[RELENG-30] https SSL cert by using StartCom as a CA is a PITA
Created: 26/Apr/16  Updated: 28/Nov/17  Resolved: 28/Nov/17
| Status: | Resolved |
| Project: | releng |
| Component/s: | Autorelease |
| Affects Version/s: | unspecified |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | Michael Vorburger |
| Assignee: | Unassigned |
| Resolution: | Cannot Reproduce |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 5806 |
Description

Thanh & Co, are you sure that using the https SSL cert on https://nexus.opendaylight.org and https://git.opendaylight.org with StartCom as a CA is a good idea? This is causing PITA issues such as:

http://blog2.vorburger.ch/2016/04/how-to-resolve-validatorexception-pkix.html
https://bugs.eclipse.org/bugs/show_bug.cgi?id=492014

Couldn't we just use a https SSL cert on *.opendaylight.org issued/signed by a "more standard" CA whose root cert is part of all Java installations, to avoid people wasting time on issues like above?
Comments

Comment by Michael Vorburger [ 29/Apr/16 ]

FTR: This https://lists.opendaylight.org/pipermail/dev/2016-April/thread.html#1866 thread highlights that other users are having similar problems ...
Comment by Andrew Grimberg [ 06/May/16 ]

(In reply to Michael Vorburger from comment #0) Our Nexus system uses a certificate from COMODO because of issues with Java. When we had first moved the system into our private cloud there was a mistake with the setup and we had applied our * cert to the system. Gerrit, on the other hand, uses our * cert and will continue to do so. StartCom is a "more standard" CA; it's recognized by all browsers and Java installations except for Oracle's Java. As long as you're accessing Gerrit from Java via the SSH (preferred) interface you shouldn't have any issues. We have plans to eventually switch all of our certs to using Let's Encrypt, which is also supported by Oracle Java, but there is still integration work with our management frameworks that has to happen before that's an option.
Comment by Michael Vorburger [ 10/May/16 ]

> StartCom is a "more standard" CA, it's recognized by all browsers and Java installations except for Oracle's Java.

Oh OK, I didn't realize that this was Oracle Java specific, but OK with OpenJDK. Perhaps less of a blocking issue then. Thanks for clarifying, noted.

> As long as you're accessing Gerrit from Java via the SSH (preferred) interface you shouldn't have any issues.

In https://bugs.eclipse.org/bugs/show_bug.cgi?id=492014 I had faced problems accessing Gerrit via https://www.eclipse.org/egerrit/ which talks https to the Gerrit REST API. The git clone via ssh always works fine, of course, yes.
Comment by Michael Vorburger [ 24/May/16 ]

Andrew & Thanh, just FYI: This IS a PITA - I've just had someone else reach out to me on private IRC DM struggling with this AGAIN. Now it was because that user tried to install yangide from https://nexus.opendaylight.org/content/sites/p2repos/org.opendaylight.yangide/snapshot/content.xml using https://github.com/vorburger/opendaylight-eclipse-setup, and hit this. Just adding the actual error message to be able to find this issue more easily again in the future; it's:

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
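The exception quoted above is what JSSE's default X509TrustManager raises when none of the JVM's trust anchors can complete a path for the server's chain (during a handshake it is wrapped in an SSLHandshakeException). The program below is an added example, not code from the OpenDaylight project or from anyone in this thread: a stand-alone Java tool that runs the same validation offline against a chain saved with `openssl s_client -showcerts -connect host:443`, so you can reproduce the failure on the specific JDK that is misbehaving and confirm that supplying the missing root (as an extra in-memory trust anchor, without editing the shared cacerts file) resolves it. The class name PkixCheck and the two file arguments are assumptions for the illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Offline check: does this JVM's default trust store accept a given server
 * certificate chain? (Added example; PkixCheck is a hypothetical name.)
 *
 * Usage: java PkixCheck <chain.pem> [extra-root.pem]
 *   chain.pem      leaf first, then intermediates, as dumped by
 *                  `openssl s_client -showcerts -connect host:443`
 *   extra-root.pem an additional root to trust (the CA the JVM lacks)
 */
public class PkixCheck {

    /** Load every X.509 certificate found in a PEM (or single DER) file. */
    static List<X509Certificate> readCerts(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /** Pick the X509 trust manager out of an initialized factory. */
    static X509TrustManager firstX509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Trust manager backed by the JVM defaults (javax.net.ssl.trustStore or
     * lib/security/cacerts), optionally extended with extra roots. The extra
     * roots go into a fresh in-memory store so the shared cacerts file is
     * never modified.
     */
    static X509TrustManager trustManager(List<X509Certificate> extraRoots) throws Exception {
        TrustManagerFactory defaults =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null); // null -> the JVM's default trust store
        if (extraRoots.isEmpty()) {
            return firstX509(defaults);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty store
        int i = 0;
        for (X509Certificate c : firstX509(defaults).getAcceptedIssuers()) {
            ks.setCertificateEntry("default-" + (i++), c);
        }
        for (X509Certificate c : extraRoots) {
            ks.setCertificateEntry("extra-" + (i++), c);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return firstX509(tmf);
    }

    /**
     * Null if the chain is trusted, otherwise the validator's message. This is
     * the same path-building step the JSSE client runs in a TLS handshake, so a
     * missing root yields "PKIX path building failed: ... unable to find valid
     * certification path to requested target".
     */
    static String validate(List<X509Certificate> chain, X509TrustManager tm) {
        try {
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), "RSA");
            return null;
        } catch (CertificateException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java PkixCheck <chain.pem> [extra-root.pem]");
            System.exit(2);
        }
        List<X509Certificate> chain = readCerts(Paths.get(args[0]));
        List<X509Certificate> extra = args.length > 1
                ? readCerts(Paths.get(args[1])) : Collections.<X509Certificate>emptyList();

        System.out.println("Leaf:        " + chain.get(0).getSubjectX500Principal());
        System.out.println("Last issuer: " + chain.get(chain.size() - 1).getIssuerX500Principal());

        // 1. Defaults only: this is what a JVM lacking the site's root CA sees.
        String defaultResult = validate(chain, trustManager(Collections.<X509Certificate>emptyList()));
        System.out.println("default trust store: " + (defaultResult == null ? "TRUSTED" : defaultResult));

        // 2. With the extra root: the per-application fix, no cacerts edit needed.
        if (!extra.isEmpty()) {
            String fixed = validate(chain, trustManager(extra));
            System.out.println("with extra root:     " + (fixed == null ? "TRUSTED" : fixed));
        }
        System.exit(defaultResult == null ? 0 : 1);
    }
}
```

Run it with the JDK that is failing (`"$JAVA_HOME"/bin/java PkixCheck chain.pem`), since the result depends entirely on that installation's trust anchors. Note that `checkServerTrusted` called without a socket or engine performs path validation only; hostname checking happens separately in the handshake, so TRUSTED here does not rule out a name mismatch. The equivalent without code is to `keytool -importcert` the root into a copy of cacerts and point the JVM at it with `-Djavax.net.ssl.trustStore`.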
Comment by Thanh Ha (zxiiro) [ 28/Nov/17 ]

vorburger, is this still an issue? I haven't heard of SSL issues recently, so thinking perhaps this can be closed now. Also, I believe we're now using Let's Encrypt.
Comment by Michael Vorburger [ 28/Nov/17 ]

I've not heard of this issue in a long time either, so let us just close it now.