SonarQube 安装 - Github 身份验证插件失败 "PKIX path building failed"
SonarQube Installation - Github Authentication plugin fails with "PKIX path building failed"
我正在尝试让插件正常工作。声纳源 5.6,插件 1.2。我有一个 SSL 错误,我认为这是由我的 github 企业实例引起的,该实例具有从内部因此不受信任的 CA 授予的 SSL 证书(或者可能只是没有正确设置)。日志复制在下面。
我有什么选择?我觉得
- 我可以通过
sudo docker exec <my container id> openssl s_client -connect my-sonarqube-hostname:443 -showcerts
下载证书,然后(如果我知道我在做什么)使用 keytool
来...将其放入商店 (?)
- 我可以禁用证书验证 a) 如果我知道怎么做,以及 b) 如果我认为可以冒 MITM 的风险来获得我的源代码(我不知道)
- 我可以试着理解下面这样的文章,但它们似乎都涉及编译一些东西来获取证书并将其放入商店
- 我可以尝试让拥有 GHE 的团队使用真实证书
- .....?还有什么吗?
我在 Amazon Linux EC2 实例的 docker 容器中使用 运行 sonarqube - 非常容易上手,但现在很难修改(虽然我想我可以提取 Dockerfile 并分叉它 - 我怀疑我的问题对于内部设置来说是独一无二的,所以也许我想出的任何东西都值得回馈?)
日志:
2016.06.10 07:50:01 ERROR web[o.s.s.a.AuthenticationError] Fail to callback authentication with 'github'
com.github.scribejava.core.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service: https://my-github-enterprise-hostname/login/oauth/access_token?client_id=02e2f2cd8f567478c80d&client_secret=68c1ec2fe7d5c99a75e478c476965bdbefdc55dd&code=1b8c6e1323ef66e7a8f0&redirect_uri=https%3A%2F%2Fmy-sonarqube-hostname%2Foauth2%2Fcallback%2Fgithub
at com.github.scribejava.core.model.OAuthRequest.send(OAuthRequest.java:39) ~[na:na]
at com.github.scribejava.core.oauth.OAuth20ServiceImpl.getAccessToken(OAuth20ServiceImpl.java:36) ~[na:na]
at org.sonarsource.auth.github.GitHubIdentityProvider.callback(GitHubIdentityProvider.java:111) ~[na:na]
at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:71) ~[sonar-server-5.6.jar:na]
at org.sonar.server.platform.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:125) [sonar-server-5.6.jar:na]
at org.sonar.server.platform.MasterServletFilter.doFilter(MasterServletFilter.java:94) [sonar-server-5.6.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:59) [sonar-server-5.6.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.sonar.server.platform.ProfilingFilter.doFilter(ProfilingFilter.java:84) [sonar-server-5.6.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.30.jar:8.0.30]
at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:191) [logback-access-1.1.3.jar:na]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-embed-core-8.0.30.jar:8.0.30]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.30.jar:8.0.30]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_91]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[na:1.8.0_91]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_91]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.8.0_91]
at com.github.scribejava.core.model.Response.<init>(Response.java:30) ~[na:na]
at com.github.scribejava.core.model.OAuthRequest.doSend(OAuthRequest.java:57) ~[na:na]
at com.github.scribejava.core.model.OAuthRequest.send(OAuthRequest.java:37) ~[na:na]
... 28 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_91]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_91]
at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_91]
... 41 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_91]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_91]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_91]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_91]
... 47 common frames omitted
在我看来,您的企业 Github URL 未使用您的应用程序服务器接受的证书签名。
您必须将您的服务器 SSL 密钥添加到您的应用程序服务器密钥库(see corresponding documentation 使用来自 JDK 的密钥工具获取详细信息)。
我最后做了
#!/bin/bash
HOST=my-github-hostname
PORT=443
KEYSTOREFILE=/etc/ssl/certs/java/cacerts
KEYSTOREPASS=changeit
# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert
# copy it into the running docker container
sudo docker cp ${HOST}.cert sonarqube-web:/opt/sonarqube/${HOST}.cert
# import certificate into the container's keystore
sudo docker exec sonarqube-web keytool -import -noprompt -trustcacerts -alias ${HOST} -file /opt/sonarqube/${HOST}.cert -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
# verify we've got it.
sudo docker exec sonarqube-web keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}
exit 0
我意识到修改 运行 docker 容器可能是我会为之努力的事情,但是 OTOH 该实例每次启动时都会获取证书的新副本,所以...
我正在尝试让插件正常工作。声纳源 5.6,插件 1.2。我有一个 SSL 错误,我认为这是由我的 github 企业实例引起的,该实例具有从内部因此不受信任的 CA 授予的 SSL 证书(或者可能只是没有正确设置)。日志复制在下面。
我有什么选择?我觉得
- 我可以通过
sudo docker exec <my container id> openssl s_client -connect my-sonarqube-hostname:443 -showcerts
下载证书,然后(如果我知道我在做什么)使用keytool
来...将其放入商店 (?) - 我可以禁用证书验证 a) 如果我知道怎么做,以及 b) 如果我认为可以冒 MITM 的风险来获得我的源代码(我不知道)
- 我可以试着理解下面这样的文章,但它们似乎都涉及编译一些东西来获取证书并将其放入商店
- 我可以尝试让拥有 GHE 的团队使用真实证书
- .....?还有什么吗?
我在 Amazon Linux EC2 实例的 docker 容器中使用 运行 sonarqube - 非常容易上手,但现在很难修改(虽然我想我可以提取 Dockerfile 并分叉它 - 我怀疑我的问题对于内部设置来说是独一无二的,所以也许我想出的任何东西都值得回馈?)
日志:
2016.06.10 07:50:01 ERROR web[o.s.s.a.AuthenticationError] Fail to callback authentication with 'github'
com.github.scribejava.core.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service: https://my-github-enterprise-hostname/login/oauth/access_token?client_id=02e2f2cd8f567478c80d&client_secret=68c1ec2fe7d5c99a75e478c476965bdbefdc55dd&code=1b8c6e1323ef66e7a8f0&redirect_uri=https%3A%2F%2Fmy-sonarqube-hostname%2Foauth2%2Fcallback%2Fgithub
at com.github.scribejava.core.model.OAuthRequest.send(OAuthRequest.java:39) ~[na:na]
at com.github.scribejava.core.oauth.OAuth20ServiceImpl.getAccessToken(OAuth20ServiceImpl.java:36) ~[na:na]
at org.sonarsource.auth.github.GitHubIdentityProvider.callback(GitHubIdentityProvider.java:111) ~[na:na]
at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:71) ~[sonar-server-5.6.jar:na]
at org.sonar.server.platform.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:125) [sonar-server-5.6.jar:na]
at org.sonar.server.platform.MasterServletFilter.doFilter(MasterServletFilter.java:94) [sonar-server-5.6.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:59) [sonar-server-5.6.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.sonar.server.platform.ProfilingFilter.doFilter(ProfilingFilter.java:84) [sonar-server-5.6.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.30.jar:8.0.30]
at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:191) [logback-access-1.1.3.jar:na]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-embed-core-8.0.30.jar:8.0.30]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-embed-core-8.0.30.jar:8.0.30]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.30.jar:8.0.30]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_91]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_91]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_91]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[na:1.8.0_91]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.8.0_91]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.8.0_91]
at com.github.scribejava.core.model.Response.<init>(Response.java:30) ~[na:na]
at com.github.scribejava.core.model.OAuthRequest.doSend(OAuthRequest.java:57) ~[na:na]
at com.github.scribejava.core.model.OAuthRequest.send(OAuthRequest.java:37) ~[na:na]
... 28 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_91]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_91]
at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_91]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_91]
... 41 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_91]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_91]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_91]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_91]
... 47 common frames omitted
在我看来,您的企业 Github URL 未使用您的应用程序服务器接受的证书签名。
您必须将您的服务器 SSL 密钥添加到您的应用程序服务器密钥库(see corresponding documentation 使用来自 JDK 的密钥工具获取详细信息)。
我最后做了
#!/bin/bash
HOST=my-github-hostname
PORT=443
KEYSTOREFILE=/etc/ssl/certs/java/cacerts
KEYSTOREPASS=changeit
# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert
# copy it into the running docker container
sudo docker cp ${HOST}.cert sonarqube-web:/opt/sonarqube/${HOST}.cert
# import certificate into the container's keystore
sudo docker exec sonarqube-web keytool -import -noprompt -trustcacerts -alias ${HOST} -file /opt/sonarqube/${HOST}.cert -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
# verify we've got it.
sudo docker exec sonarqube-web keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}
exit 0
我意识到修改 运行 docker 容器可能是我会为之努力的事情,但是 OTOH 该实例每次启动时都会获取证书的新副本,所以...