Agent trust-certs not honored when test the executor #2772
Alejandro Oton Garcia opened 1 month ago

This issue is similar to OD-2239 but OP closed it for some reason.

In my environment, we have an internal PKI. I followed the instructions here. My docker-compose is as follows:

services:
  onedev-agent:
    image: 1dev/agent
    container_name: onedev-agent
    hostname: onedev-agent
    tty: true
    env_file:
      - .env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./agent/work:/agent/work
      - ./agent/conf/trust-certs:/agent/conf/trust-certs
    restart: unless-stopped

In ./agent/conf/trust-certs I have the following:

agent
├── conf
│   └── trust-certs
│       ├── ca01_2036.crt
│       ├── subca01_2031.crt
│       └── subca02_2031.crt

I can verify that the agent actually connects to the OneDev server just fine; the container logs show:

--> Wrapper Started as Console
Java Service Wrapper Standard Edition 64-bit 3.5.51
  Copyright (C) 1999-2022 Tanuki Software, Ltd. All Rights Reserved.
    http://wrapper.tanukisoftware.com
  Licensed to OneDev for Service Wrapping

Launching a JVM...
WrapperManager: Initializing...
22:15:40 INFO  io.onedev.agent.Agent - Cleaning temp directory...
22:15:40 INFO  io.onedev.agent.Agent - Connecting to https://git.domain.com...
22:15:40 INFO  io.onedev.agent.Agent - Connecting to https://git.domain.com...
22:15:40 INFO  io.onedev.agent.AgentSocket - Connected to server

However, if I try to test the job executor from the OneDev server I get the following error:

Please wait...
  Pending resource allocation...
  Testing on agent 'onedev-agent'...
  Connecting to server 'https://git.domain.com'...
  java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed:
  sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at io.onedev.server.ee.clustering.DefaultClusterService.getResult(DefaultClusterService.java:330)
          at io.onedev.server.ee.clustering.DefaultClusterService.runOnServer(DefaultClusterService.java:336)
          at io.onedev.server.service.impl.DefaultResourceService.runAgentJob(DefaultResourceService.java:326)
          at io.onedev.server.plugin.executor.remotedocker.RemoteDockerExecutor.test(RemoteDockerExecutor.java:205)
          at io.onedev.server.plugin.executor.remotedocker.RemoteDockerExecutor.test(RemoteDockerExecutor.java:37)
          at io.onedev.server.web.component.taskbutton.TestButton.runTask(TestButton.java:127)
          at io.onedev.server.web.component.taskbutton.TaskButton$2.call(TaskButton.java:163)
          at io.onedev.server.web.component.taskbutton.TaskButton$2.call(TaskButton.java:132)
          at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
          at io.onedev.server.security.SecurityUtils.lambda$inheritSubject$1(SecurityUtils.java:648)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
          at java.base/java.lang.Thread.run(Thread.java:1583)
      Caused by: java.util.concurrent.ExecutionException: java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed:
  sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396)
          at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2073)
          at io.onedev.server.ee.clustering.DefaultClusterService.getResult(DefaultClusterService.java:325)
          ... 12 more
      Caused by: java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
  path to requested target
          at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
          at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
          at com.hazelcast.executor.impl.DistributedExecutorService$Processor.run(DistributedExecutorService.java:278)
          at com.hazelcast.internal.util.executor.CachedExecutorServiceDelegate$Worker.run(CachedExecutorServiceDelegate.java:217)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
          at java.base/java.lang.Thread.run(Thread.java:1583)
          at com.hazelcast.internal.util.executor.HazelcastManagedThread.executeRun(HazelcastManagedThread.java:76)
          at com.hazelcast.internal.util.executor.HazelcastManagedThread.run(HazelcastManagedThread.java:111)
      Caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:270)
          at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:300)
          at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:662)
          at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:697)
          at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:691)
          at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
          at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
          at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
          at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
          at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:691)
          at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:661)
          at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:413)
          at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:313)
          at io.onedev.agent.AgentSocket.lambda$testDockerExecutor$4(AgentSocket.java:918)
          at io.onedev.agent.AgentUtils.callWithDockerConfig(AgentUtils.java:499)
          at io.onedev.agent.AgentUtils.callWithRegistryLogins(AgentUtils.java:512)
          at io.onedev.agent.AgentSocket.testDockerExecutor(AgentSocket.java:894)
          at io.onedev.agent.AgentSocket.service(AgentSocket.java:1004)
          at io.onedev.agent.AgentSocket.lambda$onMessage$2(AgentSocket.java:281)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
          at java.base/java.lang.Thread.run(Thread.java:840)
      Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
          at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1294)
          at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1169)
          at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1112)
          at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
          at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:481)
          at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:459)
          at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206)
          at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
          at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
          at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
          at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
          at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
          at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589)
          at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
          at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1717)
          at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1641)
          at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
          at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:308)
          at org.glassfish.jersey.client.internal.HttpUrlConnector._apply(HttpUrlConnector.java:380)
          at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:268)
          ... 21 more
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
          at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
          at java.base/sun.security.validator.Validator.validate(Validator.java:264)
          at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
          at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
          at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1278)
          ... 40 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
          at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
          at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
          at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
          ... 45 more

  Error executing task

If I run this inside the container, the job executor test works afterwards:

docker exec onedev-agent sh -c 'cp /agent/conf/trust-certs/*.crt /usr/local/share/ca-certificates/ && update-ca-certificates'
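The failing call in the trace above is a Jersey (JAX-RS) client inside the agent, which by default verifies TLS against the JVM's own cacerts rather than the trust-certs directory. The following is an added example, not OneDev's code and not its eventual fix: it builds an in-memory trust store from every PEM certificate in a directory and hands the resulting SSLContext to the JAX-RS client, so a server issued by an internal CA validates without touching the OS certificate store. The class name, the default directory /agent/conf/trust-certs and the server URL https://git.domain.com are assumptions taken from this report for illustration.

```java
// Added example (not OneDev's code): a JAX-RS/Jersey client that trusts the CAs found
// in a directory of PEM files instead of the JVM default cacerts.
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;

public class TrustCertsClient {

    /** Load every *.crt / *.pem file under dir into an empty, in-memory trust store. */
    static KeyStore loadTrustStore(Path dir) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // fresh store, no password
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int count = 0;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.{crt,pem}")) {
            for (Path file : files) {
                try (InputStream in = Files.newInputStream(file)) {
                    // One file may hold a whole chain; generateCertificates reads all entries.
                    for (Certificate cert : cf.generateCertificates(in)) {
                        ks.setCertificateEntry(file.getFileName() + "-" + count++, cert);
                    }
                }
            }
        }
        if (count == 0) {
            // Fail loudly rather than silently falling back to an empty trust set.
            throw new IllegalStateException("no certificates found in " + dir);
        }
        return ks;
    }

    /** Build an SSLContext whose trust decisions come only from the given store. */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults for illustration; override on the command line.
        Path trustDir = Paths.get(args.length > 0 ? args[0] : "/agent/conf/trust-certs");
        String serverUrl = args.length > 1 ? args[1] : "https://git.domain.com";

        // ClientBuilder.newClient() alone would use the JVM cacerts and fail with
        // "PKIX path building failed" against an internal CA; supplying the
        // SSLContext is what makes the trust-certs directory take effect.
        Client client = ClientBuilder.newBuilder()
                .sslContext(sslContextFor(loadTrustStore(trustDir)))
                .build();
        Response response = client.target(serverUrl).request().get();
        try {
            System.out.println("HTTP " + response.getStatus() + " from " + serverUrl);
        } finally {
            response.close();
            client.close();
        }
    }
}
```

Two points worth noting when adapting this. The context trusts only the CAs in the directory, so a client that must also reach public endpoints would need the default cacerts merged in as well. And the `docker exec ... update-ca-certificates` workaround above modifies the running container's filesystem only; it survives a restart but not a recreate of the container, which is why a code-level fix in the agent is the durable answer.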
  • Robin Shen commented 1 month ago

    This bug only happens when testing the executor. When actually executing the job, the certificate will be loaded correctly.

    Will be fixed in next release though.

  • Robin Shen changed title 1 month ago
    Previous value: Agent trust-certs not honored by Jersey client (executor test fails with PKIX even when trust-certs configured)
    Current value: Agent trust-certs not honored when test the executor
  • OneDev commented 2 weeks ago

    State changed as build OD-7442 is successful

  • OneDev changed state to 'Closed' 2 weeks ago
    Previous value: Open
    Current value: Closed
Type: Bug
Priority: Normal
Assignee: (none)
Affected Versions: 15.0.7
Labels: No labels
Issue Votes: 0
Watchers: 3
Reference: OD-2772