Eclipse update site does not support TLS, breaking Eclipse 4.28


Christian Schäfer

Jun 6, 2023, 12:54:23 PM
to JaCoCo and EclEmma Users
Hello,
with Eclipse 4.28 https will be enforced by Eclipse by default. The Eclipse installer is already doing this. See Eclipse Project 4.28 - New and Noteworthy | The Eclipse Foundation and 581914 – Allow HTTP Protocol for P2-Repositories (eclipse.org).

Unfortunately the EclEmma update site is documented to be 
This will be rewritten by Eclipse to

But access fails due to a certificate mismatch, the presented certificate is for *.s3.amazonaws.com.

This broke our automated installation procedure already and will break updates on existing installations once they have been updated to 4.28.

I think it is required to fix TLS setup with a certificate that matches the domain name.
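
The mismatch reported in the post above, as an added example that is not part of the original thread: a minimal Python sketch of the hostname check a TLS client applies to a certificate's dNSName entries, using the conservative rule that `*` is only accepted as the whole left-most label and covers exactly one label. The host list is constructed and the bucket-style names are hypothetical; the last one shows that a dotted name placed under `s3.amazonaws.com` is not covered by the wildcard either.

```python
# Added illustration (not code from the thread): how a TLS client decides
# whether a certificate's dNSName entries cover the host it connected to.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """Return True if one dNSName entry covers host.

    The wildcard is honoured only as the complete left-most label and
    stands for exactly one label (the conservative RFC 6125 reading).
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(sans, host):
    return any(san_matches(s, host) for s in sans)

# The name the post reports in the presented certificate.
PRESENTED_SANS = ["*.s3.amazonaws.com"]

# Constructed host names; the bucket-style names are hypothetical.
HOSTS = [
    "update.eclemma.org",
    "examplebucket.s3.amazonaws.com",
    "update.eclemma.org.s3.amazonaws.com",
]

def report(hosts=HOSTS, sans=PRESENTED_SANS):
    return {h: cert_covers(sans, h) for h in hosts}

if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:40} {'match' if ok else 'MISMATCH'}")
```
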

Evgeny Mandrikov

Jun 7, 2023, 9:32:46 AM
to JaCoCo and EclEmma Users
Hello,

On Tuesday, June 6, 2023 at 6:54:23 PM UTC+2 calle.u...@gmail.com wrote:
> Hello,
> with Eclipse 4.28 https will be enforced by Eclipse by default. The Eclipse installer is already doing this. See Eclipse Project 4.28 - New and Noteworthy | The Eclipse Foundation and 581914 – Allow HTTP Protocol for P2-Repositories (eclipse.org).

Thank you - we weren't aware of this new feature.
 
> Unfortunately the EclEmma update site is documented to be
> This will be rewritten by Eclipse to
>
> But access fails due to a certificate mismatch, the presented certificate is for *.s3.amazonaws.com.
>
> This broke our automated installation procedure already and will break updates on existing installations once they have been updated to 4.28.

According to https://www.eclipse.org/eclipse/news/4.28/platform.php#force-https it seems that there is a temporary workaround:

> Adding the line -Dp2.httpRule=allow as the last line of the eclipse.ini can be used to restore the previous behavior.

Or as another option maybe you can temporarily use
https://download.eclipse.org/eclemma/releases/3.1.6/
for your automated installation procedure?

Please also note that EclEmma is part of the "Eclipse IDE for Java Developers" distribution starting from Eclipse Oxygen.
 
> I think it is required to fix TLS setup with a certificate that matches the domain name.

Marc Hoffmann,
I'm wondering if you can setup Cloudfront on top of S3 bucket (https://repost.aws/knowledge-center/cloudfront-https-requests-s3)?
After that we can ask Eclipse Foundation (https://gitlab.eclipse.org/eclipsefdn/it) to do an update of the DNS record for update.eclemma.org to point to Cloudfront.
WDYT?

Marc Hoffmann

Jun 7, 2023, 1:27:09 PM
to JaCoCo and EclEmma Users
Hi Evgeny,

setting up SSL termination on AWS with Cloudfront would be quite easy, I run a couple of sites with this setup. But to issue the AWS SSL Certificate we need to host the domain in our own Route53 Zone. Do you think Eclipse foundation would allow us to host the DNS Zone for eclemma.org ourselves?

The other option is that Eclipse.org would provide update.eclemma.org hosting for us.

Cheers,
-marc



--
You received this message because you are subscribed to the Google Groups "JaCoCo and EclEmma Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jacoco+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jacoco/31be4e5d-3dfc-4393-91b5-8573ba0868b9n%40googlegroups.com.

Evgeny Mandrikov

Jun 8, 2023, 10:48:30 AM
to JaCoCo and EclEmma Users
On Wednesday, June 7, 2023 at 7:27:09 PM UTC+2 Marc R. Hoffmann wrote:
> setting up SSL termination on AWS with Cloudfront would be quite easy, I run a couple of sites with this setup. But to issue the AWS SSL Certificate we need to host the domain in our own Route53 Zone.

Why? My best guess - the use of "AWS SSL Certificate" (SSL Certificate issued and managed by AWS) requires Route53. In this case question - can CloudFront be configured to use a non "AWS SSL Certificate"?

> Do you think Eclipse foundation would allow us to host the DNS Zone for eclemma.org ourselves?

I'm not sure.

Recall that during the transfer of the project to Eclipse Foundation, you transferred ownership of eclemma.org domain to Eclipse Foundation at the same time as registration of Eclipse EclEmma trademark - https://www.eclipse.org/legal/trademarks.php
I think these two are tied together, i.e. Eclipse Foundation should own the domain as well as the trademark to be able to provide some guarantees about the future of hosted projects to consumers, i.e. to be able to easily provide/replace project functionality/service/etc in case if current maintainers disappear.

On the other hand
states

> Project teams may use services that are not hosted by the Eclipse Foundation ...
> The following rules apply: ... One or more project committers must have ownership rights ...
> External resources can be used for: ... alternative sources for downloads ...

So maybe
Eclipse Foundation can hold domain ownership, while DNS can be hosted by us,
or maybe we can host at least update.eclemma.org?
 
> The other option is that Eclipse.org would provide update.eclemma.org hosting for us.

So probably they can do a redirect from updates.eclemma.org to download.eclipse.org, for example to download.eclipse.org/eclemma/releases
However, it should be noted that AFAIR we continued with the use of S3 for updates.eclemma.org because a long time ago download.eclipse.org had a quite high rate of unavailability.

All in all:
I don't think that I'm the best person to answer these your questions. And I think we'd better get in touch with Eclipse Foundation - I'm pretty sure together we'll find the best solution.
As you're the owner of S3 bucket and can configure CloudFront if will be needed, then may I ask you to initiate this discussion by describing the situation and our current ideas/thoughts? I think this can be done via https://gitlab.eclipse.org/eclipsefdn/helpdesk


Regards,
Evgeny

Marc Hoffmann

Jun 8, 2023, 11:10:05 AM
to JaCoCo and EclEmma Users
> In this case question - can CloudFront be configured to use a non "AWS SSL Certificate"?

Sure this is possible, you can import your own certificates in AWS certificate manager, which is used by CloudFront. But which certificate would you use for this that does not require regular rotation like let’s encrypt?

Therefore I only see two options:

a) We host the update site. For this we also need to host the eclemma.com DNS Zone so AWS certificate manager can do all the magic automatically for us.

b) Eclipse foundation hosts the site and manages the certificates

Maybe we just ask Eclipse IT what would be their preferred solution.

Cheers,
-marc

Evgeny Mandrikov

Jun 8, 2023, 11:14:18 AM
to jac...@googlegroups.com
On Thu, Jun 8, 2023 at 5:10 PM Marc Hoffmann <hoff...@mountainminds.com> wrote:
> > In this case question - can CloudFront be configured to use a non "AWS SSL Certificate"?
>
> Sure this is possible, you can import your own certificates in AWS certificate manager, which is used by CloudFront. But which certificate would you use for this that does not require regular rotation like let’s encrypt?
>
> Therefore I only see two options:
>
> a) We host the update site. For this we also need to host the eclemma.com DNS Zone so AWS certificate manager can do all the magic automatically for us.

Or just the subdomain update.eclemma.org ? 😉 which IMO might be a nice trade-off
 
> b) Eclipse foundation hosts the site and manages the certificates
>
> Maybe we just ask Eclipse IT what would be their preferred solution.

👍


Regards,
Evgeny

Marc Hoffmann

Jun 8, 2023, 11:21:48 AM
to jac...@googlegroups.com
> Or just the subdomain update.eclemma.org ? 😉 which IMO might be a nice trade-off

Technically that should work. What is the best option to get in touch with EO IT? Opening a ticket?





Evgeny Mandrikov

Jun 8, 2023, 11:29:10 AM
to JaCoCo and EclEmma Users
On Thursday, June 8, 2023 at 5:21:48 PM UTC+2 Marc R. Hoffmann wrote:
> > Or just the subdomain update.eclemma.org ? 😉 which IMO might be a nice trade-off
>
> Technically that should work. What is the best option to get in touch with EO IT? Opening a ticket?

As I wrote earlier I think this can be done via the creation of a ticket at https://gitlab.eclipse.org/eclipsefdn/helpdesk

Marc Hoffmann

Jun 8, 2023, 11:30:09 AM
to JaCoCo and EclEmma Users
I will do!


Evgeny Mandrikov

Jun 8, 2023, 11:42:30 AM
to jac...@googlegroups.com
On Thu, Jun 8, 2023 at 5:30 PM Marc Hoffmann <hoff...@mountainminds.com> wrote:
> I will do!

Thanks! ❤
 

Marc Hoffmann

Jun 8, 2023, 11:47:51 AM
to JaCoCo and EclEmma Users

Marc Hoffmann

Jun 8, 2023, 2:19:33 PM
to jac...@googlegroups.com
Hi Evgeny,

according to EO we have two options:

a) Continue hosting update.eclemma.org ourselves. Eclipse will point to our DNS server.
b) Move the update site to https://download.eclipse.org

Both options work for me. What are your preferences?

Cheers,
-marc

Christian Schäfer

Jun 12, 2023, 2:56:34 AM
to JaCoCo and EclEmma Users
Thank you very much for the quick reaction, suggested workaround and the further actions you take!

Evgeny Mandrikov

Jun 13, 2023, 4:45:23 PM
to jac...@googlegroups.com
On Thu, Jun 8, 2023 at 8:19 PM Marc Hoffmann <hoff...@mountainminds.com> wrote:
> Hi Evgeny,
>
> according to EO we have two options:
>
> a) Continue hosting update.eclemma.org ourselves. Eclipse will point to our DNS server.
> b) Move the update site to https://download.eclipse.org
>
> Both options work for me. What are your preferences?
 
Somehow I was believing that
https://github.com/eclipse/eclemma/blob/v3.1.7/org.eclipse.eclemma.feature/feature.xml#L24
might affect the upcoming release of Eclipse 4.28 (2023-06) which is already in a quiet period before GA and to which I already contributed EclEmma 3.1.7,
but apparently this is not the case - update.eclemma.org doesn't appear in the list of update sites in Eclipse when EclEmma is preinstalled as part of EPP.

Also the list of update sites in Eclipse will contain update site defined in Marketplace when installed from Eclipse Marketplace.


In any case I think we don't need to setup https for update.eclemma.org and can keep it as is for a while, in the meantime switching all references to download.eclipse.org
Later this week I'm going to work on the setup of the composite repository at https://download.eclipse.org/eclemma/releases/ and on changes for the website to reference it.

Christian Schäfer

Jul 19, 2023, 2:32:59 AM
to JaCoCo and EclEmma Users
It looks like https://download.eclipse.org/eclemma/releases/ is usable already? 
Can I switch our installation routine there and get rid of the workaround?
