You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@netbeans.apache.org by "Michele Costabile (Jira)" <ji...@apache.org> on 2020/02/18 15:51:00 UTC
[jira] [Comment Edited] (NETBEANS-3810) Netbeans 11.3 does not
report clearly certificate problems downloading javafx and nb-javac
[ https://issues.apache.org/jira/browse/NETBEANS-3810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039181#comment-17039181 ]
Michele Costabile edited comment on NETBEANS-3810 at 2/18/20 3:50 PM:
----------------------------------------------------------------------
Geertjan, I propose the following text
IF the certificate error is reported properly
Invalid certificate error downloading plugin, You should import your corporate root CA in the trust store of your JDK installation.
ELSE
Unable to download plugin. You might have to import your corporate root CA in the trust store of your JDK installation.
Perhaps the current JDK location could also be reported.
The long explanation might be this
{quote}NetBeans has settings for a proxy server, but no provision for customizing TLS trust chains, therefore the effective settings are those which are set in the JDK used by NetBeans, which is specified in your settings.
If you are behind a company proxy with deep inspection, certificates will be forged to allow inspection by the proxy of secure traffic. Packets will be repackaged with different certificates and from your workstation, pages seen on an https connection will apppear to be signed by a company root certificate, rather than the original. Therefore, the trust chain will be broken unless you set your company certification authority certificate in the trusted roots. This causes secure connections that verify certificate trust to break, unless you instruct the JDK to trust the new certificate.
To do this, you should open any page with an https prefix with your favorite browser, inspect the trust chain that appears close to the URL box, clicking on a lock icon, or similar indication, then inspect your trust chain and download the root certificate in .cer format.
Once you have the certificate, you should import it with
keytool -import -trustcacerts -alias companyRootCA -file <certificate file name> -keystore <trusted store>
As of OpenJDK 11, the trusted store, on Windows, is in "%JAVA_HOME%\lib\security\cacerts" on unix, in ${JAVA_HOME}/lib/security/cacerts". The default password is "changeit"
{quote}
The number one issue, however, should be to detect and report that the connection breaks because of a trust problem, not any other random network problem.
Hope this helps.
was (Author: mico):
Geertjan, I propose the following text
IF the certificate error is reported properly
Invalid certificate error downloading plugin, You should import your corporate root CA in the trust store of your JDK installation.
ELSE
Unable to download plugin. You might have to import your corporate root CA in the trust store of your JDK installation.
Perhaps the current JDK location could also be reported.
The long explanation might be this
{quote}NetBeans has settings for a proxy server, but no provision for customizing TLS trust chains, therefore the effective settings are those which are set in the JDK used by NetBeans, which specified in your settings.
If you are behind a company proxy with deep inspection, certificates will be forged to allow inspection by the proxy of secure traffic. Packets will be repackaged with different certificates and from your workstation, pages seen on an https connection will apppear to be signed by a company root certificate, rather than the original. Therefore, the trust chain will be broken unless you set your company certification authority certificate in the trusted roots. This causes secure connections that verify certificate trust to break, unless you instruct the JDK to trust the new certificate.
To do this, you should open any page with an https prefix with your favorite browser, inspect the trust chain that appears close to the URL box, clicking on a lock icon, or similar indication, then inspect your trust chain and download the root certificate in .cer format.
Once you have the certificate, you should import it with
keytool -import -trustcacerts -alias companyRootCA -file <certificate file name> -keystore <trusted store>
As of OpenJDK 11, the trusted store, on Windows, is in "%JAVA_HOME%\lib\security\cacerts" on unix, in ${JAVA_HOME}/lib/security/cacerts". The default password is "changeit"
{quote}
The number one issue, however, should be to detect and report that the connection breaks because of a trust problem, not any other random network problem.
Hope this helps.
> Netbeans 11.3 does not report clearly certificate problems downloading javafx and nb-javac
> ------------------------------------------------------------------------------------------
>
> Key: NETBEANS-3810
> URL: https://issues.apache.org/jira/browse/NETBEANS-3810
> Project: NetBeans
> Issue Type: Bug
> Components: platform - Autoupdate
> Affects Versions: 11.3
> Environment: Windows 2016 server, Intel Xeon, 48G RAM.
> Network includes a proxy server with deep packet inspection and certificate rewriting.
> Reporter: Michele Costabile
> Assignee: Michele Costabile
> Priority: Minor
> Labels: documentation, newbie
> Fix For: 11.3
>
> Attachments: Netbeans-11.3_bug.PNG, Netbeans-11.3_plugin-problem.PNG, Netbeans-11.3_plugin.PNG
>
>
> NetBeans cannot get past installation of JavaFX and nb-javac on my installation behind a company firewall. This problem was also in 11.2, but it did not stop the IDE from working. It just kept on quietly asking for nb-javac installation.
> 11.3, on the other hand does not seem to get past this problem. It keeps on asking for installation of javafx and nb-javac and "Loading projects" never comes to an end.
> I tested my proxy setting in options and I have a green light with system settings and also with manual settings.
> In any case I have never been able to install nb-javac and could not find instructions on how to install manually the plugin.
> Note that my proxy has deep packet inspection and can create problems with certificate verification on SSL.
>
> EDIT: the request for installation is not an infinite loop. It appears to be once for every open project. Hitting cancel more times, the progress bar in the status bar eventually gets to 100%, but all the projects are reported broken.
>
> EDIT: as you can see from the comments below, it was really a problem with certificates. When you are behind a proxy with deep inspection, certificates are manipulated in such a way that you have to trust your company root certificate to avoid failure in trust chains.
> This becomes a NetBeans installation problem because:
> * Differently from other IDEs, NetBeans delegates everything to JDK, so it requires that the trust problem is solved in the JDK, not in the IDE preferences. The user should be able to find instructionsto resolve the problem
> * In 11.2 the IDE did not enter a loop waiting for nb'javac installation to validate projects. It just gave up, causing less problems
> * "Test connection" in proxy settings did not report certificate problems. A full https connection should be tested
> * The dialog box of nb-javac installation does not report certificate problems, it rather dies without warning and the installation is stuck with a progress bar at 100% and no notification other than "cannot resolve external references ..." This hides the problem
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@netbeans.apache.org
For additional commands, e-mail: commits-help@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists