infra-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Takamori (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-13702) issues.apache.org serving problematic certificate
Date Sat, 18 Mar 2017 17:10:42 GMT

    [ https://issues.apache.org/jira/browse/INFRA-13702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15931283#comment-15931283
] 

Daniel Takamori commented on INFRA-13702:
-----------------------------------------

Solved in: https://git-wip-us.apache.org/repos/asf?p=infrastructure-puppet.git;a=commit;h=2ad33a7fa1d9d825b317172979df02bd72ec974c

The infrahelp.a.o redirect didn't include a cert, so openssl/ java was picking up that and
reporting a selfsigned cert.  Browsers didn't have a problem since they knew which cert chain
to look for.

> issues.apache.org serving problematic certificate
> -------------------------------------------------
>
>                 Key: INFRA-13702
>                 URL: https://issues.apache.org/jira/browse/INFRA-13702
>             Project: Infrastructure
>          Issue Type: Bug
>          Components: JIRA
>            Reporter: Richard Eckart de Castilho
>            Assignee: Daniel Takamori
>
> All of a sudden the maven-changes-plugin on my machine fails with a certificate validation
exception:
> {noformat}
> Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://issues.apache.org/jira/rest/api/2/serverInfo:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
> {noformat}
> Checking the SSL handshake with issues.apache.org using
> {noformat}
> $ openssl s_client -showcerts -connect issues.apache.org:443
> {noformat}
> from different hosts always yields the same type of result: the certificate returned
by issues.a.o seems to be classified as being self-signed:
> {noformat}
> CONNECTED(00000003)
> depth=0 /CN=jira-lw-us
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /CN=jira-lw-us
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=jira-lw-us
>    i:/CN=jira-lw-us
> -----BEGIN CERTIFICATE-----
> MIICujCCAaKgAwIBAgIJAIQUx5OwkJLaMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV
> BAMMCmppcmEtbHctdXMwHhcNMTcwMTEyMTE1NzA4WhcNMjcwMTEwMTE1NzA4WjAV
> MRMwEQYDVQQDDApqaXJhLWx3LXVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
> CgKCAQEAtFIuQNLUvM+v8uDZGSqQcStVXvCqtiwZpY60m559SS5KDYJM/dpkwdeS
> eJt52V30WunzADfIddEL1t5n5rLdFHXB13SVUcse7cNEBL3IpqZiOT6hj2Z9z+MT
> UePyxAG1w25YANDa9zq0pcMc3Vu/cL7HATvPnliqURMqg2b462nUJST/Kn4XJblz
> cIRCXBdChA/ao6y8xeKZPOfgLkNF1OlOsWis2m+pn4BeWx9zCOb6Sb6Hze3i9qPh
> Frs+awYRtQDFs6cXF/H7dxRFXdYCoI6xbqJ9ksfYawL7FZf/E54jK/EW3+3i+sHX
> wHwisDj0ZX32ArihKeAqiLI7hN2IvwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqG
> SIb3DQEBCwUAA4IBAQCEaHvm3NFzGp4EMNChiTrcXTFTvDBYS4AIgsgWhWGp6EMW
> C4IUFX7VY0ceBdGH9Ox0C5kC4JZ3W92VH4/APiOWATfFfv7Tzz0n9P7laFhsiVd2
> BWnFPbXSRRKtHTusi+AnvMRo3DZUD1EvMBKxLlzs7gQOW9v0FNfBEYoUrXy/ApNk
> LkajzR/HKAzITNzAdjL76e/+3jfemFzjdp/sYLt4mLbeQ+gfpm8y+l0Jbb1DzImV
> WcMVu6FTZgUj1Oy55QLUGBSJOGihO05FttGK9QyU+oRtCRnXWMhXZ4ArUaH9SqsF
> 338abyk63EVHCGcWdV2yK9UqMHglEqlYsCTwAoR1
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/CN=jira-lw-us
> issuer=/CN=jira-lw-us
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1657 bytes and written 456 bytes
> {noformat}
> Interestingly, Safari does not complain when accessing JIRA's web interface.
> But still, this is strange and something seems to be set up in a wrong way on the server.
Would be great if you could look into this.
> I know that can simply import the cert into my Java keystore to make this work for me
- but that's actually not the problem. The problem is that this should be working without
any manual intervention. It has done so in the past.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message