Community
Participate
Working Groups
When using the Install New software feature for eclipse 3.6, and trying to access a P2 repository that is using HTTPs with a Self-Signed certificate, P2 refuses to install any components. It would be nice to have P2 either Prompt to install the certificate, or have an option on the command line to have P2 automatically install self signed certificates if specified. In many cases it would be helpful as well if P2 looked in the existing eclipse certificate store to see if that certificate has already been accepted.
Here's an example, trying to install pydev from the command line. Command-line arguments: -os linux -ws gtk -arch x86 -D osgi.support.signature.verify=false -consolelog -application org.eclipse.equinox.p2.director -repository http://pydev.org/updates,http://download.eclipse.org/releases/helios -installiu org.python.pydev.feature.feature.group !ENTRY org.eclipse.equinox.p2.engine 8 0 2010-10-28 16:59:27.828 !MESSAGE One or more certificates rejected. Cannot proceed with installation.
*** This bug has been marked as a duplicate of bug 215929 ***
These comments are in response to Ian's questions on p2 dev list: http://dev.eclipse.org/mhonarc/lists/p2-dev/msg05164.html I'm moderately sure p2 will check the existing "Java store" (or even system store) for trusted certs, have you tried with recent versions of p2? I ask this, just because of other bugs I vaguely recall where at first that wasn't working right. And fixed in Juno, I believe. And, if not that, I think there are "external" parameters that can be used to tell any client which store to use? I've never done any of this myself, and its reasonable to ask for an easy way to do it ... like browsers to .... but ... some simple searches appear to show "how to" do it ... rather than disable the function, as Ian asks in his post. Such as https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/ch15s02s02.html or http://blogs.adobe.com/livecycle/2012/04/rights-management-how-to-get-windows-7-to-trust-a-self-signed-server-certificate.html But, again, not speaking from experience.
(In reply to comment #3) > I'm moderately sure p2 will check the existing "Java store" (or even system > store) for trusted certs, have you tried with recent versions of p2? I ask > this, just because of other bugs I vaguely recall where at first that wasn't > working right. And fixed in Juno, I believe. > > And, if not that, I think there are "external" parameters that can be used > to tell any client which store to use? > > I've never done any of this myself, and its reasonable to ask for an easy > way to do it ... like browsers to .... but ... some simple searches appear > to show "how to" do it ... rather than disable the function, as Ian asks in > his post. > Thank-you David. I think this demonstrates my lack of experience in this area as I assumed that when I 'proceed' to a site with a self signed certificate, I was simply disabling the validation for that site. Yes, importing the self signed certificate into a local store seems like a bunch better approach. The hardest part about searching is knowing what to search for ;-). I will try this out and if it works, I think I have the next topic for my blog post. Thanks again.
