[JIRA] (JENKINS-38738) Maven plugin does not use SNI with SSL maven repos


cheepeero@gmx.net (JIRA)

Oct 5, 2016, 10:19:10 AM
to jenkinsc...@googlegroups.com
Ciprian Ciubotariu created an issue
 
Jenkins / Bug JENKINS-38738
Maven plugin does not use SNI with SSL maven repos
Issue Type: Bug
Assignee: Unassigned
Components: maven-plugin
Created: 2016/Oct/05 2:18 PM
Environment: Jenkins 2.7.2
Maven Integration plugin 2.13
Labels: plugins plugin build
Priority: Major
Reporter: Ciprian Ciubotariu

I have an Apache Archiva instance running behind HAProxy. HAProxy acts as an SSL wrapper for more HTTP services, each identified via its DNS name, and each with its own certificate.

This setup requires clients to use SNI within the TLS handshake, so HAProxy can send back the proper SSL certificate. This works already for command-line maven builds on my machine. Also curl, firefox and even apache karaf are able to seamlessly communicate with my archiva repo via HTTPS.

The jenkins maven plugin seems to not send SNI during handshake, and I infer this from the fact that HAProxy replies with the wrong SSL certificate (the one for the website www.example.com/example.com, instead of archiva.example.org), as presented in the log below.

Parsing POMs
Failed to transfer Could not transfer artifact org.example:example-parent:pom:4 from/to example-releases (https://archiva.example.org/repository/example-releases): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
Failed to transfer Could not find artifact org.example:example-parent:pom:4 in central (http://repo.maven.apache.org/maven2)
ERROR: Failed to parse POMs
org.apache.maven.project.ProjectBuildingException: Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM: Could not transfer artifact org.example:example-parent:pom:4 from/to example-releases (https://archiva.example.org/repository/example-releases): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com> and 'parent.relativePath' points at wrong local POM @ line 5, column 13

	at org.apache.maven.project.DefaultProjectBuilder.build(DefaultProjectBuilder.java:364)
	at hudson.maven.MavenEmbedder.buildProjects(MavenEmbedder.java:361)
	at hudson.maven.MavenEmbedder.readProjects(MavenEmbedder.java:331)
	at hudson.maven.MavenModuleSetBuild$PomParser.invoke(MavenModuleSetBuild.java:1301)
	at hudson.maven.MavenModuleSetBuild$PomParser.invoke(MavenModuleSetBuild.java:1098)
	at hudson.FilePath.act(FilePath.java:1018)
	at hudson.FilePath.act(FilePath.java:996)
	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.parsePoms(MavenModuleSetBuild.java:960)
	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:679)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
	at hudson.model.Run.execute(Run.java:1741)
	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:410)

I've tried to workaround this by using a proxy repository on the build machine, but this only moved the problem to the deploy step:

Maven RedeployPublisher use remote  maven settings from : /var/lib/jenkins/.m2/settings.xml
[INFO] Deployment in https://archiva.example.org/repository/example-snapshots (id=example-snapshots,uniqueVersion=true)
Deploying the main artifact my-artifact-5-SNAPSHOT.pom
Downloading: https://archiva.example.org/repository/example-snapshots/org/example/my-artifact/5-SNAPSHOT/maven-metadata.xml
ERROR: Failed to retrieve remote metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml: Could not transfer metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml from/to example-snapshots (https://archiva.example.org/repository/example-snapshots): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
org.apache.maven.artifact.deployer.ArtifactDeploymentException: Failed to retrieve remote metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml: Could not transfer metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml from/to example-snapshots (https://archiva.example.org/repository/example-snapshots): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
	at org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy(DefaultArtifactDeployer.java:143)
	at hudson.maven.reporters.MavenArtifactRecord.deploy(MavenArtifactRecord.java:193)
	at hudson.maven.RedeployPublisher.perform(RedeployPublisher.java:176)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779)
	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:720)
	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1047)
	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:665)
	at hudson.model.Run.execute(Run.java:1766)
	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:410)
Caused by: org.eclipse.aether.deployment.DeploymentException: Failed to retrieve remote metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml: Could not transfer metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml from/to example-snapshots (https://archiva.example.org/repository/example-snapshots): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
	at org.eclipse.aether.internal.impl.DefaultDeployer.upload(DefaultDeployer.java:470)
	at org.eclipse.aether.internal.impl.DefaultDeployer.deploy(DefaultDeployer.java:314)
	at org.eclipse.aether.internal.impl.DefaultDeployer.deploy(DefaultDeployer.java:269)
	at org.eclipse.aether.internal.impl.DefaultRepositorySystem.deploy(DefaultRepositorySystem.java:413)
	at org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy(DefaultArtifactDeployer.java:139)
	... 11 more
Caused by: org.eclipse.aether.transfer.MetadataTransferException: Could not transfer metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml from/to example-snapshots (https://archiva.example.org/repository/example-snapshots): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
	at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$5.wrap(WagonRepositoryConnector.java:995)
	at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$5.wrap(WagonRepositoryConnector.java:983)
	at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$GetTask.run(WagonRepositoryConnector.java:725)
	at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run(RunnableErrorForwarder.java:67)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.maven.wagon.TransferFailedException: hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
	at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.fillInputData(AbstractHttpClientWagon.java:892)
	at org.apache.maven.wagon.StreamWagon.getInputStream(StreamWagon.java:116)
	at org.apache.maven.wagon.StreamWagon.getIfNewer(StreamWagon.java:88)
	at org.apache.maven.wagon.StreamWagon.get(StreamWagon.java:61)
	at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$GetTask.run(WagonRepositoryConnector.java:660)
	... 4 more
Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
	at org.apache.maven.wagon.shared.http4.ConfigurableSSLSocketFactoryDecorator.connectSocket(ConfigurableSSLSocketFactoryDecorator.java:64)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
	at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.execute(AbstractHttpClientWagon.java:746)
	at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.fillInputData(AbstractHttpClientWagon.java:886)
	... 8 more
[INFO] Deployment failed after 0.49 sec
Build step 'Deploy artifacts to Maven repository' changed build result to FAILURE

I've noticed that both Jenkins' maven plugin and apache karaf 4.0.x (via pax-url) are using org.eclipse.aether to communicate with maven repos, but only karaf uses SNI - maybe using a newer version of org.eclipse.aether would solve this? I've tried looking at the code of maven plugin, but I was unable to make heads or tails of which version is used.

Browsing the issues I noticed some Jenkins plugins were recently fixed for SNI (gitlab-oauth-plugin, artifactory plugin etc). I am not sure how come maven-plugin did not encounter this issue yet.

How can I help to solve this issue?

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

aheritier@apache.org (JIRA)

Feb 15, 2017, 7:42:01 PM
to jenkinsc...@googlegroups.com
Arnaud Héritier commented on Bug JENKINS-38738
 
Re: Maven plugin does not use SNI with SSL maven repos

Version 2.15 will upgrade wagon to the latest version. Let us know if it fixes this issue. Thanks.

aheritier@apache.org (JIRA)

Feb 17, 2017, 6:53:01 AM
to jenkinsc...@googlegroups.com

stefanotravelli@java.net (JIRA)

Feb 17, 2017, 7:05:01 AM
to jenkinsc...@googlegroups.com

No luck here with newer version 2.15.1 and nginx TLS/SNI

Not sure that the error is the same, though:
{{sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target }}

stefanotravelli@java.net (JIRA)

Feb 17, 2017, 7:06:01 AM
to jenkinsc...@googlegroups.com
stefanotravelli edited a comment on Bug JENKINS-38738
No luck here with newer version 2.15.1 and nginx TLS/SNI :(


Not sure that the error is the same, though:
{{
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
}}

aheritier@apache.org (JIRA)

Feb 17, 2017, 8:22:02 AM
to jenkinsc...@googlegroups.com

Do you have the full stack trace, please?

stefanotravelli@java.net (JIRA)

Feb 17, 2017, 8:43:04 AM
to jenkinsc...@googlegroups.com

Previous error was misleading because JDK didn't recognize a LetsEncrypt Certificate. With JDK 1.0.8_112 I get:

[INFO] [INFO] 
[INFO] [INFO] --- maven-deploy-plugin:2.8.2:deploy (default-deploy) @ eui-login ---
[INFO] [INFO] Uploading: https://www.entaksi.eu/maven/maintenact-release-local/eu/entaksi/eui/eui-login/1.0.4/eui-login-1.0.4.amp
[INFO] [INFO] Uploading: https://www.entaksi.eu/maven/maintenact-release-local/eu/entaksi/eui/eui-login/1.0.4/eui-login-1.0.4.pom
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [INFO] BUILD FAILURE
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [INFO] Total time: 4.035 s
[INFO] [INFO] Finished at: 2017-02-17T14:32:24+01:00

[INFO] [INFO] Final Memory: 31M/640M
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy) on project eui-login: Failed to deploy artifacts: Could not transfer artifact eu.entaksi.eui:eui-login:amp:1.0.4 from/to maintenact-release (https://www.entaksi.eu/maven/maintenact-release-local): hostname in certificate didn't match: <www.entaksi.eu> != <console.entaksi.eu> OR <console.entaksi.eu> -> [Help 1]
[INFO] [ERROR] 
[INFO] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[INFO] [ERROR] Re-run Maven using the -X switch to enable full debug logging.
[INFO] [ERROR] 
[INFO] [ERROR] For more information about the errors and possible solutions, please read the following articles:
[INFO] [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

This happens only during a maven release. Regular builds that include uploading snapshots to the repository work fine.
As a workaround I set an entry in the hosts file in order to point to a dedicated HTTP server with a single certificate.

aheritier@apache.org (JIRA)

Feb 17, 2017, 8:54:02 AM
to jenkinsc...@googlegroups.com

OK, thus here it's at Jenkins level.
The Parsing POM step succeeds in getting artifacts (which was the error reported in this ticket).
It is strange that you have this deployment issue only with releases and not with snapshots (are they uploaded to the same server?).
I'm not sure if Jenkins can be involved in the issue; did you try to reproduce the issue without Jenkins?
When you are deploying your snapshots, are you also using Maven to do it, or are you using the post build step provided by Jenkins in Maven jobs?

stefanotravelli@java.net (JIRA)

Feb 17, 2017, 9:05:03 AM
to jenkinsc...@googlegroups.com

Yes, it's the same server and I'm using the post build step provided by Jenkins.

With regard to the scope of this ticket I think it's fixed. My issue seems more like JENKINS-26403 (even if I'm not using the Artifactory plugin).

Thanks.

aheritier@apache.org (JIRA)

Feb 17, 2017, 9:30:01 AM
to jenkinsc...@googlegroups.com

If for SNAPSHOTs you are using the post build step provided by Jenkins, then it could explain the difference, and thus if parsing POM + SNAPSHOTs deployment are working with your repo using SNI, this issue but also JENKINS-40903 could be fixed.
JENKINS-26403 is different because I think that this is the artifactory plugin which is doing the deployment from Jenkins.

In your case you are asking Maven to do the deployment with the deploy goal, and this is where we have the issue, and it should be a pure Maven issue.

Maybe you could try to run your release build with -e or -X (or just a deploy with maven, it should be the same). It may help you to see which wagon provider/version you are using and adapt your maven configuration to use the right one.

stefano.travelli@gmail.com (JIRA)

Feb 17, 2017, 11:14:02 AM
to jenkinsc...@googlegroups.com

You are right. It was a pure maven issue.
Upgrading Maven to 3.2.1 and forcing maven-release-plugin to version 2.5.3, it works.

Thank you.

aheritier@apache.org (JIRA)

Feb 17, 2017, 5:36:01 PM
to jenkinsc...@googlegroups.com
Arnaud Héritier closed an issue as Fixed
 

Fixed in 2.15

Change By: Arnaud Héritier
Status: Open → Closed
Assignee: Arnaud Héritier
Resolution: Fixed