Posted to user@jclouds.apache.org by cen <im...@gmail.com> on 2016/09/12 17:02:38 UTC

JClouds TLS SNI support?

Hi

We have a FakeS3 instance behind a reverse proxy which handles several 
subdomains over a single IP. We use a Let's Encrypt certificate to sign 
the subdomains. We have the latest Java 8 installed, which has the Let's 
Encrypt root in its truststore. However, JClouds fails to connect to 
our FakeS3 instance over https (http works). We believe it is because 
TLS SNI is not supported in JClouds, since this is the most common 
problem we found other people having when googling around. I browsed 
around the org.jclouds.http package but I was unable to determine what HTTP 
client JClouds uses behind the scenes or whether it's a custom 
implementation. Could I get some feedback on whether my assumptions are 
correct and how hard it would be to fix this? This is the stacktrace:


PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to HEAD https://s3.demo.mydomain.com/productname HTTP/1.1
     at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:121)
     at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:90)
     at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:73)
     at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:44)
     at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
     at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
     at com.sun.proxy.$Proxy146.bucketExists(Unknown Source)
     at org.jclouds.s3.blobstore.S3BlobStore.containerExists(S3BlobStore.java:131)
     at com.redacted.util.storage.S3Storage.saveBlob(S3Storage.java:42)
     at com.redacted.util.storage.BlobStorageImpl.saveBlob(BlobStorageImpl.java:19)
     at com.redacted.api.rest.v1.resources.ImagesResourceImpl.createTenant(ImagesResourceImpl.java:90)
     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldSubclass.createTenant$$super(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:49)
     at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:77)
     at com.redacted.api.rest.v1.interceptors.ValidatePermissionsInterceptor.checkOwnership(ValidatePermissionsInterceptor.java:63)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
     at org.jboss.weld.interceptor.proxy.NonTerminalAroundInvokeInvocationContext.proceedInternal(NonTerminalAroundInvokeInvocationContext.java:64)
     at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:77)
     at com.redacted.api.rest.v1.interceptors.TransactionalInterceptor.manageTransaction(TransactionalInterceptor.java:34)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.executeAroundInvoke(InterceptorMethodHandler.java:84)
     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.executeInterception(InterceptorMethodHandler.java:72)
     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(InterceptorMethodHandler.java:56)
     at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:79)
     at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:68)
     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldSubclass.createTenant(Unknown Source)
     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$Proxy$_$$_WeldClientProxy.createTenant(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)
     at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:164)
     at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:181)
     at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:158)
     at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:101)
     at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)
     at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)
     at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)
     at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:305)
     at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
     at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
     at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
     at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
     at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
     at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)
     at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:288)
     at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1110)
     at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:401)
     at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:386)
     at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:335)
     at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:222)
     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:835)
     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1685)
     at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209)
     at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244)
     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581)
     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:513)
     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1158)
     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511)
     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1090)
     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119)
     at org.eclipse.jetty.server.Server.handle(Server.java:517)
     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308)
     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242)
     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
     at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75)
     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
     at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
     at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)
     at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:105)
     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:65)
     at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:99)
     ... 89 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(JavaUrlHttpCommandExecutorService.java:97)
     ... 91 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
     at sun.security.validator.Validator.validate(Validator.java:260)
     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
     ... 104 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
     ... 110 more


Re: JClouds TLS SNI support?

Posted by Ignasi Barrera <na...@apache.org>.
Better open one issue with all the details you got. Thanks!

On 15 September 2016 at 12:20, cen <im...@gmail.com> wrote:
> Sure. Should I open the issue specifically about Apache client and another
> one for default Java client?
>
> The unexplained thing is why the default Java client isn't working with SNI
> by default, even though it should in theory (Java 8 sends SNI automatically
> and by default according to Oracle docs). The closest thing I found is this:
> http://stackoverflow.com/questions/30817934/extended-server-name-sni-extension-not-sent-with-jdk1-8-0-but-send-with-jdk1-7
> a possible OpenJDK bug.
>
> A quick dig into JClouds code seems to confirm that setHostnameVerifier() is
> used so this could be the case.
>
>
> On 15. 09. 2016 at 12:06, Ignasi Barrera wrote:
>
>> Thanks for the feedback and all the details cen!
>>
>> Would you mind opening an issue in our JIRA so we can track and fix
>> the Apache driver?
>>
>>
>>
>> On 15 September 2016 at 11:17, cen <im...@gmail.com> wrote:
>>>
>>> Hi
>>>
>>> The default driver and the Apache driver failed me but OkHttp worked.
>>>
>>> For Apache, I found a similar bug in Keycloak JIRA:
>>> https://issues.jboss.org/browse/KEYCLOAK-2439
>>>
>>> The interesting part is:
>>>
>>> "Client adapter uses a deprecated API when setting up HttpClient object in
>>> org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch which is
>>> part of HttpClient library since version 4.3.2, and which seems to delegate
>>> this part to Java SDK classes, where SNI is automatically set, isn't
>>> activated."
>>>
>>> It's a guess on my part but I assume JClouds instantiates the HttpClient
>>> in a way that SNI does not get activated.
>>>
>>> I dug more into the Apache driver and the way SSLSocketFactory is used by
>>> JClouds is very similar to pre-patched Keycloak from that Jira issue
>>> (according to pull requests). Might be worth looking into.
>>>
>>> Best regards, cen
>>>
>>>
>>> On 12. 09. 2016 at 21:04, Ignasi Barrera wrote:
>>>
>>> Hi!
>>>
>>> jclouds supports several HTTP drivers. By default it relies on the java
>>> HttpUrlConnection, but you can also configure it to use the Apache Http
>>> client or OkHttp [1]. Using those drivers is as simple as adding the
>>> corresponding Guice module when creating the context (have a look at the
>>> OkHttp driver readme for an example [2]) so feel free to use the one that
>>> is better for your use case.
>>>
>>> If you need more control over how the http client is configured, you can
>>> take the jclouds Docker api as an example. It configures OkHttp to support
>>> TLS connections. You can have a look at its docker http module [3] and
>>> create a similar module that initializes the OkHttpClient as needed, and
>>> then pass it to the ContextBuilder when creating the jclouds context.
>>>
>>> HTH!
>>>
>>> I.
>>>
>>> [1] https://github.com/jclouds/jclouds/tree/master/drivers
>>> [2]
>>> https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
>>> [3]
>>>
>>> https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
>>>
>>> On 12 Sept. 2016 at 7:02 p.m., "cen" <im...@gmail.com> wrote:
>>>
>>> Hi
>>>
>>> We have a FakeS3 instance behind a reverse proxy which handles several
>>> subdomains over a single IP. We use a Let's Encrypt certificate to sign the
>>> subdomains. We have the latest Java 8 installed, which has the Let's
>>> Encrypt root in its truststore. However, JClouds fails to connect to our
>>> FakeS3 instance over https (http works). We believe it is because TLS SNI
>>> is not supported in JClouds, since this is the most common problem we found
>>> other people having when googling around. I browsed around the
>>> org.jclouds.http package but I was unable to determine what HTTP client
>>> JClouds uses behind the scenes or whether it's a custom implementation.
>>> Could I get some feedback on whether my assumptions are correct and how
>>> hard it would be to fix this? This is the stacktrace:
>>>
>

Re: JClouds TLS SNI support?

Posted by cen <im...@gmail.com>.
Sure. Should I open the issue specifically about the Apache client and
another one for the default Java client?

The unexplained thing is why the default Java client isn't working with
SNI by default, even though it should in theory (Java 8 sends SNI
automatically and by default according to Oracle docs). The closest
thing I found is this, a possible OpenJDK bug:
http://stackoverflow.com/questions/30817934/extended-server-name-sni-extension-not-sent-with-jdk1-8-0-but-send-with-jdk1-7

A quick dig into the JClouds code seems to confirm that
setHostnameVerifier() is used, so this could be the case.


On 15. 09. 2016 at 12:06, Ignasi Barrera wrote:
> Thanks for the feedback and all the details cen!
>
> Would you mind opening an issue in our JIRA so we can track and fix
> the Apache driver?
>
>
>
> On 15 September 2016 at 11:17, cen <im...@gmail.com> wrote:
>> Hi
>>
>> Default driver and Apache driver failed me but OkHTTP worked.
>>
>> For Apache, I found a similar bug in Keycloak JIRA:
>> https://issues.jboss.org/browse/KEYCLOAK-2439
>>
>> The interesting part is:
>>
>> "Client adapter uses a deprecated API when setting up HttpClient object in
>> org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch which is
>> part of HttpClient library since version 4.3.2, and which seems to delegate
>> this part to Java SDK classes, where SNI is automatically set, isn't
>> activated."
>>
>> It's a guess on my part but I assume JClouds instantiates the HttpClient in
>> a way that SNI does not get activated.
>>
>> I dug more into the Apache driver and the way SSLSocketFactory is used by
>> JClouds is very similar to pre-patched Keycloak from that Jira issue
>> (according to pull requests). Might be worth looking into.
>>
>> Best regards, cen
>>
>>
>> On 12. 09. 2016 at 21:04, Ignasi Barrera wrote:
>>
>> Hi!
>>
>> jclouds supports several HTTP drivers. By default it relies on the Java
>> HttpURLConnection, but you can also configure it to use the Apache HTTP
>> client or OkHttp [1]. Using those drivers is as simple as adding the
>> corresponding Guice module when creating the context (have a look at the
>> OkHttp driver readme for an example [2]), so feel free to use the one that
>> is better for your use case.
>>
>> If you need more control over how the HTTP client is configured, you can take
>> the jclouds Docker API as an example. It configures OkHttp to support
>> TLS connections. You can have a look at its Docker HTTP module [3] and
>> create a similar module that initializes the OkHttpClient as needed, and
>> then pass it to the ContextBuilder when creating the jclouds context.
>>
>> HTH!
>>
>> I.
>>
>> [1] https://github.com/jclouds/jclouds/tree/master/drivers
>> [2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
>> [3]
>> https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
>>
>> On 12 Sep 2016 at 7:02 p.m., "cen" <im...@gmail.com> wrote:
>>
>> Hi
>>
>> We have a FakeS3 instance behind a reverse proxy which handles several
>> subdomains over a single IP. We use a Let's Encrypt certificate to sign the
>> subdomains. We have the latest Java 8 installed, which has the Let's Encrypt
>> root in its truststore. However, JClouds fails to connect to our FakeS3
>> instance over https (http works). We believe it is because TLS SNI is not
>> supported in JClouds, since this is the most common problem we found other
>> people having when googling around. I browsed around the org.jclouds.http
>> package but I was unable to determine what HTTP client JClouds uses
>> behind the scenes or if it's a custom implementation. Could I get some
>> feedback on whether my assumptions are correct and how hard it would be to fix
>> this? This is the stacktrace:
>>
>>
>> [...]
>>
>>
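Before swapping drivers it helps to separate the two failure modes this thread runs together: a client that never sends the SNI extension (so a name-based reverse proxy answers with a default certificate) and a JVM that does not trust the served chain at all. Both surface as the same "PKIX path building failed" message. The following is an added diagnostic, not code from the thread or from the jclouds project, that uses only the JDK: it performs two handshakes against the same endpoint, one with SNI set explicitly and one with SNI suppressed (an empty server-name list tells JSSE not to send the extension), and reports which combination fails. The host name and port are placeholders.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Connects twice to the same host: once with the SNI extension explicitly
 * populated, once with it explicitly suppressed. The pair of outcomes
 * separates "the client library is not sending SNI" from "this JVM does
 * not trust the certificate chain at all".
 */
public class SniProbe {

    /** Result of one handshake attempt. */
    public static final class Outcome {
        public final boolean handshakeOk;
        public final String detail;

        Outcome(boolean handshakeOk, String detail) {
            this.handshakeOk = handshakeOk;
            this.detail = detail;
        }
    }

    /**
     * Performs a TLS handshake using the JVM's default trust store.
     *
     * @param sendSni true to send the SNI extension carrying {@code host};
     *                false to send no SNI extension at all (JSSE treats an
     *                empty server-name list as "do not send the extension")
     */
    public static Outcome handshake(String host, int port, boolean sendSni) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            List<SNIServerName> names = sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList();
            params.setServerNames(names);
            // Keep hostname verification on: a default certificate for the
            // wrong name must still be reported as a failure, not papered over.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            String subject = socket.getSession().getPeerPrincipal().getName();
            return new Outcome(true, "server presented " + subject);
        } catch (SSLException e) {
            return new Outcome(false, e.getClass().getSimpleName() + ": " + e.getMessage());
        } catch (IOException e) {
            return new Outcome(false, "I/O failure: " + e.getMessage());
        }
    }

    /** Maps the two outcomes onto the cases discussed in the thread. */
    public static String diagnose(Outcome withSni, Outcome withoutSni) {
        if (withSni.handshakeOk && !withoutSni.handshakeOk) {
            return "SNI required: the server only presents a trusted, matching certificate "
                 + "when SNI is sent, so a client that fails here is not sending the extension";
        }
        if (!withSni.handshakeOk) {
            return "Fails even with SNI: the chain is not trusted by this JVM or does not match "
                 + "the host name (check the trust store and the intermediate the server sends); "
                 + "this is not an SNI problem";
        }
        return "Handshake succeeds with and without SNI: this endpoint does not depend on SNI";
    }

    public static void main(String[] args) {
        // Placeholder endpoint; replace with the TLS virtual host behind the reverse proxy.
        String host = args.length > 0 ? args[0] : "s3.demo.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        Outcome withSni = handshake(host, port, true);
        Outcome withoutSni = handshake(host, port, false);
        System.out.println("with SNI   : " + withSni.detail);
        System.out.println("without SNI: " + withoutSni.detail);
        System.out.println(diagnose(withSni, withoutSni));
    }
}
```

Run it with the same JVM and trust store the application uses (`java SniProbe s3.demo.mydomain.com 443`). If the "with SNI" handshake succeeds and the "without SNI" one fails, the trust store is fine and the problem is whichever HTTP driver is not emitting the extension; if both fail, the missing piece is the chain (for example, the intermediate certificate the proxy has to send), and no driver change will help.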

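For the driver swap Ignasi suggests and cen reports as the one that worked, here is an added example (not code from the thread or from the jclouds project) of building an S3 BlobStoreContext with the OkHttp driver module instead of the default HttpURLConnection driver. The endpoint, bucket name and credentials are placeholders; `OkHttpCommandExecutorServiceModule` is the Guice module shipped in the jclouds OkHttp driver.

```java
import com.google.common.collect.ImmutableSet;
import com.google.inject.Module;
import org.jclouds.ContextBuilder;
import org.jclouds.blobstore.BlobStore;
import org.jclouds.blobstore.BlobStoreContext;
import org.jclouds.http.okhttp.config.OkHttpCommandExecutorServiceModule;

/**
 * Builds a jclouds S3 context that talks to a custom (non-AWS) S3 endpoint
 * through the OkHttp driver rather than the default HttpURLConnection one.
 */
public class S3OverOkHttp {

    /**
     * The "s3" API id is the generic S3 protocol binding, which is what a
     * FakeS3 or other S3-compatible endpoint needs; "aws-s3" would pin the
     * context to Amazon's own endpoints.
     */
    public static BlobStoreContext openContext(String endpoint, String identity, String credential) {
        // The only driver-specific step: register the OkHttp executor module
        // when the context is created, exactly as the OkHttp driver readme describes.
        Iterable<Module> modules = ImmutableSet.<Module>of(new OkHttpCommandExecutorServiceModule());
        return ContextBuilder.newBuilder("s3")
                .endpoint(endpoint)
                .credentials(identity, credential)
                .modules(modules)
                .buildView(BlobStoreContext.class);
    }

    public static void main(String[] args) {
        // Placeholder endpoint and credentials; the endpoint is the proxy's TLS virtual host.
        try (BlobStoreContext ctx = openContext(
                "https://s3.demo.example.invalid", "ACCESS_KEY_PLACEHOLDER", "SECRET_KEY_PLACEHOLDER")) {
            BlobStore store = ctx.getBlobStore();
            // Same call that failed in the original stack trace (S3BlobStore.containerExists).
            System.out.println("bucket exists: " + store.containerExists("productname"));
        }
    }
}
```

The driver is a separate artifact (`org.apache.jclouds.driver:jclouds-okhttp`, same version as `jclouds-core`) and must be on the classpath alongside the S3 API. Nothing else in the application changes: the module replaces the HTTP executor behind the same `BlobStore` interface, which is why a driver-level SNI defect can be worked around without touching the code that issues the requests.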

Re: JClouds TLS SNI support?

Posted by Ignasi Barrera <na...@apache.org>.
Thanks for the feedback and all the details cen!

Would you mind opening an issue in our JIRA so we can track and fix
the Apache driver?



On 15 September 2016 at 11:17, cen <im...@gmail.com> wrote:
> Hi
>
> Default driver and Apache driver failed me but OkHTTP worked.
>
> For Apache, I found a similar bug in Keycloak JIRA:
> https://issues.jboss.org/browse/KEYCLOAK-2439
>
> The interesting part is:
>
> "Client adapter uses a deprecated API when setting up HttpClient object in
> org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch which is
> part of HttpClient library since version 4.3.2, and which seems to delegate
> this part to Java SDK classes, where SNI is automatically set, isn't
> activated."
>
> It's a guess on my part but I assume JClouds instantiates the HttpClient in
> a way that SNI does not get activated.
>
> I dug more into the Apache driver and the way SSLSocketFactory is used by
> JClouds is very similar to pre-patched Keycloak from that Jira issue
> (according to pull requests). Might be worth looking into.
>
> Best regards, cen
>
>
> On 12. 09. 2016 at 21:04, Ignasi Barrera wrote:
>
> Hi!
>
> jclouds supports several HTTP drivers. By default it relies on the Java
> HttpURLConnection, but you can also configure it to use the Apache HTTP
> client or OkHttp [1]. Using those drivers is as simple as adding the
> corresponding Guice module when creating the context (have a look at the
> OkHttp driver readme for an example [2]), so feel free to use the one that
> is better for your use case.
>
> If you need more control over how the HTTP client is configured, you can take
> the jclouds Docker API as an example. It configures OkHttp to support
> TLS connections. You can have a look at its Docker HTTP module [3] and
> create a similar module that initializes the OkHttpClient as needed, and
> then pass it to the ContextBuilder when creating the jclouds context.
>
> HTH!
>
> I.
>
> [1] https://github.com/jclouds/jclouds/tree/master/drivers
> [2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
> [3]
> https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
>
> On 12 Sep 2016 at 7:02 p.m., "cen" <im...@gmail.com> wrote:
>
> Hi
>
> We have a FakeS3 instance behind a reverse proxy which handles several
> subdomains over a single IP. We use a Let's Encrypt certificate to sign the
> subdomains. We have the latest Java 8 installed, which has the Let's Encrypt
> root in its truststore. However, JClouds fails to connect to our FakeS3
> instance over https (http works). We believe it is because TLS SNI is not
> supported in JClouds, since this is the most common problem we found other
> people having when googling around. I browsed around the org.jclouds.http
> package but I was unable to determine what HTTP client JClouds uses
> behind the scenes or if it's a custom implementation. Could I get some
> feedback on whether my assumptions are correct and how hard it would be to fix
> this? This is the stacktrace:
>
>
> [...]
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException:
> PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(
> ClientHandshaker.java:1509)
>     at sun.security.ssl.ClientHandshaker.processMessage(
> ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
> SSLSocketImpl.java:1375)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(
> SSLSocketImpl.java:1403)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(
> SSLSocketImpl.java:1387)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(
> HttpsClient.java:559)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnec
> tion.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> HttpURLConnection.java:1513)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> HttpURLConnection.java:1441)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
> HttpsURLConnectionImpl.java:254)
>     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
> JavaUrlHttpCommandExecutorService.java:97)
>     ... 91 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(
> PKIXValidator.java:387)
>     at sun.security.validator.PKIXValidator.engineValidate(
> PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(
> X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
> X509TrustManagerImpl.java:229)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(
> X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(
> ClientHandshaker.java:1491)
>     ... 104 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.
> build(SunCertPathBuilder.java:141)
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
> SunCertPathBuilder.java:126)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     at sun.security.validator.PKIXValidator.doBuild(
> PKIXValidator.java:382)
>     ... 110 more
>
>

Re: JClouds TLS SNI support?

Posted by cen <im...@gmail.com>.
Hi

Default driver and Apache driver failed me but OkHTTP worked.

For Apache, I found a similar bug in Keycloak JIRA: 
https://issues.jboss.org/browse/KEYCLOAK-2439

The interesting part is:

"Client adapter uses a deprecated API when setting up HttpClient object 
in org.keycloak.adapters.HttpClientBuilder. As a result, a SNI patch 
<https://issues.apache.org/jira/browse/HTTPCLIENT-1119> which is part of 
HttpClient library since version 4.3.2 
<http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.5.x.txt>, 
and which seems to delegate this part to Java SDK classes, where SNI is 
automatically set, isn't activated."

It's a guess on my part but I assume JClouds instantiates the HttpClient 
in a way that SNI does not get activated.

I dug more into the Apache driver and the way SSLSocketFactory is used by 
JClouds is very similar to pre-patched Keycloak from that Jira issue 
(according to pull requests). Might be worth looking into.

Best regards, cen
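
As an added diagnostic for the situation cen describes (this is example code written for this page, not code from the thread, from jclouds or from Keycloak): the class below opens a TLS connection to the proxy twice, once with the SNI extension and once with it deliberately omitted, and reports which leaf certificate the server presented and whether the JDK's default trust store accepted it. The host name is the placeholder from the thread; everything else is standard JSSE. Trust decisions are still made by the JDK's default X509TrustManager; the wrapper only records the chain so it can be printed even when validation fails.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Compares a TLS handshake with and without SNI against the same host. */
public final class SniCheck {

    /** Outcome of one handshake attempt. */
    public static final class Result {
        public final boolean trusted;
        public final String presentedSubject;  // leaf subject DN, or null if no chain was received
        public final String error;             // handshake error message, or null on success

        Result(boolean trusted, String presentedSubject, String error) {
            this.trusted = trusted;
            this.presentedSubject = presentedSubject;
            this.error = error;
        }
    }

    /** Records the server chain, then delegates the real trust decision unchanged. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        volatile X509Certificate[] presented;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            presented = chain;                   // leaf first, exactly as the server sent it
            delegate.checkServerTrusted(chain, authType);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);               // null = the JDK's own cacerts trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager in the default TrustManagerFactory");
    }

    public static Result handshake(String host, int port, boolean sendSni)
            throws IOException, GeneralSecurityException {
        RecordingTrustManager recorder = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // An empty server-name list makes JSSE send no SNI extension at all, which is
            // what a client without SNI support looks like to a name-based reverse proxy.
            params.setServerNames(sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList());
            params.setEndpointIdentificationAlgorithm("HTTPS");  // hostname check, as HttpsURLConnection does
            socket.setSSLParameters(params);
            try {
                socket.startHandshake();
                return new Result(true, leafSubject(recorder.presented), null);
            } catch (SSLHandshakeException e) {
                return new Result(false, leafSubject(recorder.presented), e.getMessage());
            }
        }
    }

    private static String leafSubject(X509Certificate[] chain) {
        return chain == null || chain.length == 0 ? null : chain[0].getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host taken from the thread; pass your own as the first argument.
        String host = args.length > 0 ? args[0] : "s3.demo.mydomain.com";
        for (boolean sni : new boolean[] { true, false }) {
            Result r = handshake(host, 443, sni);
            System.out.printf("SNI %-3s: %s, server presented %s%s%n", sni ? "on" : "off",
                    r.trusted ? "trusted" : "NOT trusted", r.presentedSubject,
                    r.error == null ? "" : " [" + r.error + "]");
        }
    }
}
```

Read the two output lines together. If the run with SNI on is trusted while the run with SNI off presents a different subject (the proxy's default virtual host) and fails, the proxy depends on SNI and any client that does not send it will hit exactly the PKIX error in the trace. If both runs fail with the same subject, SNI is not the cause; the usual reason for "unable to find valid certification path" is then a server that sends only the leaf certificate without its intermediate, since the JDK does not fetch missing intermediates on its own. Note also that the JDK's own HttpsURLConnection has sent SNI since Java 7 unless the `jsse.enableSNIExtension` system property is set to false, so that property is worth checking before swapping drivers.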


Ignasi Barrera wrote on 12. 09. 2016 at 21:04:
> Hi!
>
> jclouds supports several HTTP drivers. By default it relies on the Java
> HttpURLConnection, but you can also configure it to use the Apache Http
> client or OkHttp [1]. Using those drivers is as simple as adding the
> corresponding Guice module when creating the context (have a look at the
> OkHttp driver readme for an example [2]) so feel free to use the one that
> is better for your use case.
>
> If you need more control on how the http client is configured, you can take
> the jclouds Docker api as an example. It configures OkHttp to support
> TLS connections. You can have a look at its docker http module [3] and
> create a similar module that initializes the OkHttpClient as needed, and
> then pass it to the ContextBuilder when creating the jclouds context.
>
> HTH!
>
> I.
>
> [1] https://github.com/jclouds/jclouds/tree/master/drivers
> [2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
> [3]
> https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
>
> On 12 Sep 2016 at 7:02 p.m., "cen" <im...@gmail.com> wrote:
>
>> Hi
>>
>> We have a FakeS3 instance behind a reverse proxy which handles several
>> subdomains over a single IP. We use a Let's Encrypt certificate to sign the
>> subdomains. We have the latest Java 8 installed which has the Let's Encrypt
>> root in its truststore. However, JClouds fails to connect to our FakeS3
>> instance over https (http works). We believe it is because TLS SNI is not
>> supported in JClouds since this is the most common problem we found other
>> people having when googling around. I browsed around org.jclouds.http
>> package but I was unable to determine what HTTP client does JClouds use
>> behind the scenes or if it's a custom implementation. Could I get some
>> feedback whether my assumptions are correct and how hard it would be to fix
>> this? This is the stacktrace:
>>
>>
>> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target connecting to
>> HEAD https://s3.demo.mydomain.com/productname HTTP/1.1
>>      at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
>> BaseHttpCommandExecutorService.java:121)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.invoke(
>> InvokeHttpMethod.java:90)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.apply(
>> InvokeHttpMethod.java:73)
>>      at org.jclouds.rest.internal.InvokeHttpMethod.apply(
>> InvokeHttpMethod.java:44)
>>      at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(
>> DelegatesToInvocationFunction.java:156)
>>      at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(
>> DelegatesToInvocationFunction.java:123)
>>      at com.sun.proxy.$Proxy146.bucketExists(Unknown Source)
>>      at org.jclouds.s3.blobstore.S3BlobStore.containerExists(
>> S3BlobStore.java:131)
>>      at com.redacted.util.storage.S3Storage.saveBlob(S3Storage.java:42)
>>      at com.redacted.util.storage.BlobStorageImpl.saveBlob(
>> BlobStorageImpl.java:19)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl.createTenant(
>> ImagesResourceImpl.java:90)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>> Proxy$_$$_WeldSubclass.createTenant$$super(Unknown Source)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocation
>> Context.proceedInternal(TerminalAroundInvokeInvocationContext.java:49)
>>      at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
>> proceed(AroundInvokeInvocationContext.java:77)
>>      at com.redacted.api.rest.v1.interceptors.
>> ValidatePermissionsInterceptor.checkOwnership(
>> ValidatePermissionsInterceptor.java:63)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$
>> SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>>      at org.jboss.weld.interceptor.proxy.NonTerminalAroundInvokeInvocat
>> ionContext.proceedInternal(NonTerminalAroundInvokeInvocat
>> ionContext.java:64)
>>      at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
>> proceed(AroundInvokeInvocationContext.java:77)
>>      at com.redacted.api.rest.v1.interceptors.TransactionalInterceptor.
>> manageTransaction(TransactionalInterceptor.java:34)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$
>> SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
>> executeAroundInvoke(InterceptorMethodHandler.java:84)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
>> executeInterception(InterceptorMethodHandler.java:72)
>>      at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(
>> InterceptorMethodHandler.java:56)
>>      at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecorato
>> rStackMethodHandler.invoke(CombinedInterceptorAndDecorato
>> rStackMethodHandler.java:79)
>>      at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecorato
>> rStackMethodHandler.invoke(CombinedInterceptorAndDecorato
>> rStackMethodHandler.java:68)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>> Proxy$_$$_WeldSubclass.createTenant(Unknown Source)
>>      at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
>> Proxy$_$$_WeldClientProxy.createTenant(Unknown Source)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(
>> NativeMethodAccessorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>> DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.glassfish.jersey.server.model.internal.
>> ResourceMethodInvocationHandlerFactory$1.invoke(
>> ResourceMethodInvocationHandlerFactory.java:81)
>>      at org.glassfish.jersey.server.model.internal.
>> AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDisp
>> atcher.java:164)
>>      at org.glassfish.jersey.server.model.internal.
>> AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDisp
>> atcher.java:181)
>>      at org.glassfish.jersey.server.model.internal.
>> JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(
>> JavaResourceMethodDispatcherProvider.java:158)
>>      at org.glassfish.jersey.server.model.internal.
>> AbstractJavaResourceMethodDispatcher.dispatch(
>> AbstractJavaResourceMethodDispatcher.java:101)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> invoke(ResourceMethodInvoker.java:389)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> apply(ResourceMethodInvoker.java:347)
>>      at org.glassfish.jersey.server.model.ResourceMethodInvoker.
>> apply(ResourceMethodInvoker.java:102)
>>      at org.glassfish.jersey.server.ServerRuntime$2.run(
>> ServerRuntime.java:305)
>>      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
>>      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
>>      at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
>>      at org.glassfish.jersey.process.internal.RequestScope.
>> runInScope(RequestScope.java:317)
>>      at org.glassfish.jersey.server.ServerRuntime.process(
>> ServerRuntime.java:288)
>>      at org.glassfish.jersey.server.ApplicationHandler.handle(
>> ApplicationHandler.java:1110)
>>      at org.glassfish.jersey.servlet.WebComponent.service(
>> WebComponent.java:401)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:386)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:335)
>>      at org.glassfish.jersey.servlet.ServletContainer.service(
>> ServletContainer.java:222)
>>      at org.eclipse.jetty.servlet.ServletHolder.handle(
>> ServletHolder.java:835)
>>      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
>> doFilter(ServletHandler.java:1685)
>>      at com.thetransactioncompany.cors.CORSFilter.doFilter(
>> CORSFilter.java:209)
>>      at com.thetransactioncompany.cors.CORSFilter.doFilter(
>> CORSFilter.java:244)
>>      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
>> doFilter(ServletHandler.java:1668)
>>      at org.eclipse.jetty.servlet.ServletHandler.doHandle(
>> ServletHandler.java:581)
>>      at org.eclipse.jetty.server.handler.ScopedHandler.handle(
>> ScopedHandler.java:143)
>>      at org.eclipse.jetty.security.SecurityHandler.handle(
>> SecurityHandler.java:513)
>>      at org.eclipse.jetty.server.session.SessionHandler.
>> doHandle(SessionHandler.java:226)
>>      at org.eclipse.jetty.server.handler.ContextHandler.
>> doHandle(ContextHandler.java:1158)
>>      at org.eclipse.jetty.servlet.ServletHandler.doScope(
>> ServletHandler.java:511)
>>      at org.eclipse.jetty.server.session.SessionHandler.
>> doScope(SessionHandler.java:185)
>>      at org.eclipse.jetty.server.handler.ContextHandler.
>> doScope(ContextHandler.java:1090)
>>      at org.eclipse.jetty.server.handler.ScopedHandler.handle(
>> ScopedHandler.java:141)
>>      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(
>> HandlerWrapper.java:119)
>>      at org.eclipse.jetty.server.Server.handle(Server.java:517)
>>      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308)
>>      at org.eclipse.jetty.server.HttpConnection.onFillable(
>> HttpConnection.java:242)
>>      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(
>> AbstractConnection.java:273)
>>      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
>>      at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(
>> SelectChannelEndPoint.java:75)
>>      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.
>> produceAndRun(ExecuteProduceConsume.java:213)
>>      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(
>> ExecuteProduceConsume.java:147)
>>      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(
>> QueuedThreadPool.java:654)
>>      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(
>> QueuedThreadPool.java:572)
>>      at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
>> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>> Method)
>>      at sun.reflect.NativeConstructorAccessorImpl.newInstance(
>> NativeConstructorAccessorImpl.java:62)
>>      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
>> DelegatingConstructorAccessorImpl.java:45)
>>      at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>      at sun.net.www.protocol.http.HttpURLConnection$10.run(
>> HttpURLConnection.java:1890)
>>      at sun.net.www.protocol.http.HttpURLConnection$10.run(
>> HttpURLConnection.java:1885)
>>      at java.security.AccessController.doPrivileged(Native Method)
>>      at sun.net.www.protocol.http.HttpURLConnection.getChainedException(
>> HttpURLConnection.java:1884)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> HttpURLConnection.java:1457)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>> HttpURLConnection.java:1441)
>>      at java.net.HttpURLConnection.getResponseCode(
>> HttpURLConnection.java:480)
>>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(
>> HttpsURLConnectionImpl.java:338)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:105)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:65)
>>      at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
>> BaseHttpCommandExecutorService.java:99)
>>      ... 89 more
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
>> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>      at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>      at sun.security.ssl.ClientHandshaker.serverCertificate(
>> ClientHandshaker.java:1509)
>>      at sun.security.ssl.ClientHandshaker.processMessage(
>> ClientHandshaker.java:216)
>>      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>      at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>>      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
>> SSLSocketImpl.java:1375)
>>      at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1403)
>>      at sun.security.ssl.SSLSocketImpl.startHandshake(
>> SSLSocketImpl.java:1387)
>>      at sun.net.www.protocol.https.HttpsClient.afterConnect(
>> HttpsClient.java:559)
>>      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnec
>> tion.connect(AbstractDelegateHttpsURLConnection.java:185)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> HttpURLConnection.java:1513)
>>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>> HttpURLConnection.java:1441)
>>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
>> HttpsURLConnectionImpl.java:254)
>>      at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
>> JavaUrlHttpCommandExecutorService.java:97)
>>      ... 91 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:387)
>>      at sun.security.validator.PKIXValidator.engineValidate(
>> PKIXValidator.java:292)
>>      at sun.security.validator.Validator.validate(Validator.java:260)
>>      at sun.security.ssl.X509TrustManagerImpl.validate(
>> X509TrustManagerImpl.java:324)
>>      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
>> X509TrustManagerImpl.java:229)
>>      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(
>> X509TrustManagerImpl.java:124)
>>      at sun.security.ssl.ClientHandshaker.serverCertificate(
>> ClientHandshaker.java:1491)
>>      ... 104 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>      at sun.security.provider.certpath.SunCertPathBuilder.
>> build(SunCertPathBuilder.java:141)
>>      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
>> SunCertPathBuilder.java:126)
>>      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>      at sun.security.validator.PKIXValidator.doBuild(
>> PKIXValidator.java:382)
>>      ... 110 more
>>


Re: JClouds TLS SNI support?

Posted by Ignasi Barrera <na...@apache.org>.
Hi!

jclouds supports several HTTP drivers. By default it relies on the Java
HttpURLConnection, but you can also configure it to use the Apache Http
client or OkHttp [1]. Using those drivers is as simple as adding the
corresponding Guice module when creating the context (have a look at the
OkHttp driver readme for an example [2]) so feel free to use the one that
is better for your use case.

If you need more control on how the http client is configured, you can take
the jclouds Docker api as an example. It configures OkHttp to support
TLS connections. You can have a look at its docker http module [3] and
create a similar module that initializes the OkHttpClient as needed, and
then pass it to the ContextBuilder when creating the jclouds context.

HTH!

I.

[1] https://github.com/jclouds/jclouds/tree/master/drivers
[2] https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/README.md
[3]
https://github.com/jclouds/jclouds/blob/master/apis/docker/src/main/java/org/jclouds/docker/config/DockerHttpApiModule.java
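
The driver swap Ignasi describes, written out as an added example for this page (it is not code from the thread or from the jclouds project): a BlobStoreContext for the generic S3 api against a self-hosted endpoint, built with the OkHttp driver module instead of the default HttpURLConnection driver. The class and property names are the jclouds ones as I know them (`OkHttpCommandExecutorServiceModule` from the OkHttp driver, `Constants.PROPERTY_TRUST_ALL_CERTS` and `Constants.PROPERTY_RELAX_HOSTNAME` from core); check them against the driver README linked above if your jclouds version differs. The endpoint, bucket name and credential environment variables are placeholders.

```java
import java.util.Properties;

import org.jclouds.Constants;
import org.jclouds.ContextBuilder;
import org.jclouds.blobstore.BlobStoreContext;
import org.jclouds.http.okhttp.config.OkHttpCommandExecutorServiceModule;

import com.google.common.collect.ImmutableSet;
import com.google.inject.Module;

/**
 * Builds a jclouds BlobStoreContext for a self-hosted S3 endpoint using the
 * OkHttp driver instead of the default HttpURLConnection driver. Certificate
 * validation stays fully enabled: the driver is swapped, the trust policy is not.
 */
public final class S3ContextWithOkHttp {

    public static BlobStoreContext open(String endpoint, String identity, String credential) {
        Properties overrides = new Properties();
        // Both default to false already; they are set explicitly so nobody is tempted to
        // flip them as a "fix". Trusting all certificates or relaxing the hostname check
        // would hide the PKIX error by removing the check, not by fixing the cause.
        overrides.setProperty(Constants.PROPERTY_TRUST_ALL_CERTS, "false");
        overrides.setProperty(Constants.PROPERTY_RELAX_HOSTNAME, "false");

        return ContextBuilder.newBuilder("s3")          // generic S3 api; endpoint supplied below
                .endpoint(endpoint)
                .credentials(identity, credential)
                .overrides(overrides)
                // This Guice module is what selects the OkHttp driver; the Apache driver
                // is selected the same way with ApacheHCHttpCommandExecutorServiceModule.
                .modules(ImmutableSet.<Module>of(new OkHttpCommandExecutorServiceModule()))
                .buildView(BlobStoreContext.class);
    }

    /** The same call that failed in the thread's stack trace (S3BlobStore.containerExists). */
    public static boolean bucketReachable(BlobStoreContext ctx, String bucket) {
        return ctx.getBlobStore().containerExists(bucket);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint and bucket from the thread; credentials come from the environment.
        try (BlobStoreContext ctx = open("https://s3.demo.mydomain.com",
                System.getenv("S3_IDENTITY"), System.getenv("S3_CREDENTIAL"))) {
            System.out.println("bucket reachable over TLS: " + bucketReachable(ctx, "productname"));
        }
    }
}
```

If the HEAD request succeeds with this module and fails with the default one on the same endpoint, the difference is in the HTTP driver's TLS setup rather than in the trust store, which is the conclusion cen reached above; keep the two `Constants` properties at false while testing so the comparison is between drivers and not between trust policies.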

On 12 Sep 2016 at 7:02 p.m., "cen" <im...@gmail.com> wrote:

> Hi
>
> We have a FakeS3 instance behind a reverse proxy which handles several
> subdomains over a single IP. We use a Let's Encrypt certificate to sign the
> subdomains. We have the latest Java 8 installed which has the Let's Encrypt
> root in its truststore. However, JClouds fails to connect to our FakeS3
> instance over https (http works). We believe it is because TLS SNI is not
> supported in JClouds since this is the most common problem we found other
> people having when googling around. I browsed around org.jclouds.http
> package but I was unable to determine what HTTP client does JClouds use
> behind the scenes or if it's a custom implementation. Could I get some
> feedback whether my assumptions are correct and how hard it would be to fix
> this? This is the stacktrace:
>
>
> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target connecting to
> HEAD https://s3.demo.mydomain.com/productname HTTP/1.1
>     at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
> BaseHttpCommandExecutorService.java:121)
>     at org.jclouds.rest.internal.InvokeHttpMethod.invoke(
> InvokeHttpMethod.java:90)
>     at org.jclouds.rest.internal.InvokeHttpMethod.apply(
> InvokeHttpMethod.java:73)
>     at org.jclouds.rest.internal.InvokeHttpMethod.apply(
> InvokeHttpMethod.java:44)
>     at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(
> DelegatesToInvocationFunction.java:156)
>     at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(
> DelegatesToInvocationFunction.java:123)
>     at com.sun.proxy.$Proxy146.bucketExists(Unknown Source)
>     at org.jclouds.s3.blobstore.S3BlobStore.containerExists(
> S3BlobStore.java:131)
>     at com.redacted.util.storage.S3Storage.saveBlob(S3Storage.java:42)
>     at com.redacted.util.storage.BlobStorageImpl.saveBlob(
> BlobStorageImpl.java:19)
>     at com.redacted.api.rest.v1.resources.ImagesResourceImpl.createTenant(
> ImagesResourceImpl.java:90)
>     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
> Proxy$_$$_WeldSubclass.createTenant$$super(Unknown Source)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocation
> Context.proceedInternal(TerminalAroundInvokeInvocationContext.java:49)
>     at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
> proceed(AroundInvokeInvocationContext.java:77)
>     at com.redacted.api.rest.v1.interceptors.
> ValidatePermissionsInterceptor.checkOwnership(
> ValidatePermissionsInterceptor.java:63)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$
> SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>     at org.jboss.weld.interceptor.proxy.NonTerminalAroundInvokeInvocat
> ionContext.proceedInternal(NonTerminalAroundInvokeInvocat
> ionContext.java:64)
>     at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.
> proceed(AroundInvokeInvocationContext.java:77)
>     at com.redacted.api.rest.v1.interceptors.TransactionalInterceptor.
> manageTransaction(TransactionalInterceptor.java:34)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$
> SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
>     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
> executeAroundInvoke(InterceptorMethodHandler.java:84)
>     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.
> executeInterception(InterceptorMethodHandler.java:72)
>     at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(
> InterceptorMethodHandler.java:56)
>     at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecorato
> rStackMethodHandler.invoke(CombinedInterceptorAndDecorato
> rStackMethodHandler.java:79)
>     at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecorato
> rStackMethodHandler.invoke(CombinedInterceptorAndDecorato
> rStackMethodHandler.java:68)
>     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
> Proxy$_$$_WeldSubclass.createTenant(Unknown Source)
>     at com.redacted.api.rest.v1.resources.ImagesResourceImpl$
> Proxy$_$$_WeldClientProxy.createTenant(Unknown Source)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.glassfish.jersey.server.model.internal.
> ResourceMethodInvocationHandlerFactory$1.invoke(
> ResourceMethodInvocationHandlerFactory.java:81)
>     at org.glassfish.jersey.server.model.internal.
> AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDisp
> atcher.java:164)
>     at org.glassfish.jersey.server.model.internal.
> AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDisp
> atcher.java:181)
>     at org.glassfish.jersey.server.model.internal.
> JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(
> JavaResourceMethodDispatcherProvider.java:158)
>     at org.glassfish.jersey.server.model.internal.
> AbstractJavaResourceMethodDispatcher.dispatch(
> AbstractJavaResourceMethodDispatcher.java:101)
>     at org.glassfish.jersey.server.model.ResourceMethodInvoker.
> invoke(ResourceMethodInvoker.java:389)
>     at org.glassfish.jersey.server.model.ResourceMethodInvoker.
> apply(ResourceMethodInvoker.java:347)
>     at org.glassfish.jersey.server.model.ResourceMethodInvoker.
> apply(ResourceMethodInvoker.java:102)
>     at org.glassfish.jersey.server.ServerRuntime$2.run(
> ServerRuntime.java:305)
>     at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
>     at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
>     at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
>     at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
>     at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
>     at org.glassfish.jersey.process.internal.RequestScope.
> runInScope(RequestScope.java:317)
>     at org.glassfish.jersey.server.ServerRuntime.process(
> ServerRuntime.java:288)
>     at org.glassfish.jersey.server.ApplicationHandler.handle(
> ApplicationHandler.java:1110)
>     at org.glassfish.jersey.servlet.WebComponent.service(
> WebComponent.java:401)
>     at org.glassfish.jersey.servlet.ServletContainer.service(
> ServletContainer.java:386)
>     at org.glassfish.jersey.servlet.ServletContainer.service(
> ServletContainer.java:335)
>     at org.glassfish.jersey.servlet.ServletContainer.service(
> ServletContainer.java:222)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(
> ServletHolder.java:835)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
> doFilter(ServletHandler.java:1685)
>     at com.thetransactioncompany.cors.CORSFilter.doFilter(
> CORSFilter.java:209)
>     at com.thetransactioncompany.cors.CORSFilter.doFilter(
> CORSFilter.java:244)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.
> doFilter(ServletHandler.java:1668)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(
> ServletHandler.java:581)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(
> ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(
> SecurityHandler.java:513)
>     at org.eclipse.jetty.server.session.SessionHandler.
> doHandle(SessionHandler.java:226)
>     at org.eclipse.jetty.server.handler.ContextHandler.
> doHandle(ContextHandler.java:1158)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(
> ServletHandler.java:511)
>     at org.eclipse.jetty.server.session.SessionHandler.
> doScope(SessionHandler.java:185)
>     at org.eclipse.jetty.server.handler.ContextHandler.
> doScope(ContextHandler.java:1090)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(
> ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(
> HandlerWrapper.java:119)
>     at org.eclipse.jetty.server.Server.handle(Server.java:517)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:308)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(
> HttpConnection.java:242)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(
> AbstractConnection.java:273)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
>     at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(
> SelectChannelEndPoint.java:75)
>     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.
> produceAndRun(ExecuteProduceConsume.java:213)
>     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(
> ExecuteProduceConsume.java:147)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(
> QueuedThreadPool.java:654)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(
> QueuedThreadPool.java:572)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(
> NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
> DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at sun.net.www.protocol.http.HttpURLConnection$10.run(
> HttpURLConnection.java:1890)
>     at sun.net.www.protocol.http.HttpURLConnection$10.run(
> HttpURLConnection.java:1885)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.net.www.protocol.http.HttpURLConnection.getChainedException(
> HttpURLConnection.java:1884)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> HttpURLConnection.java:1457)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> HttpURLConnection.java:1441)
>     at java.net.HttpURLConnection.getResponseCode(
> HttpURLConnection.java:480)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(
> HttpsURLConnectionImpl.java:338)
>     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
> JavaUrlHttpCommandExecutorService.java:105)
>     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
> JavaUrlHttpCommandExecutorService.java:65)
>     at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(
> BaseHttpCommandExecutorService.java:99)
>     ... 89 more
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(
> ClientHandshaker.java:1509)
>     at sun.security.ssl.ClientHandshaker.processMessage(
> ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(
> SSLSocketImpl.java:1375)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(
> SSLSocketImpl.java:1403)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(
> SSLSocketImpl.java:1387)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(
> HttpsClient.java:559)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnec
> tion.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> HttpURLConnection.java:1513)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> HttpURLConnection.java:1441)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
> HttpsURLConnectionImpl.java:254)
>     at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.invoke(
> JavaUrlHttpCommandExecutorService.java:97)
>     ... 91 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(
> PKIXValidator.java:387)
>     at sun.security.validator.PKIXValidator.engineValidate(
> PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(
> X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(
> X509TrustManagerImpl.java:229)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(
> X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(
> ClientHandshaker.java:1491)
>     ... 104 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.
> build(SunCertPathBuilder.java:141)
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
> SunCertPathBuilder.java:126)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     at sun.security.validator.PKIXValidator.doBuild(
> PKIXValidator.java:382)
>     ... 110 more
>