Hi Arvind,

Thank you very much for the advice.

JAVA_HOME is not set. And I am not able to see (after a lot of googling)
how I can install "jrunscript" or run it.

Since the issue seems to be confusing, I did a clean install of GoCD.

go]# keytool -list -v -keystore keystore -storepass serverKeystorepa55w0rd
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: cruise
Creation date: Oct 24, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: OU=Cruise server webserver certificate, CN=nl-ams02c-ispctl02.aorta.net
Issuer: OU=Cruise server webserver certificate, CN=nl-ams02c-ispctl02.aorta.net
Serial number: 5ea8c241be3
Valid from: Thu Jan 01 01:00:00 CET 1970 until: Tue Oct 24 19:29:50 CEST 2028
Certificate fingerprints:
        MD5:  38:EE:4A:E3:5D:91:24:A7:44:0F:01:E2:34:C7:18:93
        SHA1: 10:9B:AA:43:D8:11:42:49:C2:84:32:70:FB:6D:1D:0E:1F:26:D8:6A
        SHA256: 51:D8:E3:6C:C3:17:39:A8:FE:AB:0E:FB:C0:13:31:1D:04:2F:51:F8:AC:84:80:4B:C8:AC:35:96:8E:40:AE:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************


Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12".

What is different in my case compared to what is described in
https://docs.gocd.org/current/installation/ssl_tls/custom_server_certificate.html
is that the CA cert is used to make sure the (LDAP) server is presenting the right
cert before I send my credentials to it.
All we need to do is to import the cacert into the keystore:

keytool -importkeystore -srckeystore uim.ip-spotlight.pem -srcstoretype PKCS12 -destkeystore keystore -srcalias 1 -destalias cruise -deststorepass serverKeystorepa55w0rd -destkeypass serverKeystorepa55w0rd
Importing keystore uim.ip-spotlight.pem to keystore...
Enter source keystore password:
keytool error: java.io.IOException: toDerInputStream rejects tag type 45

Taking a step back: can you advise what the exact command is to import the
cacert into the keystore, in order for the connection to LDAP to work?
This is not described in the docs.

In non-java apps, you just point to the certificate and it works.



On Wednesday, October 24, 2018 at 5:31:38 PM UTC+2, Aravind SV wrote:
>
> On Wed, Oct 24, 2018 at 12:43:06 +0200, Nikos Skalis wrote: 
> > Seems to make progress, but now am getting a different error: 
> > 
> > Caused by: javax.net.ssl.SSLHandshakeException: 
> > sun.security.validator.ValidatorException: PKIX path building failed: 
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> > valid certification path to requested target 
>
> It's still a problem with the certificates and the chain. Still nothing to 
> do with GoCD directly. 
>
> What is the output of the command I mentioned last time? 
>
> --- --- --- 
>   jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("LDAP_SERVER_URL_YOU_ARE_USING", 636).startHandshake())' 
> --- --- --- 
>
>
> You can find out the certificates you have in your cacerts by doing this: 
>
> --- --- --- 
>   echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name 
> cacerts) | grep 'Owner:' 
> --- --- --- 
>
>
> You can then find the cert chain used by your LDAP server by doing this: 
>
> --- --- --- 
>   openssl s_client -connect LDAP_SERVER_URL_YOU_ARE_USING:636 | sed -n 
> '/Certificate chain/,/^---/p' 
> --- --- --- 
>
>
> The certs in the chain (especially the last one in that chain) will need 
> to be in the list returned by keytool. My guess is that it's not. 
>
>
> As an example, google.com's root cert is not in my cacerts and so, Java 
> is unable to connect to google.com, for me: 
>
> --- --- --- 
>   $ openssl s_client -connect google.com:443 | sed -n '/Certificate 
> chain/,/^---/p' 
>   Certificate chain 
>    0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com 
>      i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3 
>    1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3 
>      i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign 
>   --- 
>   
>   $ echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name 
> cacerts) | grep 'Owner:' | grep GlobalSign 
>   # Returns no matches. 
>   
>   $ jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("google.com", 443).startHandshake())' 
>   java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target 
>     at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:531) 
>     at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:448) 
>     at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:405) 
>     ... 
> --- --- --- 
>
> If I add that root cert, the one named GlobalSign, I'm sure Java will be 
> able to connect. 
>
> Cheers, 
> Aravind 
>   
> PS: Make sure you're using the same Java version for GoCD that you're 
> running locally (for JAVA_HOME, keytool, jrunscript, etc) 
>
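The two checks this thread turns on, as an added example written for this page (it is not code from the thread, from Aravind, or from GoCD): first, the comparison Aravind describes between the chain printed by `openssl s_client` and the `Owner:` lines printed by `keytool -list -v`, automated so that the missing trust anchor is named instead of guessed; second, a one-byte sniff of the file handed to keytool, which explains the `toDerInputStream rejects tag type 45` error above (a PKCS12/DER store starts with 0x30, while a PEM file starts with `-----BEGIN`, and `-` is byte 45). The openssl chain is the google.com output quoted above; the keytool listing, the file names, the alias and all function names are constructed for the example. Which truststore the GoCD JVM consults is not settled by the thread; the commands quoted above inspect the JDK's `cacerts`, which is the JVM default.

```python
"""Added example: check a server's chain against a Java truststore listing,
and classify the file given to keytool. Not code from the thread or GoCD."""
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Sample input 1: the google.com chain quoted in the thread (copied, not live).
OPENSSL_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
"""

# Sample input 2: constructed `keytool -list -v ... | grep 'Owner:'` output.
TRUSTSTORE_WITHOUT_ROOT = """\
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
"""
TRUSTSTORE_WITH_ROOT = TRUSTSTORE_WITHOUT_ROOT + \
    "Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2\n"

# A distinguished name as an order-independent set of (attribute, value) pairs,
# because openssl and keytool print the same DN in opposite orders.
DN = FrozenSet[Tuple[str, str]]


def _pairs(parts: List[str]) -> DN:
    pairs = []
    for p in parts:
        attr, _, value = p.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return frozenset(pairs)


def dn_from_openssl(text: str) -> DN:
    """'/C=US/O=Foo/CN=Bar' (openssl legacy format; values must not contain '/')."""
    return _pairs([p for p in text.strip().split("/") if p])


def dn_from_keytool(text: str) -> DN:
    """'CN=Bar, O=Foo, C=US' (keytool format; values must not contain ',')."""
    return _pairs([p for p in text.split(",") if p.strip()])


def parse_chain(text: str) -> List[Dict[str, DN]]:
    """Pick the 's:' (subject) and 'i:' (issuer) lines out of s_client output."""
    chain: List[Dict[str, DN]] = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m:
            chain.append({"subject": dn_from_openssl(m.group(1))})
            continue
        m = re.match(r"\s*i:(.*)", line)
        if m and chain:
            chain[-1]["issuer"] = dn_from_openssl(m.group(1))
    return chain


def parse_truststore(text: str) -> List[DN]:
    return [dn_from_keytool(l.split("Owner:", 1)[1])
            for l in text.splitlines() if "Owner:" in l]


def missing_anchor(chain_text: str, truststore_text: str) -> Optional[DN]:
    """Return the DN the truststore lacks, or None if the path can be built.

    PKIX path building succeeds once it reaches a certificate that is itself
    trusted, or whose issuer is. The usual gap is the issuer of the last cert
    the server sends, the root, which is the one Aravind points at."""
    chain = parse_chain(chain_text)
    if not chain:
        raise ValueError("no 'Certificate chain' entries found in input")
    trusted = set(parse_truststore(truststore_text))
    for cert in chain:
        if cert["subject"] in trusted or cert.get("issuer") in trusted:
            return None
    return chain[-1].get("issuer", chain[-1]["subject"])


def sniff_cert_file(data: bytes) -> str:
    """Classify a file by its first byte, the way keytool's DER reader sees it.

    '-srcstoretype PKCS12' expects DER, whose first byte is 0x30 (an ASN.1
    SEQUENCE). A PEM file starts with '-----BEGIN', and '-' is 0x2D = 45:
    that is the 'toDerInputStream rejects tag type 45' seen in the thread."""
    if data.startswith(b"-----BEGIN"):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def suggest_import(path: str, data: bytes, keystore: str, alias: str) -> str:
    """keytool command for adding a CA certificate as a trustedCertEntry.

    A lone CA cert (PEM or DER) is not a keystore, so -importkeystore is the
    wrong verb; -importcert reads a certificate file directly."""
    if sniff_cert_file(data) == "unknown":
        raise ValueError(f"{path}: neither PEM nor DER, refusing to guess")
    return (f"keytool -importcert -trustcacerts -alias {alias} "
            f"-file {path} -keystore {keystore}")


if __name__ == "__main__":
    gap = missing_anchor(OPENSSL_CHAIN, TRUSTSTORE_WITHOUT_ROOT)
    print("missing trust anchor:", dict(gap) if gap else None)
    print(suggest_import("ca.pem", b"-----BEGIN CERTIFICATE-----\n", "cacerts", "ldap-root"))
```

Run it with the real outputs saved to files (`openssl s_client -connect HOST:636 </dev/null > chain.txt`, `keytool -list -v -keystore "$(find "$JAVA_HOME" -name cacerts)" | grep 'Owner:' > owners.txt`) and pass their contents to `missing_anchor`. The suggested `keytool -importcert` command deliberately leaves out `-noprompt`: keytool prints the certificate's fingerprint and asks whether to trust it, and that fingerprint should be compared against the one the LDAP administrator publishes before answering yes.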

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
