JDK ships with a limited number of trusted root
certificates in the /lib/security/cacerts file. As
documented in keytool, it is your responsibility to maintain (that is,
add/remove) the certificates contained in this file if you use this
file as a truststore.
Depending on the certificate configuration of the servers you contact,
you may need to add additional root certificate(s). Obtain the needed
specific root certificate(s) from the appropriate vendor.
This may be in a different place for the IBM JRE, but ultimately, this piece of advice also applies: it's ultimately up to you to make sure you have the CA certificates you want to trust. You could export them from your browser, for example.
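
The answers on this page (switching the JVM to the Windows-ROOT store at the top, and the IBM JRE not trusting the DigiCert root here) all come down to which CA certificates the running JVM accepts. The following is an added example, not code from any of the posts: it lists the issuers the JVM's default trust manager accepts and searches them for the CA named in the PKIX error. The class name TrustedIssuers and the "Example Org Root CA" name are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example. Run with the same JRE and JVM options as the IDE (Java 11+):
//   java TrustedIssuers.java "DigiCert High Assurance EV Root CA"
//   java -Djavax.net.ssl.trustStore=NUL -Djavax.net.ssl.trustStoreType=Windows-ROOT
//        TrustedIssuers.java "Example Org Root CA"   (one line; CA name is a placeholder)
public class TrustedIssuers {

    // CA certificates accepted by the JVM's default X.509 trust manager.
    static X509Certificate[] defaultIssuers() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null = let JSSE choose: javax.net.ssl.trustStore* if set,
        // otherwise jssecacerts, otherwise cacerts.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        String wanted = args.length > 0 ? args[0].toLowerCase(Locale.ROOT) : "";
        X509Certificate[] issuers = defaultIssuers();
        System.out.println("trustStore     = "
                + System.getProperty("javax.net.ssl.trustStore", "(JRE default)"));
        System.out.println("trustStoreType = "
                + System.getProperty("javax.net.ssl.trustStoreType", "(JRE default)"));
        System.out.println("trusted CAs    = " + issuers.length);
        int hits = 0;
        for (X509Certificate ca : issuers) {
            String dn = ca.getSubjectX500Principal().getName();
            if (!wanted.isEmpty() && dn.toLowerCase(Locale.ROOT).contains(wanted)) {
                System.out.println("MATCH " + dn + " (valid until " + ca.getNotAfter() + ")");
                hits++;
            }
        }
        if (!wanted.isEmpty() && hits == 0) {
            System.out.println("No trusted CA matches \"" + args[0] + "\"");
            System.exit(1);
        }
    }
}
```

A miss for the issuer named in the PKIX error means that CA has to be imported into the store this JVM reads, or the JVM has to be pointed at a store that already contains it.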