Invalid SSL certificate for dcm4che.org

[Stefan Wehr]

Hi all,

there seems to be a problem with the SSL certificate of dcm4che.org. Our nightly build suddenly stopped working, it fails with resolving the dcm4che dependency:

[info] Resolving dcm4che#dcm4che-core;2.0.29 ...

[warn] module not found: dcm4che#dcm4che-core;2.0.29

[warn] ==== local: tried

[warn]   /root/.ivy2/local/dcm4che/dcm4che-core/2.0.29/ivys/ivy.xml

[warn] ==== dcm4che: tried

[warn]   http://www.dcm4che.org/maven2/dcm4che/dcm4che-core/2.0.29/dcm4che-core-2.0.29.pom

When I try to download the pom file using wget, I get:

$ wget http://www.dcm4che.org/maven2/dcm4che/dcm4che-net/2.0.29/dcm4che-core-2.0.29.pom

--2018-02-28 17:56:41--  http://www.dcm4che.org/maven2/dcm4che/dcm4che-net/2.0.29/dcm4che-core-2.0.29.pom

Resolving www.dcm4che.org... 195.201.27.249

Connecting to www.dcm4che.org|195.201.27.249|:80... connected.

HTTP request sent, awaiting response... 301 Moved Permanently

Location: https://www.dcm4che.org/maven2/dcm4che/dcm4che-net/2.0.29/dcm4che-core-2.0.29.pom [following]

--2018-02-28 17:56:41--  https://www.dcm4che.org/maven2/dcm4che/dcm4che-net/2.0.29/dcm4che-core-2.0.29.pom

Connecting to www.dcm4che.org|195.201.27.249|:443... connected.

ERROR: cannot verify www.dcm4che.org's certificate, issued by 'CN=Let\'s Encrypt Authority X3,O=Let\'s Encrypt,C=US':

  Unable to locally verify the issuer's authority.

To connect to www.dcm4che.org insecurely, use `--no-check-certificate'.

Was there a change in the certificate recently that could cause this problem?

Cheers,

Stefan

[Rick Herrick]

Yes, we're seeing this as well. I think the change happened late last week or over the weekend because we had no issues before then. The problem is that the server is redirecting http://www.dcm4che.org to https://www.dcm4che.org. The site certificate is issued by Let's Encrypt, which works fine for web browsers but has been problematic for tools that run on the JRE like Maven and Gradle (also seems to be a problem with Python as httpie fails as well). I don't know if the SSL support and certificate are new or just the redirect from http to https, but I've had to remove the dcm4che repo from our build configurations.

[Rick Herrick]

Actually, it's not an issue with Let's Encrypt itself but with the dcm4che certificate. I was just able to run a Java app that downloaded a file from my own dev server, which uses Let's Encrypt for SSL. I pulled the certs from that dev server and from www.dcm4che.org:

$ openssl s_client -connect www.dcm4che.org:443 -showcerts

The difference is pretty apparent. Here's the header from the SSL certificate I pulled off my dev server:

CONNECTED(00000005)

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

verify error:num=20:unable to get local issuer certificate

verify return:0

---

Certificate chain

 0 s:/CN=my.dev.server

   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

-----BEGIN CERTIFICATE-----

Here's the header from www.dcm4che.org:

CONNECTED(00000005)

depth=0 CN = dcm4che.org

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 CN = dcm4che.org

verify error:num=27:certificate not trusted

verify return:1

depth=0 CN = dcm4che.org

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

 0 s:/CN=dcm4che.org

   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

-----BEGIN CERTIFICATE-----

So... I'm not sure what's going on there, but it's definitely broken!

I was actually wondering why the dcm4che artifacts aren't just deployed to Maven Central. We have our own hosted Maven repository (https://nrgxnat.jfrog.io/nrgxnat) because of the need to work with dev SNAPSHOT versions of our libraries, so that's another option (I'm also trying to get all of our builds to comply with the requirements for deploying to Maven Central so that if our repo goes down or away our users and developers have  got that to fall back on.

[Stefan Wehr]

When I analyze the SSL certificate at SSL labs I get one warning saying incomplete certificate chain: https://www.ssllabs.com/ssltest/analyze.html?d=dcm4che.org

I guess that's the problem...

[evan...@microcimaging.com]

Hey guys,

Any chance we could fix this certificate chain? The big problem is that it makes it ~impossible to use DCM4CHE using gradle without adjusting the local environment, which is sort of beside the point.

The full error when trying to use the maven repo with grade is:

   > Could not resolve org.dcm4che:dcm4che-core:5.13.0.

      > Could not get resource 'https://www.dcm4che.org/maven2/org/dcm4che/dcm4che-core/5.13.0/dcm4che-core-5.13.0.pom'.

         > Could not GET 'https://www.dcm4che.org/maven2/org/dcm4che/dcm4che-core/5.13.0/dcm4che-core-5.13.0.pom'.

            > sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Thanks!

E

[gunterze]

Just use http://maven.dcm4che.org instead http://www.dcm4che.org/maven2 (which will redirected to https://www.dcm4che.org/maven2).

On Friday, April 6, 2018 at 4:55:46 PM UTC+2, evan...@microcimaging.com wrote:

Hey guys,

Any chance we could fix this certificate chain? The big problem is that it makes it ~impossible to use DCM4CHE using gradle without adjusting the local environment, which is sort of beside the point.

The full error when trying to use the maven repo with grade is:

   > Could not resolve org.dcm4che:dcm4che-core:5.13.0.

      > Could not get resource 'https://www.dcm4che.org/maven2/org/dcm4che/dcm4che-core/5.13.0/dcm4che-core-5.13.0.pom'.

         > Could not GET 'https://www.dcm4che.org/maven2/org/dcm4che/dcm4che-core/5.13.0/dcm4che-core-5.13.0.pom'.

            > sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

http

[Evan Ruff]

G, that fixed the issue for me. Thanks for the help!

I think the issue will be with all the sample POMs out there referencing the old address. That's how I found the old link anyways.

E

--
You received this message because you are subscribed to the Google Groups "dcm4che" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dcm4che+unsubscribe@googlegroups.com.
To post to this group, send email to dcm...@googlegroups.com.
Visit this group at https://groups.google.com/group/dcm4che.
For more options, visit https://groups.google.com/d/optout.

--

Evan Ruff Chief Executive Officer evan...@microcimaging.com  O: 470.344.9734 • C: 404.939.1254 1230 Peachtree Street NW, Suite 3000 Atlanta, GA 30309

[daley zou]

thanks,it help me!

在 2018年3月1日星期四 UTC+8上午1:08:23，Rick Herrick写道：