Discussion:
[Geotools-devel] SSL certificate problem between Boundless Jenkins and Maven repo
Ben Caradoc-Davies
2017-07-18 23:48:55 UTC
The GeoTools master build also fails with an empty local repo. Both of
these tests with OpenJDK 8u131:

[ERROR] Failed to execute goal on project gt-coverage: Could not resolve
dependencies for project org.geotools:gt-coverage:jar:18-SNAPSHOT:
Failed to collect dependencies at
it.geosolutions.imageio-ext:imageio-ext-tiff:jar:1.1.17: Failed to read
artifact descriptor for
it.geosolutions.imageio-ext:imageio-ext-tiff:jar:1.1.17: Could not
transfer artifact
it.geosolutions.imageio-ext:imageio-ext-tiff:pom:1.1.17 from/to
boundless (https://repo.boundlessgeo.com/main/):
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target -> [Help 1]

Kind regards,
Ben.
The GeoServer build on master ("mvn clean install") fails with an empty
[ERROR] Failed to execute goal on project geoserver: Could not resolve
Failed to read artifact descriptor for
org.geotools:gt-api:jar:18-SNAPSHOT: Could not transfer artifact
org.geotools:gt-api:pom:18-SNAPSHOT from/to boundless
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target -> [Help 1]
Kind regards,
Ben.
--
Ben Caradoc-Davies <***@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand
Ben Caradoc-Davies
2017-07-19 00:00:55 UTC
Torben,

the DigiCert SSL certificate checker confirms that repo.boundlessgeo.com
is misconfigured: it is not sending their intermediate certificate:
https://www.digicert.com/help/
******
The server is not sending the required intermediate certificate.

This server needs to be configured to include DigiCert's intermediate
certificate to avoid trust errors in web browsers.
******


Firefox (54.0) is happy, likely because the DigiCert SHA2 Secure Server
intermediate certificate is bundled with Firefox:
https://repo.boundlessgeo.com/snapshot/


OpenSSL is not, because of the missing intermediate certificate:

$ openssl s_client -connect repo.boundlessgeo.com:443
CONNECTED(00000003)
depth=0 C = US, ST = New York, L = New York, O = "Boundless Spatial, Inc.", OU = NA, CN = repo.boundlessgeo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = New York, L = New York, O = "Boundless Spatial, Inc.", OU = NA, CN = repo.boundlessgeo.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=New York/L=New York/O=Boundless Spatial, Inc./OU=NA/CN=repo.boundlessgeo.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
subject=/C=US/ST=New York/L=New York/O=Boundless Spatial, Inc./OU=NA/CN=repo.boundlessgeo.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2010 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7663F86026BB65FC8D86D401C154638338D6FFFBDA18E0760310DFF200CF7D51
Session-ID-ctx:
Master-Key: 1E98B5D40AB4798A1D9587D360D0E333E23EBFF0E661D952704919E70FD747A377469C762AB3E50CB50C9A7F192C837D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1500420480
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
DONE


Kind regards,
--
Ben Caradoc-Davies <***@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand
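The diagnosis above (one certificate sent, its issuer absent, OpenSSL error 21) can be turned into a repeatable check. This added example, not from the thread or from any of the projects named in it, parses the `openssl s_client` transcript format quoted above and distinguishes a missing intermediate from an untrusted root; the hostnames and the `Example CA` names in the constructed transcripts are placeholders.

```shell
# classify_chain: reads `openssl s_client` output on stdin, prints one line:
#   COMPLETE                                chain verified (return code 0)
#   MISSING_INTERMEDIATE leaf issuer ...    leaf's issuer was not sent by the server
#   UNTRUSTED_ROOT                          chain is self-consistent, top CA unknown
#   OTHER:<code>                            anything else (expiry, hostname, ...)
classify_chain() {
  awk '
    /^Certificate chain/        { inchain = 1; next }
    inchain && /^ *[0-9]+ s:/   { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    inchain && /^ *i:/          { sub(/^ *i:/, ""); iss[n] = $0; next }
    inchain && /^---/           { inchain = 0 }
    /^Verify return code:/      { code = $4 }
    END {
      if (code == "0") { print "COMPLETE"; exit }
      # The leaf (entry 1) needs its issuer among the other certificates sent;
      # without it OpenSSL and Java cannot build a path (error 20/21 at depth 0).
      found = 0
      for (k = 2; k <= n; k++) if (subj[k] == iss[1]) found = 1
      if (n >= 1 && !found && (code == "20" || code == "21")) {
        print "MISSING_INTERMEDIATE leaf issuer not sent: " iss[1]; exit
      }
      if (found && (code == "19" || code == "20")) { print "UNTRUSTED_ROOT"; exit }
      print "OTHER:" code
    }'
}

# check_host HOST [PORT]: live check (needs network), e.g. check_host repo.example.test
check_host() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null | classify_chain
}

# Constructed transcripts for offline use, trimmed to the lines classify_chain
# reads. SAMPLE_MISSING mirrors the failure seen in the thread.
SAMPLE_MISSING='Certificate chain
 0 s:/C=US/ST=New York/O=Example Org/CN=repo.example.test
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Verify return code: 21 (unable to verify the first certificate)'

SAMPLE_OK='Certificate chain
 0 s:/CN=repo.example.test
   i:/O=Example CA/CN=Example Intermediate
 1 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
---
Verify return code: 0 (ok)'
```

Run `printf '%s\n' "$SAMPLE_MISSING" | classify_chain` to see the classification of the thread's failure mode, or `check_host <host>` against a live server.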
Ben Caradoc-Davies
2017-07-19 21:10:43 UTC
Thanks very much, Quinn. I tested the build and can confirm that the
Maven repo certificate problem is fixed.

Kind regards,
Ben.
Issues should now be resolved, sorry for the interruption.
I have had issues with local building the last few days for the same
reason.
Cheers
Niels
Thanks, Torben. Much appreciated.
I do not know if this problem will impact anyone trying to build
GeoServer. I am testing with an empty local repo.
Kind regards,
Ben.
Hello Ben,
Nick is currently away, and Jody is at FOSS4G Europe, so I'm not sure
either of them will be likely to respond anytime soon.
I'll try and get in touch with someone at Boundless who can help.
Torben
On Tue, Jul 18, 2017 at 3:36 PM, Nuno Oliveira <
Humm ... I'm using the latest Oracle JDK version (141) and my system
Java certificates package is updated but I'm having the same issue.
I will give another try to this tomorrow if I have time ...
Jody and Nick,
there appears to be an SSL certificate problem between the Boundless
Jenkins worker that builds geoserver-master and the Boundless Maven
repo.
The Maven repo has a new SSL certificate with validity starting on 17
https://repo.boundlessgeo.com/snapshot/
The Jenkins geoserver-master deploy step fails with what looks like a
failure to establish an SSL trust chain (see below).
Is someone from Boundless able to investigate?
The Jenkins geoserver-master build uses java-8-oracle-amd64 in
/usr/lib/jvm/java-8-oracle on the worker. If this is old, the fix might be
as simple as an upgrade of java-8-oracle-amd64 to pick up more recent
certificates. Another possible solution is to upgrade system CA
certificates (on Debian ca-certificates-java). I do not know which CA
certificate store is used by the Oracle JDK. Does it bundle its own or use
the system certificates?
Kind regards,
Ben.
See <http://ares.boundlessgeo.com/jenkins/job/geoserver-master/4929/changes>
[...]
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15.956 s
[INFO] Finished at: 2017-07-18T19:21:30+00:00
[INFO] Final Memory: 129M/630M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy
(default-deploy) on project geoserver: Failed to retrieve remote metadata
org.geoserver:geoserver:2.12-SNAPSHOT/maven-metadata.xml: Could not
transfer metadata org.geoserver:geoserver:2.12-SNAPSHOT/maven-metadata.xml
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the
-e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions,
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
--
Regards,
Nuno Oliveira
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==
Nuno Miguel Carvalho Oliveira
@nmcoliveira
Software Engineer
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
--
Ben Caradoc-Davies <***@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand