[
https://issues.apache.org/jira/browse/NETBEANS-3810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039181#comment-17039181
]
Michele Costabile edited comment on NETBEANS-3810 at 2/18/20 3:53 PM:
----------------------------------------------------------------------
Geertjan, I propose the following text
IF the certificate error is reported properly
Invalid certificate error downloading plugin, You should import your
corporate root CA in the trust store of your JDK installation.
ELSE
Unable to download plugin. You might have to import your corporate root CA
in the trust store of your JDK installation.
Perhaps the current JDK location could also be reported.
The long explanation might be this
{quote}NetBeans has settings for a proxy server, but no provision for
customizing TLS trust chains, therefore the effective settings are those which
are set in the JDK used by NetBeans, which is specified in your settings.
If you are behind a company proxy with deep inspection, certificates will be
forged to allow inspection by the proxy of secure traffic. Packets will be
open, inspected and repackaged with a different certificate. From your
workstation, pages downloaded on an https connection will apppear to be signed
by a company root certificate, rather than the original. Therefore, the trust
chain will be broken and secure connections which verify certificate trust
will break, unless you instruct the JDK to trust the signing certificate.
To do this, you should open any page with an https prefix with your favorite
browser, inspect the trust chain that appears close to the URL box, clicking on
a lock icon, or similar indication, then inspect your trust chain and download
the root certificate in .cer format.
Once you have the certificate, you should import it with
keytool -import -trustcacerts -alias companyRootCA -file <certificate file
name> -keystore <trusted store>
As of OpenJDK 11, the trusted store, on Windows, is in
"%JAVA_HOME%\lib\security\cacerts" on unix, in
${JAVA_HOME}/lib/security/cacerts". The default password is "changeit"
{quote}
The number one issue, however, should be to detect and report that the
connection breaks because of a trust problem, not any other random network
problem.
Hope this helps.
was (Author: mico):
Geertjan, I propose the following text
IF the certificate error is reported properly
Invalid certificate error downloading plugin, You should import your
corporate root CA in the trust store of your JDK installation.
ELSE
Unable to download plugin. You might have to import your corporate root CA
in the trust store of your JDK installation.
Perhaps the current JDK location could also be reported.
The long explanation might be this
{quote}NetBeans has settings for a proxy server, but no provision for
customizing TLS trust chains, therefore the effective settings are those which
are set in the JDK used by NetBeans, which is specified in your settings.
If you are behind a company proxy with deep inspection, certificates will be
forged to allow inspection by the proxy of secure traffic. Packets will be
repackaged with different certificates and from your workstation, pages seen on
an https connection will apppear to be signed by a company root certificate,
rather than the original. Therefore, the trust chain will be broken unless you
set your company certification authority certificate in the trusted roots. This
causes secure connections that verify certificate trust to break, unless you
instruct the JDK to trust the new certificate.
To do this, you should open any page with an https prefix with your favorite
browser, inspect the trust chain that appears close to the URL box, clicking on
a lock icon, or similar indication, then inspect your trust chain and download
the root certificate in .cer format.
Once you have the certificate, you should import it with
keytool -import -trustcacerts -alias companyRootCA -file <certificate file
name> -keystore <trusted store>
As of OpenJDK 11, the trusted store, on Windows, is in
"%JAVA_HOME%\lib\security\cacerts" on unix, in
${JAVA_HOME}/lib/security/cacerts". The default password is "changeit"
{quote}
The number one issue, however, should be to detect and report that the
connection breaks because of a trust problem, not any other random network
problem.
Hope this helps.
> Netbeans 11.3 does not report clearly certificate problems downloading javafx
> and nb-javac
> ------------------------------------------------------------------------------------------
>
> Key: NETBEANS-3810
> URL: https://issues.apache.org/jira/browse/NETBEANS-3810
> Project: NetBeans
> Issue Type: Bug
> Components: platform - Autoupdate
> Affects Versions: 11.3
> Environment: Windows 2016 server, Intel Xeon, 48G RAM.
> Network includes a proxy server with deep packet inspection and certificate
> rewriting.
> Reporter: Michele Costabile
> Assignee: Michele Costabile
> Priority: Minor
> Labels: documentation, newbie
> Fix For: 11.3
>
> Attachments: Netbeans-11.3_bug.PNG, Netbeans-11.3_plugin-problem.PNG,
> Netbeans-11.3_plugin.PNG
>
>
> NetBeans cannot get past installation of JavaFX and nb-javac on my
> installation behind a company firewall. This problem was also in 11.2, but it
> did not stop the IDE from working. It just kept on quietly asking for
> nb-javac installation.
> 11.3, on the other hand does not seem to get past this problem. It keeps on
> asking for installation of javafx and nb-javac and "Loading projects" never
> comes to an end.
> I tested my proxy setting in options and I have a green light with system
> settings and also with manual settings.
> In any case I have never been able to install nb-javac and could not find
> instructions on how to install manually the plugin.
> Note that my proxy has deep packet inspection and can create problems with
> certificate verification on SSL.
>
> EDIT: the request for installation is not an infinite loop. It appears to be
> once for every open project. Hitting cancel more times, the progress bar in
> the status bar eventually gets to 100%, but all the projects are reported
> broken.
>
> EDIT: as you can see from the comments below, it was really a problem with
> certificates. When you are behind a proxy with deep inspection, certificates
> are manipulated in such a way that you have to trust your company root
> certificate to avoid failure in trust chains.
> This becomes a NetBeans installation problem because:
> * Differently from other IDEs, NetBeans delegates everything to JDK, so it
> requires that the trust problem is solved in the JDK, not in the IDE
> preferences. The user should be able to find instructionsto resolve the
> problem
> * In 11.2 the IDE did not enter a loop waiting for nb'javac installation to
> validate projects. It just gave up, causing less problems
> * "Test connection" in proxy settings did not report certificate problems. A
> full https connection should be tested
> * The dialog box of nb-javac installation does not report certificate
> problems, it rather dies without warning and the installation is stuck with a
> progress bar at 100% and no notification other than "cannot resolve external
> references ..." This hides the problem
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
