Skip to content
This repository has been archived by the owner on Jun 9, 2021. It is now read-only.

Cannot send notifications to internal https server that uses a self-signed certificate #353

Open
mrbball17 opened this issue Sep 26, 2019 · 5 comments
Open

Cannot send notifications to internal https server that uses a self-signed certificate #353

mrbball17 opened this issue Sep 26, 2019 · 5 comments

Comments

@mrbball17
Copy link

We are trying to use PR Notifier to send a notification to an internal https server that uses a self-signed certificate, but we are receiving this error in the Bitbucket log:

2019-09-25 14:42:43,115 ERROR [http-nio-8080-exec-11] Gourav.Singla *16FVOE3x882x15594874x4 1ec88op 172.31.192.101,10.153.94.190 "POST /rest/prnfb-admin/1.0/settings/buttons/253f95f3-a613-41e7-bd62-f4e267802442/press/repository/7024/pullrequest/242 HTTP/1.1" se.bjurr.prnfb.http.UrlInvoker 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:325)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at se.bjurr.prnfb.http.UrlInvoker.doInvoke(UrlInvoker.java:376)
	at se.bjurr.prnfb.http.UrlInvoker.invoke(UrlInvoker.java:182)
	at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener$1.invoke(PrnfbPullRequestEventListener.java:100)
	at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener.notify(PrnfbPullRequestEventListener.java:324)
	at se.bjurr.prnfb.service.ButtonsService.doHandlePressed(ButtonsService.java:106)
	at se.bjurr.prnfb.service.ButtonsService.handlePressed(ButtonsService.java:158)
	at se.bjurr.prnfb.presentation.ButtonServlet.press(ButtonServlet.java:176)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:92)
	at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
	at com.atlassian.bitbucket.internal.xcode.web.XcodeUserAgentFilter.doFilter(XcodeUserAgentFilter.java:36)
	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
	at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81)
	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
	at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:85)
	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:112)
	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75)
	at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94)
	at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67)
	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
	at com.atlassian.plugin.connect.plugin.auth.oauth2.DefaultSalAuthenticationFilter.doFilter(DefaultSalAuthenticationFilter.java:69)
	at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109)
	at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:32)
	at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:38)
	at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
	at com.atlassian.bitbucket.internal.scm.git.lfs.servlet.filter.GitLfsLockingFilter.doFilter(GitLfsLockingFilter.java:50)
	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
	at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:90)
	at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
	... 246 frames trimmed
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	... 58 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	... 64 common frames omitted

Is it possible to use a self-signed certificate on the destination server?

We are using PR Notifier version 4.1 with Bitbucket 5.16.2

Thanks.

-Kent
@tomasbjerre
Copy link
Owner

Did you try to check the checkbox: "Accent any certificate" ?

screenshotprn

@mrbball17
Copy link
Author

Thanks for getting back to me.

I was not aware of that setting. After checking the 'Accept any certificate' box in the configuration, we are now seeing a different error:

2019-09-27 02:22:45,079 WARN  [http-nio-8080-exec-69] Gourav.Singla *16FVOE3x142x16516259x1 dap60t 172.31.192.30,10.153.94.190 "POST /rest/prnfb-admin/1.0/settings/buttons/253f95f3-a613-41e7-bd62-f4e267802442/press/repository/7024/pullrequest/242 HTTP/1.1" c.s.j.s.c.servlet.WebComponent A servlet request, to the URI https://stash.veritas.com/rest/prnfb-admin/1.0/settings/buttons/253f95f3-a613-41e7-bd62-f4e267802442/press/repository/7024/pullrequest/242, contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
2019-09-27 02:22:46,550 ERROR [http-nio-8080-exec-69] Gourav.Singla *16FVOE3x142x16516259x1 dap60t 172.31.192.30,10.153.94.190 "POST /rest/prnfb-admin/1.0/settings/buttons/253f95f3-a613-41e7-bd62-f4e267802442/press/repository/7024/pullrequest/242 HTTP/1.1" se.bjurr.prnfb.http.UrlInvoker 
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <10.209.246.17> doesn't match any of the subject alternative names: []
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:467)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:325)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
        at se.bjurr.prnfb.http.UrlInvoker.doInvoke(UrlInvoker.java:376)
        at se.bjurr.prnfb.http.UrlInvoker.invoke(UrlInvoker.java:182)
        at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener$1.invoke(PrnfbPullRequestEventListener.java:100)
        at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener.notify(PrnfbPullRequestEventListener.java:324)
        at se.bjurr.prnfb.service.ButtonsService.doHandlePressed(ButtonsService.java:106)
        at se.bjurr.prnfb.service.ButtonsService.handlePressed(ButtonsService.java:158)
        at se.bjurr.prnfb.presentation.ButtonServlet.press(ButtonServlet.java:176)
        at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
        at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
        at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
        at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
        at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
        at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:92)
        at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
        at com.atlassian.bitbucket.internal.xcode.web.XcodeUserAgentFilter.doFilter(XcodeUserAgentFilter.java:36)
        at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
        at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81)
        at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
        at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:85)
        at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:112)
        at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75)
        at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94)
        at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67)
        at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
        at com.atlassian.plugin.connect.plugin.auth.oauth2.DefaultSalAuthenticationFilter.doFilter(DefaultSalAuthenticationFilter.java:69)
        at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109)
        at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:32)
        at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:38)
        at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
        at com.atlassian.bitbucket.internal.scm.git.lfs.servlet.filter.GitLfsLockingFilter.doFilter(GitLfsLockingFilter.java:50)
        at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
        at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
        at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
        at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:90)
        at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        ... 246 frames trimmed

@tomasbjerre
Copy link
Owner

You can google that: https://lmgtfy.com/?q=%22javax.net.ssl.SSLPeerUnverifiedException%3A+Certificate+for%22+%22doesn%27t+match+any+of+the+subject+alternative+names%3A%22

@mrbball17
Copy link
Author

Yes, I googled that. Unfortunately, that didn't do me much good. I didn't find much (if any) helpful information, at least none that I could interpret. I'm not any kind of an SSL expert, so it wasn't clear to me if I need to do something on my Bitbucket server or not, or if the user needs to configure something on the server receiving the notification.

@tomasbjerre
Copy link
Owner

Perhaps a change is needed in the plugin. Found this: https://stackoverflow.com/questions/39762760/javax-net-ssl-sslexception-certificate-doesnt-match-any-of-the-subject-alterna

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tomasbjerre @mrbball17