1dev/agent cannot trust self-signed certificate (OD-2239)
conpocutmeo opened 1 year ago
Hello Onedev team,
I'm re-deploying Remote Docker Executor with 1dev/agent.

I deploy 1dev/server with a local domain and a self-signed certificate.
When I deploy 1dev/agent after that, I also include the cert in my docker-compose file like this:
services:
    runner:
        image: 1dev/agent
        hostname: onedev-runner-local
        container_name: onedev-runner
        tty: true
        environment:
          - serverUrl=https://onedev.local
          - agentToken=45e56e5f-04dd-4188-91a7-9817461ce931
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - ./agent/work:/agent/work
          - ./agent/conf/trust-certs:/agent/conf/trust-certs
        restart: always
        
But when I create executor and test, I get this error:
java.lang.RuntimeException: java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at io.onedev.server.job.DefaultJobManager.runJob(DefaultJobManager.java:1331)
    	at io.onedev.server.job.DefaultResourceAllocator.runAgentJob(DefaultResourceAllocator.java:321)
    	at io.onedev.server.plugin.executor.remotedocker.RemoteDockerExecutor.test(RemoteDockerExecutor.java:200)
    	at io.onedev.server.plugin.executor.remotedocker.RemoteDockerExecutor.test(RemoteDockerExecutor.java:32)
    	at io.onedev.server.web.page.admin.buildsetting.jobexecutor.JobExecutorEditPanel$3.runTask(JobExecutorEditPanel.java:205)
    	at io.onedev.server.web.component.taskbutton.TaskButton$2.call(TaskButton.java:159)
    	at io.onedev.server.web.component.taskbutton.TaskButton$2.call(TaskButton.java:132)
    	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    	at io.onedev.server.security.SecurityUtils.lambda$inheritSubject$1(SecurityUtils.java:524)
    	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    	at java.base/java.lang.Thread.run(Thread.java:829)
    Caused by: java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
    	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
    	at com.hazelcast.executor.impl.DistributedExecutorService$Processor.run(DistributedExecutorService.java:278)
    	at com.hazelcast.internal.util.executor.CachedExecutorServiceDelegate$Worker.run(CachedExecutorServiceDelegate.java:217)
    	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    	at java.base/java.lang.Thread.run(Thread.java:829)
    	at com.hazelcast.internal.util.executor.HazelcastManagedThread.executeRun(HazelcastManagedThread.java:76)
    	at com.hazelcast.internal.util.executor.HazelcastManagedThread.run(HazelcastManagedThread.java:111)
    Caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:270)
    	at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:300)
    	at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:662)
    	at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:697)
    	at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:691)
    	at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    	at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    	at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
    	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
    	at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:691)
    	at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:661)
    	at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:413)
    	at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:313)
    	at io.onedev.agent.AgentSocket.lambda$testDockerExecutor$4(AgentSocket.java:893)
    	at io.onedev.agent.DockerExecutorUtils.callWithDockerConfig(DockerExecutorUtils.java:474)
    	at io.onedev.agent.AgentSocket.testDockerExecutor(AgentSocket.java:869)
    	at io.onedev.agent.AgentSocket.service(AgentSocket.java:979)
    	at io.onedev.agent.AgentSocket.lambda$onMessage$2(AgentSocket.java:212)
    	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    	at java.base/java.lang.Thread.run(Thread.java:829)
    Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:366)
    	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
    	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:304)
    	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
    	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
    	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
    	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:189)
    	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511)
    	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
    	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
    	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
    	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:580)
    	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:201)
    	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1628)
    	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1556)
    	at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
    	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:334)
    	at org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:380)
    	at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:268)
    	... 20 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
    	... 39 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
    	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
    	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    	... 45 more
    
As far as I know, this is because the keystore does not recognize that cert. So I have to exec into the 1dev/agent container and run this command:
keytool -import -trustcacerts -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias onedev-local -file /agent/conf/trust-certs/onedev-local.crt
After that the executor test is okay.
Is that a bug or something? I don't want to re-run this command every time I restart the container :)
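The manual `keytool -import` above has to be repeated whenever the container is recreated because it writes into the JVM's `cacerts` inside the container filesystem. As an added example (not OneDev's own code), the following entrypoint wrapper makes the same import idempotent and runs it before the agent starts: it derives an alias from each certificate file name, imports only aliases not already present, and imports only the specific certificates mounted under the trust directory rather than weakening TLS verification. It assumes the `cacerts` path and `/agent/conf/trust-certs` mount shown in the issue (both overridable via environment variables); the `run` subcommand is a convention invented here.

```shell
#!/bin/sh
# Idempotent import of mounted certificates into the JVM truststore.
# Added example, not OneDev's code. Paths default to those in the issue.
set -eu

TRUST_CERTS_DIR="${TRUST_CERTS_DIR:-/agent/conf/trust-certs}"
CACERTS="${CACERTS:-/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # default JDK truststore password

# Derive a keystore alias from a certificate file name:
# /agent/conf/trust-certs/onedev-local.crt -> onedev-local
cert_alias() {
    base="${1##*/}"
    printf '%s\n' "${base%.*}"
}

# True when an entry with this alias already exists in the truststore.
alias_present() {
    keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" \
        -alias "$1" >/dev/null 2>&1
}

# Import one PEM/DER certificate unless its alias is already present,
# so repeated container starts do not fail on a duplicate alias.
import_cert() {
    a="$(cert_alias "$1")"
    if alias_present "$a"; then
        echo "trust: $a already present, skipping"
    else
        keytool -importcert -trustcacerts -noprompt \
            -keystore "$CACERTS" -storepass "$STOREPASS" \
            -alias "$a" -file "$1"
        echo "trust: imported $a from $1"
    fi
}

# Import every *.crt in the trust directory; a missing or empty
# directory is not an error (no self-signed server to trust).
import_all_trust_certs() {
    for f in "$TRUST_CERTS_DIR"/*.crt; do
        [ -f "$f" ] || continue
        import_cert "$f"
    done
}

# Entrypoint usage (hypothetical): trust-certs.sh run <agent command...>
case "${1:-}" in
    run) shift; import_all_trust_certs; exec "$@" ;;
esac
```

Set it as the container's entrypoint in front of the agent's normal start command so the import happens on every start, including after `restart: always` recreates the container.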
  • conpocutmeo commented 1 year ago

    Please check this:

    https://docs.onedev.io/administration-guide/trust-self-signed-certificates

    I read this part and I'm sure that all the conditions were satisfied, but when I test the executor it always shows the error I posted above.

  • Robin Shen commented 1 year ago

    Please list detailed steps you are doing (from installing server/agent, setting up reverse proxy and self-signed certificates, and configuring the agent to trust the cert), and I will check what might be the problem.

  • conpocutmeo commented 1 year ago

    Please list detailed steps you are doing (from installing server/agent, setting up reverse proxy and self-signed certificates, and configuring the agent to trust the cert), and I will check what might be the problem.

    The test when creating the executor fails, but it can still run processes in the pipeline.
  • conpocutmeo changed state to 'Closed' 12 months ago
    Previous Value: Open
    Current Value: Closed
Type: Question
Priority: Normal
Assignee: (none)
Labels: No labels
Issue Votes: 0
Watchers: 2
Reference: OD-2239