Plugins Manager error


adrien...@gmail.com

Jul 8, 2021, 9:03:16 AM
to Repo and Gerrit Discussion
Hi,

We just enabled firewall access from our Gerrit 3.1.8 server (VM) in order to retrieve plugin details from https://gerrit-ci.gerritforge.com/.
Note that we are using a self-signed SSL certificate for Gerrit.

After restarting Gerrit, we encounter the below error. Not sure whether my hunch is correct that since the gerritforge site's certificate is private, we need to trust it.
Please advise how to do so if this is the case.

[2021-07-08 08:35:00,048] [plugin-manager-preloader] ERROR com.googlesource.gerrit.plugins.manager.OnStartStop : Cannot access plugins list at this time
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.github.benmanes.caffeine.guava.CaffeinatedGuavaLoadingCache.get(CaffeinatedGuavaLoadingCache.java:63)
        at com.googlesource.gerrit.plugins.manager.PluginsCentralCache.availablePlugins(PluginsCentralCache.java:41)
        at com.googlesource.gerrit.plugins.manager.OnStartStop$1.run(OnStartStop.java:54)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)


Regards,

Adrien

Luca Milanesio

Jul 8, 2021, 10:02:49 AM
to Repo and Gerrit Discussion, Luca Milanesio, adrien...@gmail.com
Have you checked if your JVM has the SSL Root CA Certificates?

You can also check with OpenSSL:
$ openssl s_client -host gerrit-ci.gerritforge.com -port 443

The certificate chain is:

Certificate chain
 0 s:/CN=*.gerritforge.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

However, if you have an old Java JVM, it is possible that your truststore doesn’t contain the root CA certificate.

HTH

Luca.




adrien...@gmail.com

Jul 8, 2021, 11:28:41 AM
to Repo and Gerrit Discussion
Hi Luca,

Thanks for the response.
Actually, we are using a more recent OpenJDK version, as shown below, which is built in on RHEL8. We actually moved away from manually installed Java so that OS patching will take care of the Java upgrade and we don't have to worry about security vulnerabilities:
OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.10+9-LTS, mixed mode, sharing)


I tried to run openssl and observed the below (I just omitted the server certificate section BEGIN/END):

openssl s_client -host gerrit-ci.gerritforge.com -port 443

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 CN = *.gerritforge.com
verify return:1
---
Certificate chain
 0 s:CN = *.gerritforge.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-
-
-
-----END CERTIFICATE-----

subject=CN = *.gerritforge.com

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4423 bytes and written 449 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B873EDE828DF4196BA7A8A41F72E347610E97B57C2121FD2C1AB9BA926D93679
    Session-ID-ctx:
    Master-Key: 8C152E6EA60B05D2E0F5EC8C8ECD10CA562871FB65FD64E77B188ECFAEF8433AFC66EEF59FD8ABDEBB1E8480614BA5A7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1625757723
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no


Regards,

Adrien

adrien...@gmail.com

Jul 13, 2021, 1:29:22 PM
to Repo and Gerrit Discussion
Hi All,

Just an update. After opening the firewall and ensuring that gerritforge's root CA is in the JVM truststore, the ERROR message went away.
However, it was replaced by a WARN message which seems to refer to the current Gerrit version (3.1.8) that we are using.
Is there anyone here who can enlighten us on the meaning of "No plugins available for Gerrit version 3.1.8" and the best way to move forward?
It seems like we can just ignore this warning since it's not stopping Gerrit anyway.
Hope to hear from anyone soon.


 [plugin-manager-preloader] WARN  com.googlesource.gerrit.plugins.manager.repository.JenkinsCiPluginsRepository : No plugins available for Gerrit version 3.1.8

java.io.FileNotFoundException: https://gerrit-ci.gerritforge.com/view/Plugins-stable-3.1/api/json

        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1920)

        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)

        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)

        at java.base/java.net.URL.openStream(URL.java:1140)



Regards,

Adrien

Luca Milanesio

Jul 13, 2021, 1:48:02 PM
to Repo and Gerrit Discussion, Luca Milanesio

On 13 Jul 2021, at 18:29, adrien...@gmail.com <adrien...@gmail.com> wrote:

Hi All,

Just an update. After opening the firewall and ensuring that gerritforge's root CA is in the JVM truststore, the ERROR message went away.

Yeah, the error was:
"Verify return code: 19 (self signed certificate in certificate chain)"

That means that the CA root certificate was not present in the system trust-store.

However, it was replaced by a WARN message which seems to refer to the current Gerrit version (3.1.8) that we are using.
Is there anyone here who can enlighten us on the meaning of "No plugins available for Gerrit version 3.1.8" and the best way to move forward?
It seems like we can just ignore this warning since it's not stopping Gerrit anyway.

Yeah, Gerrit v3.1 is EOL and therefore the associated builds aren’t available on the Gerrit-CI anymore.

Glad you managed to fix the issue.

Luca.
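
Added example, not part of the original thread: a small shell script that reads openssl s_client output like the transcript posted above, extracts the verify return code and the self-signed root at the top of the chain, and checks the JVM default truststore for that root. It assumes keytool from JDK 9 or later and the stock truststore password; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read an `openssl s_client` transcript
# and name the root CA the client's trust store has to contain.

# Numeric "Verify return code" from s_client output on stdin.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# CN of the chain entry whose subject equals its issuer (the self-signed root).
# Accepts both layouts seen in the thread: "s:/C=US/.../CN=x" and "s:C = US, ..., CN = x".
chain_root_cn() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/ {
            sub(/^ *i:/, "")
            if ($0 == subj) { sub(/.*CN ?= ?/, ""); print; exit }
        }'
}

# True if the JVM default truststore lists a certificate with that CN.
# Assumptions: keytool from JDK 9+ (-cacerts), stock password "changeit",
# and the CN printed first in the DN ("Owner: CN=..., OU=...").
jvm_trusts() {
    keytool -list -v -cacerts -storepass changeit 2>/dev/null |
        grep -F "CN=$1," >/dev/null
}

# Constructed sample, trimmed from the shape of the output posted above.
SAMPLE='Certificate chain
 0 s:CN = *.gerritforge.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    Verify return code: 19 (self signed certificate in certificate chain)'

code=$(printf '%s\n' "$SAMPLE" | verify_code)
root=$(printf '%s\n' "$SAMPLE" | chain_root_cn)
echo "verify return code: $code; root CA the client must trust: $root"

# Only query the truststore when a JDK is actually installed.
if command -v keytool >/dev/null 2>&1; then
    if jvm_trusts "$root"; then echo "JVM truststore contains $root"
    else echo "JVM truststore is missing $root"; fi
fi
```

For a live check, pipe the output of the openssl s_client command from the thread (with stdin redirected from /dev/null) into verify_code and chain_root_cn. openssl verifies against the OpenSSL CA store while Gerrit uses the JVM's cacerts, so the two results can differ on the same host.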
