Bugzilla – Full Text Bug Listing
| Summary: | unable to find valid certification path to requested target | ||
|---|---|---|---|
| Product: | [Technology] EGit | Reporter: | Christian Haeussler <christian.haeussler> |
| Component: | GitHub | Assignee: | Project Inbox <egit.github-inbox> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | P3 | CC: | christian.haeussler, christian.halstrick, christian.halstrick, david_kane, matthias.sohn, neylorsousa |
| Version: | 3.6 | ||
| Target Milestone: | 4.0 | ||
| Hardware: | PC | ||
| OS: | Windows 7 | ||
| See Also: |
https://git.eclipse.org/r/44691 https://git.eclipse.org/c/egit/egit.git/commit/?id=8f24faba297f19807ea308090aac06a5d1135e79 |
||
| Whiteboard: | |||
|
Description
Christian Haeussler
Have you tried to set http.sslverify to false? If you like command line then execute "git config --global http.sslverify false". Or in Eclipse goto Preferences->Team->Git->Configuration->User Settings and add the same entry. Yes, this Option is set: http.sslverify=false Clone from GitHub URL still working! Connect with mylyn to GitHub failed! then I need the long stacktrace to see whether it's really jgit/egit or some other communication triggerd by mylyn. When you say "Clone from GitHub URL still working" does this mean that cloning with egit with the github url works? (Or did you try to clone with the github url and native git) Yes, cloning with egit with the github url works! Here the long stacktrace: eclipse.buildId=4.3.0.M20130911-1000 java.version=1.7.0_15 java.vendor=Oracle Corporation BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=de_DE Framework arguments: -product org.eclipse.epp.package.java.product Command-line arguments: -os win32 -ws win32 -arch x86_64 -product org.eclipse.epp.package.java.product Error Thu Jan 08 13:42:08 CET 2015 Unexpected error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Unknown Source) at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at java.net.HttpURLConnection.getResponseCode(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source) at org.eclipse.egit.github.core.client.GitHubClient.get(GitHubClient.java:733) at org.eclipse.egit.github.core.client.PageIterator.next(PageIterator.java:173) at org.eclipse.egit.github.core.service.GitHubService.getAll(GitHubService.java:151) at org.eclipse.egit.github.core.service.GitHubService.getAll(GitHubService.java:135) at org.eclipse.egit.github.core.service.LabelService.getLabels(LabelService.java:90) at org.eclipse.egit.github.core.service.LabelService.getLabels(LabelService.java:79) at org.eclipse.mylyn.internal.github.core.issue.IssueConnector.refreshLabels(IssueConnector.java:146) at org.eclipse.mylyn.internal.github.core.issue.IssueConnector.updateRepositoryConfiguration(IssueConnector.java:409) at org.eclipse.mylyn.internal.tasks.core.sync.UpdateRepositoryConfigurationJob.run(UpdateRepositoryConfigurationJob.java:46) at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 23 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 29 more If you want to import from github with File -> Import -> Git -> Repositories from GitHub then you get the following error: Error searching repositories: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target What happens if you set http.sslverify=true and then you try to clone from git with plain egit. I guess this fails with a similar exception, right? The thing is that standard EGit/JGit understand the configuration parameter http.sslverify and whenever they open https connections they configure it accordingly. But the code from the optional component GitHub from /home/chris/git/egit-github/.git doesn't do the same. Here https connection are opened and used without looking at http.sslverify. That's a bug which should definitly be fixed. What happens if you set http.sslverify=true and then you try to clone from git with plain egit. I guess this fails with a similar exception, right? The thing is that standard EGit/JGit understand the configuration parameter http.sslverify and whenever they open https connections they configure it accordingly. But the code from the optional component GitHub from /home/chris/git/egit-github/.git doesn't do the same. Here https connection are opened and used without looking at http.sslverify. That's a bug which should definitly be fixed. Exactly, this error must be fixed in any case. I think I found another variant of this bug. I see the error when I am trying to clone a repository over https from a repository that is using a self-signed certificate. As in scenario described before, the jgit component is acting on the sslVerify property, but the egit portion is not. (i.e. I can see the branches from the remote repository when it the sslVerify property is set to false, it seems to go through most of the cloning process) I see the same exception propagating, but the source seems a little different. I observed the error in version 3.7, but not in 3.6. The line triggering this variant of the exception looks like it was just introduced: https://github.com/eclipse/egit/commit/c894996fb6177a4868456e84bf248ed8bd24773f#diff-973a5ba2b298c8239937c8231f1cd64f In both cases however, there does not appear to be visibility or response to the sslVerify property. org.eclipse.core.runtime.CoreException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at org.eclipse.egit.core.op.ConfigureGerritAfterCloneTask.execute(ConfigureGerritAfterCloneTask.java:89) at org.eclipse.egit.core.op.CloneOperation.run(CloneOperation.java:161) at org.eclipse.egit.ui.internal.clone.AbstractGitCloneWizard.executeCloneOperation(AbstractGitCloneWizard.java:442) at org.eclipse.egit.ui.internal.clone.AbstractGitCloneWizard.access$2(AbstractGitCloneWizard.java:435) at org.eclipse.egit.ui.internal.clone.AbstractGitCloneWizard$6.run(AbstractGitCloneWizard.java:414) at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Unknown Source) at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at java.net.HttpURLConnection.getResponseCode(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source) at org.eclipse.egit.core.op.ConfigureGerritAfterCloneTask.isGerrit(ConfigureGerritAfterCloneTask.java:138) at org.eclipse.egit.core.op.ConfigureGerritAfterCloneTask.execute(ConfigureGerritAfterCloneTask.java:83) ... 5 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 20 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 26 more David, I think you are right. In contrast to the first issue which was at least in an optional EGit component your variant is in core EGit. Again the same issue: we are opening a https connection and use it without configuring it according to the git configuration like we would do if we push/fetch over https. Definitely we should fix it. Uploaded the first fix for Davids variant at https://git.eclipse.org/r/44691 (In reply to Christian Halstrick from comment #11) > Uploaded the first fix for Davids variant at https://git.eclipse.org/r/44691 merged as http://git.eclipse.org/c/egit/egit.git/commit/?id=8f24faba297f19807ea308090aac06a5d1135e79 fix was merged How is the new version? http://download.eclipse.org/egit/github/updates-nightly/ (In reply to Christian Haeussler from comment #14) > How is the new version? > http://download.eclipse.org/egit/github/updates-nightly/ this patch is contained in branches stable-4.0 and master, find the corresponding builds here: stable-4.0: http://download.eclipse.org/egit/updates-stable-nightly/ master: http://download.eclipse.org/egit/updates-nightly/ I tried it with the nightly stable build, and it seemed to be working for me. Thanks! But here is only version 3.6.0: http://download.eclipse.org/egit/github/updates-nightly/ In EGit 4.0. I see no github connector... I missed to update this site, will do this later today. In the meantime you can update to 4.0 from http://download.eclipse.org/egit/github/updates-4.0 and to 4.0.1 from http://download.eclipse.org/egit/github/updates-4.0.1 Hi, I'm using Ubuntu 15.10 with the last Eclipse Mars version and OpenJDK 1.8.0_66. Git Team Provider and GitHub integration versions: 4.1.0.201509280440-r The git clone was possible because I configured the http.sslverify entry to false, but the Github Mylyn Connector launch the error below. I have tried import the GITHUB's certificate to cacerts of the JDK, but the problem persists. !ENTRY org.eclipse.epp.logging.aeri.ui 2 29 2015-10-30 00:40:58.362 !MESSAGE Startup failed, AERI is disabled until next restart. Version: 1.0.1.v20150913-0716 !STACK 0 java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.google.common.base.Throwables.propagate(Throwables.java:160) at org.eclipse.epp.internal.logging.aeri.ide.Startup.initializeServerAndConfiguration(Startup.java:219) at org.eclipse.epp.internal.logging.aeri.ide.Startup.access$4(Startup.java:201) at org.eclipse.epp.internal.logging.aeri.ide.Startup$1.run(Startup.java:98) at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:290) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:259) at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) at org.apache.http.client.fluent.Executor.execute(Executor.java:206) at org.eclipse.epp.internal.logging.aeri.ui.v2.AeriServer.request(AeriServer.java:57) at org.eclipse.epp.internal.logging.aeri.ui.v2.AeriServer.refreshConfiguration(AeriServer.java:73) at org.eclipse.epp.internal.logging.aeri.ide.Startup.initializeServerAndConfiguration(Startup.java:211) ... 3 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ... 26 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 32 more |