Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

-Djib.allowInsecureRegistries=true does not seems to work

See original GitHub issue

Environment: Docker image: gcr.io/cloud-builders/mvn

Jib version: 1.6.1
*Build tool: Maven
OS: Docker Container

Description of the issue:

I am trying to use the -Djib.allowInsecureRegistries=true option to my tool and I am getting an error of this type when using it :

building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am using it while building a sample helloworld application https://github.com/che-samples/console-java-simple

Expected behavior:

Working

Steps to reproduce:

Checkout https://github.com/che-samples/console-java-simple
docker run -v it to /builder/home
Run

    - mvn
    - compile
    - com.google.cloud.tools:jib-maven-plugin:build
    - -Duser.home=/builder/home
    - -Dimage=image-registry.openshift-image-registry.svc:5000/test/image
    - -Djib.allowInsecureRegistries=true

Log output:

Full log output

[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/com/google/cloud/tools/jib-maven-plugin/maven-metadata.xml
Progress (1): 1.5 kB
Downloaded from central: https://repo.maven.apache.org/maven2/com/google/cloud/tools/jib-maven-plugin/maven-metadata.xml (1.5 kB at 2.5 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/com/google/cloud/tools/jib-maven-plugin/1.6.1/jib-maven-plugin-1.6.1.pom
Progress (1): 2.2/3.5 kB
Progress (1): 3.5 kB
[…]
[INFO] Containerizing application to image-registry.openshift-image-registry.svc:5000/tekton-pipelines/console-java-simple…
[INFO] Retrieving registry credentials for image-registry.openshift-image-registry.svc:5000…
[INFO] Getting base image gcr.io/distroless/java:8…
[INFO] Building resources layer…
[INFO] Building classes layer…
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  16.607 s
[INFO] Finished at: 2019-10-17T14:02:14Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.6.1:build (default-cli) on project console-java-simple: Build image failed: Failed to authenticate with registry image-registry.openshift-image-registry.svc:5000/tekton-pipelines/console-java-simple because: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Issue Analytics

State:
Created 4 years ago
Comments:20 (11 by maintainers)

Top GitHub Comments

2reactions

chanseokohcommented, Oct 25, 2019

Thanks @chmouel. The cause is what I suspected before, which is more or less an intended behavior that, although Jib allows talking to insecure registries, it won’t allow token exchanges with auth servers which may be a separate auth/login server. But for practical purposes, I am now convinced it is reasonable to lift this restriction. #2100 will fix this.

2reactions

chmouelcommented, Oct 25, 2019

Yes no worries, I can help with that, I have tried again -DsendCredentialsOverHttp=true and I am still getting the :

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.7.0:build (default-cli) on project console-java-simple: Build image failed: Failed to authenticate with registry image-registry.openshift-image-registry.svc:5000/che-console-java-simple because: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

The full debug with -X is here debug-file-X.txt

This is indeed with tekton.

If you have a tekton (kubectl create -f https://raw.githubusercontent.com/openshift/tektoncd-pipeline/release-v0.7.0/openshift/release/tektoncd-pipeline-v0.7.0.yaml) and an openshift (you can get one for free here https://try.openshift.com) installed you can easily test the task with these templates (to apply in order):

task.yaml resources.yaml run.yaml

which would push to the internal openshfit registry

Top Results From Across the Web

Djib.allowInsecureRegistries=true does not seems to work

Environment: Docker image: gcr.io/cloud-builders/mvn. Jib version: 1.6.1. *Build tool: Maven. OS: Docker Container.

google/jib - Gitter

I was just noting that doing something else does not seem to work. That is if I add the command to the deployment...

Failure on Push to Docker Registry using 'mvn compile jib:build '

Looks like some config that I'm missing when using JIB that does not connect to 'example.registry.com' securely. Google Cloud Collective. maven ...

Test an insecure registry - Docker Documentation

This procedure configures Docker to entirely disregard security for your registry. This is very insecure and is not recommended. It exposes your registry...

Container Registries, Minikube and Authorization

Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter 'allowInsecureRegistries'.