Pushing to a private registry fails due to missing SNI

See original GitHub issue

Description of the issue: If a private registry is hidden behind a reverse proxy using SNI, the request fails with an SSLException. The proxy cannot identify the requested host and therefore returns a default page with a different certificate.

Steps to reproduce:

  1. Set up private registry
  2. Front registry with reverse proxy using SNI for determining upstream registry
  3. Provide fallback page on reverse proxy with different SSL certificate domain
  4. Push to private registry

Environment:

Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T09:58:13+02:00)
Maven home: /usr/local/Cellar/maven/3.5.2/libexec
Java version: 1.8.0_112, vendor: Oracle Corporation
Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.13.5", arch: "x86_64", family: "mac"

jib-maven-plugin Configuration:

<plugin>
    <groupId>com.google.cloud.tools</groupId>
    <artifactId>jib-maven-plugin</artifactId>
    <version>0.9.4</version>
    <configuration>
        <to>
            <image>${docker.registry}/${docker.image.namespace}/${project.parent.artifactId}</image>
        </to>
    </configuration>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>build</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Log output:

Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <docker.---.com> != <*.fra.de.---.com> OR <*.fra.de.---.com> OR <fra.de.---.com>
    at org.apache.http.conn.ssl.AbstractVerifier.verify (AbstractVerifier.java:220)
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify (BrowserCompatHostnameVerifier.java:54)
    at org.apache.http.conn.ssl.AbstractVerifier.verify (AbstractVerifier.java:149)
    at org.apache.http.conn.ssl.AbstractVerifier.verify (AbstractVerifier.java:130)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket (SSLSocketFactory.java:339)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection (DefaultClientConnectionOperator.java:123)
    at org.apache.http.impl.conn.AbstractPoolEntry.open (AbstractPoolEntry.java:147)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open (AbstractPooledConnAdapter.java:108)
    at org.apache.http.impl.client.DefaultRequestDirector.execute (DefaultRequestDirector.java:415)
    at org.apache.http.impl.client.AbstractHttpClient.execute (AbstractHttpClient.java:641)
    at org.apache.http.impl.client.AbstractHttpClient.execute (AbstractHttpClient.java:576)
    at org.apache.http.impl.client.AbstractHttpClient.execute (AbstractHttpClient.java:554)
    at com.google.api.client.http.apache.ApacheHttpRequest.execute (ApacheHttpRequest.java:65)
    at com.google.api.client.http.HttpRequest.execute (HttpRequest.java:981)
    at com.google.cloud.tools.jib.http.Connection.send (Connection.java:124)
    at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:169)
    at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:139)
    at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:338)
    at com.google.cloud.tools.jib.registry.RegistryClient.getRegistryAuthenticator (RegistryClient.java:194)
    at com.google.cloud.tools.jib.registry.RegistryAuthenticators.forOther (RegistryAuthenticators.java:48)
    at com.google.cloud.tools.jib.builder.steps.AuthenticatePushStep.call (AuthenticatePushStep.java:82)
    at com.google.cloud.tools.jib.builder.steps.AuthenticatePushStep.call (AuthenticatePushStep.java:43)
    at com.google.common.util.concurrent.CombinedFuture$CallableInterruptibleTask.runInterruptibly (CombinedFuture.java:181)
    at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:57)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:617)
    at java.lang.Thread.run (Thread.java:745)

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments:5 (3 by maintainers)

Top GitHub Comments

1 reaction
fassmus commented, Jul 13, 2018

OK, I did some more digging and found the issue. It was a bug in Oracle JDK below version 8u141. When using a custom HostnameVerifier, SNI was disabled by accident. I upgraded my JDK and now it works.

https://bugs.java.com/view_bug.do?bug_id=JDK-8144566

Thanks for your help.
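The two halves of this failure, the hostname check that produced the "hostname in certificate didn't match" error in the issue body and the missing SNI that the comment above identifies as the root cause, can be exercised with a small diagnostic. The following is an added example written for this page, not code from the Jib project or from either commenter: `hostname_matches` reimplements the RFC 6125 matching rules that a hostname verifier applies (runnable offline), and `probe_sni_dependence` connects to a host twice, once with and once without the SNI extension, and reports whether the proxy serves a different certificate when SNI is absent. All host names in the file (`docker.example.test`, `*.fra.de.example.test`) are constructed placeholders for the redacted names in the log; the `cafile` parameter is an assumption for proxies whose fallback certificate is not issued by a public CA.

```python
"""Diagnose an SNI-dependent reverse proxy in front of a container registry.

Added example, not code from the Jib project or the issue author. It
reproduces offline the RFC 6125 hostname check behind the
"hostname in certificate didn't match" error, and probes a server with and
without SNI to show why a client that omits SNI receives the proxy's fallback
certificate. All host names here are constructed placeholders.
"""
import socket
import ssl
import sys


def hostname_matches(hostname: str, dns_names) -> bool:
    """Return True if any certificate dNSName covers ``hostname``.

    Usual RFC 6125 rules: comparison is case-insensitive, a wildcard is
    honoured only as the entire left-most label, it matches exactly one
    label (never across a dot), and a bare "*.tld" is rejected.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host_labels:
                return True
            continue
        # Wildcard names: "*" must be the whole first label, no other label
        # may contain "*", and at least two more labels must follow it.
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            continue
        if len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def san_dns_names(cert: dict) -> list:
    """Extract dNSName entries from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_peer_cert(host: str, port: int = 443, send_sni: bool = True,
                    timeout: float = 5.0, cafile=None) -> dict:
    """Handshake with ``host`` and return the certificate it presented.

    The chain is still validated (CERT_REQUIRED), so a forged certificate is
    rejected; only the hostname check is left to the caller, so that a
    fallback certificate for a *different* name can be observed instead of
    causing an early failure. With ``send_sni=False`` no server_name
    extension is sent, mimicking the pre-8u141 JDK client in the thread.
    ``cafile`` (assumed parameter) lets you trust a private CA for the probe.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # hostname_matches() is applied by the caller
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain validation stays on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()


def probe_sni_dependence(host: str, port: int = 443, cafile=None) -> dict:
    """Compare the names the server presents with and without SNI.

    A proxy that selects the upstream by SNI usually returns its default
    virtual host's certificate when no SNI is sent; a client omitting SNI
    then fails hostname verification exactly as in the Jib log.
    """
    with_sni = san_dns_names(fetch_peer_cert(host, port, True, cafile=cafile))
    without_sni = san_dns_names(fetch_peer_cert(host, port, False, cafile=cafile))
    return {
        "names_with_sni": with_sni,
        "names_without_sni": without_sni,
        "matches_with_sni": hostname_matches(host, with_sni),
        "matches_without_sni": hostname_matches(host, without_sni),
        "sni_dependent": with_sni != without_sni,
    }


if __name__ == "__main__":
    # Usage: python probe_sni.py registry.example.test [port] [ca.pem]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    for key, value in probe_sni_dependence(target, target_port, ca).items():
        print(f"{key}: {value}")
```

If the probe reports `sni_dependent: True` together with `matches_without_sni: False`, the proxy behaves like the one in this issue, and any client that fails to send SNI (such as the affected JDK with a custom HostnameVerifier) will be handed the fallback certificate and correctly refuse it. The chain check is deliberately left on: disabling verification to "see" the certificate would also hide a genuinely wrong certificate.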

0 reactions
coollog commented, Jul 13, 2018

Ah right, I missed "Provide fallback page on reverse proxy with different SSL certificate domain". This seems a bit off to me though. It doesn't seem secure to accept a different domain for SSL verification than the domain that was requested. @GoogleContainerTools/java-tools
