We are getting an error "Unable to connect to GitHub API: org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://github.xxx.com/api/v3/user" when trying to use the GitHub pull request builder in Jenkins.
You may need to add your Certificate Authority cert to the java keytool.
If you look in your Jenkins log and find something like this:
org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://github.xxx.com/api/v3/user
Scroll down and see if there is a line like this:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This error is saying that the SSL handshake failed with something about the PKIX path/certpath. Try adding your CA Cert to the keytool and restarting Jenkins to see if that helps.
Here's the post that helped me modify the Java certs with the keytool. (The default keytool password is "changeit".)
You can also try installing the skip certificate check plugin in the plugin manager.
It seems your Java cacerts does not have the correct certificate for your git URL. You may try the following steps.
Step 1 : Get root certificate of https://www.google.com
Open https://www.google.com in a Chrome browser.
Select Inspect from the context menu (right-click on the page) and navigate to the Security tab.
Click on view certificates.
Click on the topmost certificate in the hierarchy and confirm it ends with the phrase Root CA.
Drag and drop the certificate image you see there onto the desktop.
That's it! You got your root certificate!
Step 2 : Install the certificate to your Java cacerts
Please verify you have the system variable JAVA_HOME declared; you will perform these steps on that JRE's cacerts only!
Navigate to cacerts at JAVA_HOME/jre/lib/security/cacerts
Download and install keytool explorer; it is available for all platforms.
Open cacerts in that tool and import the certificate with the "import trusted certificate" button.
Save your changes (you may come across an issue if it is a Mac and you do not have write access!)
Step 3 : Restart Jenkins
You should not get the SSL handshake problem from now on.
The problem is that the OpenID Connect URL I'm trying to reach uses self-signed certs. The plugin securityDashboards doesn't seem to like that:
Error: unable to verify the first certificate\n at TLSSocket.onConnectSecure(_tls_wrap.js:1088:34)\n at TLSSocket.emit(events.js:198:13)\n at TLSSocket._finishInit(_tls_wrap.js:666:8)\n code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
...
Client request error: unable to verify the first certificate
Since this seems to be a JavaScript error, my first approach was to point npm to the same keystore that curl also uses and which has no problem with the URL. Via npm config set cafile /etc/ssl/certs/ca-certificates.crt
After that didn't work I tried to disable the SSL verification altogether just to see if it works. Via npm config set strict-ssl false
That failed so I read the docs about certificate validation, tried to set up pemtrustedcas_filepath with the keystore above... didn't work.
Then tried to download the cert and use pemtrustedcas_content, but that didn't work either.
Out of options. Thanks for any suggestion!
Setting opensearch_security.openid.root_ca: /etc/ssl/certs/ca-certificates.crt in opensearch_dashboards.yml worked for me.
I have a job that Sends Notification On success or On failure. It uses the Webhook option. The webhook is a Rundeck API that executes a job.
Here is my notification setup
I've checked the rundeck.log. It has the following error:
ERROR services.NotificationService [quartzScheduler_Worker-6] - Notification failed [onsuccess,succeeded,238621]; URL https://client-dns/api/33/job/cd3b3a1b-90c9-4c99-bf29-46c5aad1b4ff/run?authtoken=6XpW50hvZoPUTtlwucKGJ7ERKOxeJCTR&option.rd_exec_id=238621: Unable to POST notification after 1 tries: success for execution 238621 (succeeded): Error making request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I fix this issue? I already have a certificate, but how can I tell Rundeck to use it? Thanks in advance to those who'll help me.
You need to add the webhook service certificate to the Java cacert to make it recognizable by Rundeck. Alternatively, if you are using Rundeck over SSL, you can add that certificate to the Rundeck truststore file in the following way:
Stop the Rundeck Service.
Extract the service certificate:
echo -n | openssl s_client -connect your_service_host:your_service_port > cert.out
Add it to your Rundeck truststore file:
keytool -importcert -trustcacerts -file cert.out -alias my_service -keystore your/path/to/rundeck/truststore
Start Rundeck service.
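An added example, not part of the answer above or of Rundeck: the capture from `openssl s_client` is a whole handshake transcript, so this script splits out each PEM block, picks the self-signed root, and shows the leaf failing verification without it and passing with it. The CA, the leaf, the host name `service.internal.example` and the transcript are constructed locally so it runs offline; the file it reports is the kind of input `keytool -importcert -file` takes.

```shell
#!/usr/bin/env bash
# Added example; every key, certificate and transcript here is constructed.
work=$(mktemp -d)

# Throwaway root CA plus a leaf it signs, standing in for an internal service.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Internal Root CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=service.internal.example" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" \
    -CAkey "$work/ca.key" -CAcreateserial -days 1 \
    -out "$work/leaf.pem" 2>/dev/null
  # Same shape as `openssl s_client -showcerts` output: PEM between noise.
  { echo "CONNECTED(00000003)"; echo "Certificate chain"
    cat "$work/leaf.pem"; echo "---"; cat "$work/ca.pem"
    echo "SSL handshake has read 2345 bytes"; } > "$work/transcript.txt"
}

# Write each PEM block of transcript $1 to $work/chain-N.pem; print the count.
split_chain() {
  awk -v out="$work/chain-" '
    /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
    keep { print > (out n ".pem") }
    /-----END CERTIFICATE-----/ { keep = 0 }
    END { print n + 0 }' "$1"
}

# True when subject and issuer names match, i.e. a self-signed root.
is_root() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# True when cert $2 verifies; $1 is an extra CA file, empty for system store.
chain_ok() {
  if [ -n "$1" ]; then openssl verify -CAfile "$1" "$2" 2>&1
  else openssl verify "$2" 2>&1; fi | grep -q ': OK$'
}

make_chain
echo "certificates found: $(split_chain "$work/transcript.txt")"
for f in "$work"/chain-*.pem; do
  if is_root "$f"; then echo "trust anchor to import: $f"; fi
done
if ! chain_ok "" "$work/leaf.pem"; then echo "before: issuer not trusted"; fi
if chain_ok "$work/chain-2.pem" "$work/leaf.pem"; then echo "after: OK"; fi
```

A real server may not send its root at all, in which case no block is self-signed and the CA certificate has to come from whoever operates that CA.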
pkg set-publisher: The origin URIs for 'solarisstudio' do not appear to point to a valid pkg repository.
Please verify the repository's location and the client's network configuration.
Additional details:
Unable to contact valid package repository: https://pkg.oracle.com/solarisstudio/release
Encountered the following error(s):
Transport errors encountered when trying to contact repository.
Reported the following errors:
Framework error: code: 60 reason: SSL certificate problem: unable to get local issuer certificate
URL: 'https://pkg.oracle.com/solarisstudio/release'
1. Make sure that the ca-certificates service is running on Solaris
svcs -xv
If not, try starting it using the commands below
svcadm disable svc:/system/ca-certificates:default
svcadm enable svc:/system/ca-certificates:default
Make sure that the below permission is set for all the certificates
If the above solution does not work:
2. Take a backup of all the certificates under /etc/certs/CA. Check for corrupted certificates by moving the certificates one by one back into /etc/certs/CA and starting the ca-certificates service. The certificate at which the service fails to start is the corrupted one.
Make sure that the certificates in the location have the permissions below
sudo chown root:sys /etc/certs/CA/*.pem
I'm using the JavaLite implementation and everything works fine when requesting HTTP services but when trying to get data from the HTTPS version of the service I get the HttpException "Failed URL".
Here's my code:
Get get = Http.get(url + "/eds/api/v1/certificados");
get.header("Authorization", "Basic " + Credentials);
get.header("APIKey", APIKey);
get.header("Accept", "application/json");
System.out.println(get.text());
Also tried with
String test = Http.get(url + "/eds/api/v1/certificados").header("Authorization", "Basic " + Credentials).header("APIKey", APIKey).header("Accept", "application/json").text();
Both of them behave the same way, if the URL is HTTP I can get the data, if the URL is HTTPS catch "Failed URL". I've tested the REST service with SOAPui and the HTTPS server works fine.
Any suggestion what I'm missing when trying to send a GET on HTTPS with headers?
I was going to suggest that the site's digital certificate was not signed by a Certificate Authority that is contained in the Java JRE certificate store.
Here is what you can do:
Use the browser and explore the certificate of the site, including a certificate chain, all the way to the root Certificate Authority
Explore what CA certs are installed locally.
The file for Java is:
$JAVA_HOME/jre/lib/security/cacerts
You need to run this command:
keytool -list -keystore cacerts
When prompted for password, just press Enter.
If you do not see a certificate of a CA that was used to sign a certificate of your site, then you will have this error.
How to fix:
Use a well known CA to get a certificate for your site and ensure it is already present in your Java cert database.
or:
Get the certificate from the site using a browser, and import it into your local Java database with command:
keytool -importcert ...
For more information on the keytool program:
keytool --help
I want to run some tests against an internal (with an internally minted cert) web service using SoapUI. I am not sure I fully grasp the SSL handshake stuff. But I exported the cert for the endpoint to a .cer file, then fired up java keytool with this command:
keytool -import -alias ca -file myservice.cer -keystore cacerts -storepass changeit
Which I got from another SO question. Then I added this truststore file (cacerts) to the project properties in SoapUI. But when I try to add a WSDL to the project, I still get the same error as before:
Error loading [https://myservice?wsdl]: org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Am I completely off base? Do I add all the certs in the chain to the truststore? I wasn't able to do that, it told me that the alias was already in use? Or should I just get a cert minted from an outside trusted authority?
SOAP UI raises the exception because your certificate is not properly installed in the SOAP UI trust store.
To resolve the above exception, follow the steps below.
Export the certificate from the key store or browser (which contains the public key)
Go to the SOAPUI install directory and locate the following directory: \SmartBear\soapUI-4.0.1\jre\lib\security
Import the certificate into the cacerts trust store (which is the default trust store)
Restart SOAP UI and load the WSDL...
To understand more about SSL, follow the link below: JSSE documentation