Jira (PUP-10721) http_instance cannot ignore cert verification


William Hurt (Jira)

Oct 20, 2020, 4:15:04 PM
to puppe...@googlegroups.com
William Hurt created an issue
 
Puppet / Bug PUP-10721
http_instance cannot ignore cert verification
Issue Type: Bug
Assignee: Unassigned
Created: 2020/10/20 1:14 PM
Priority: Normal
Reporter: William Hurt

Puppet Version: 6.17.0
Puppet Server Version: 2019.8.0.37
OS Name/Version: Ubuntu 18.04

When attempting to use Puppet::Network::HttpPool.http_instance to perform an HTTP request to an HTTPS URL, setting the 'verify_peer' parameter to false to ignore certificate verification does not work.

Desired Behavior: This wrapper should be capable of doing HTTPS requests that ignore cert verification. Otherwise it is impossible to use it for doing requests against endpoints that use self-signed certs.

Actual Behavior:

The attempt to ignore cert verification results in an error when the call is invoked.

The following call results in the error text below:

use_ssl = true
validate_cert = false
conn = Puppet::Network::HttpPool.http_instance(uri.host,
                                               uri.port,
                                               use_ssl,
                                               validate_cert)
headers = {
  'Content-Type' => 'application/json'
}
conn.post("#{uri.path}?#{uri.query}", body.to_json, headers)

 

2020-10-19T21:16:18.987Z WARN [qtp2062408424-41] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
 javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
 at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
 at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
 at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
 at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
 at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
 at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
 at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
 at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
 at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
 at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
 at java.base/java.security.AccessController.doPrivileged(Native Method)
 at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
 at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:281)
 at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:339)
 at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:503)
 at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
 at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
 at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
 at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
 at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
 at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
 at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
 at java.base/java.lang.Thread.run(Thread.java:834)
 Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
 at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
 at java.base/sun.security.validator.Validator.validate(Validator.java:264)
 at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
 at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
 at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
 at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:623)
 ... 19 common frames omitted
 Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
 at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
 at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
 at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
 ... 25 common frames omitted
 Puppet::Server::HttpClientError: Error executing http request
 from uri:classloader:/puppetserver-lib/puppet/server/http_client.rb:202:in `client_post'
 Caused by Java::ComPuppetlabsHttpClient::HttpClientException: Error executing http request
 from com.puppetlabs.http.client.impl.PersistentSyncHttpClient.request(com/puppetlabs/http/client/impl/PersistentSyncHttpClient.java:52)
 Caused by Java::JavaxNetSsl::SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 from java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
 Caused by Java::SunSecurityValidator::ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 from java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
 Caused by Java::SunSecurityProviderCertpath::SunCertPathBuilderException: unable to find valid certification path to requested target
 from java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
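
The report above concerns endpoints with self-signed certificates; the alternative to switching verification off is to keep it on and trust that one certificate explicitly. The following is an added example, not code from the reporter or from Puppet, and it uses only Ruby's standard openssl library rather than Puppet's HTTP client; the host names and helper names are assumptions, and the certificates are constructed samples generated on the spot.

```ruby
require 'openssl'

# Constructed sample: a throwaway self-signed certificate for a hypothetical host.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Path validation against a store holding only `anchors`.
# Returns [verified?, OpenSSL's error string for the last verification].
def verify_against(cert, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |a| store.add_cert(a) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

# TLS client context that trusts exactly one certificate and still checks
# the peer certificate and host name (verification stays enabled).
def pinned_ssl_context(anchor)
  store = OpenSSL::X509::Store.new
  store.add_cert(anchor)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = store
  ctx
end

if __FILE__ == $PROGRAM_NAME
  endpoint = make_self_signed('internal.example.test') # hypothetical endpoint
  other    = make_self_signed('other.example.test')    # a different self-signed cert
  puts "empty store:        #{verify_against(endpoint, []).inspect}"
  puts "pinned, same cert:  #{verify_against(endpoint, [endpoint]).inspect}"
  puts "pinned, other cert: #{verify_against(other, [endpoint]).inspect}"
end
```

The first case is the Ruby-side counterpart of the "unable to find valid certification path" failure in the trace; the third shows that pinning, unlike disabling verification, still rejects any other self-signed certificate.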

William Hurt (Jira)

Oct 20, 2020, 4:16:03 PM
to puppe...@googlegroups.com
William Hurt updated an issue
Change By: William Hurt
*Puppet Version: 6.17.0*
*Puppet Server Version: 2019.8.0.37*
*OS Name/Version: Ubuntu 18.04*

When attempting to use [Puppet::Network::HttpPool.http_instance|https://github.com/puppetlabs/puppet/blob/fe73adb22453824c014d7975e30e4fc882e8bbc2/lib/puppet/network/http_pool.rb#L36] to perform an HTTP request to an HTTPS URL, setting the 'verify_peer' parameter to false to ignore certificate verification does not work.

*Desired Behavior:* This wrapper should be capable of doing HTTPS requests that ignore cert verification. Otherwise it is impossible to use it for doing requests against endpoints that use self-signed certs.

*Actual Behavior:*


The attempt to ignore cert verification results in an error when the call is invoked.

 The following call results in the error text below:

 
{code:ruby}
use_ssl = true
validate_cert = false
conn = Puppet::Network::HttpPool.http_instance(uri.host,
                     uri.port,
                     use_ssl,
                     validate_cert)
headers = {
'Content-Type' => 'application/json'
}
conn.post("#{uri.path}?#{uri.query}", body.to_json, headers)
{code}
 
{noformat}

from java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141){noformat}