Support for self signed certificates


Description of the issue: When an (internal) Docker registry is using self-signed certificates (or certificates signed with the corporation’s own root certificate, which is not trusted by Java), jib immediately tries an http connection (according to https://github.com/GoogleContainerTools/jib/blob/master/jib-core/src/main/java/com/google/cloud/tools/jib/registry/RegistryEndpointCaller.java#L219), which is not available in the registry.

Current implementation throws error:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.2:build (default-cli) on project jib-test-project: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter ‘allowInsecureRegistries’: Only secure connections are allowed, but tried to reach URL http://openshift-redhat-registry/v2/testProject/test-container/manifests/latest -> [Help 1]

Expected behavior: The allowInsecureRegistries parameter should also allow https connections with self-signed certificates, and not drop directly to http.

Steps to reproduce: mvn compile jib:build with configuration set to point to registry using self signed certificates.

Environment:

Apache Maven 3.5.0 (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T22:39:06+03:00)
Java version: 1.8.0_131, vendor: Oracle Corporation
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"

jib-maven-plugin Configuration:

<configuration>
	<from>
		<image>openshift-redhat-registry/testProject/test-container</image>
	</from>
	<to>
		<image>openshift-redhat-registry/testProject/${project.artifactId}:${project.version}</image>
	</to>
	<container>
		<jvmFlags>
			<jvmFlag>-Xms512m</jvmFlag>
		</jvmFlags>
	</container>
</configuration>

Log output:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.2:build (default-cli) on project jib-test-project: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter ‘allowInsecureRegistries’: Only secure connections are allowed, but tried to reach URL http://openshift-redhat-registry/v2/testProject/test-container/manifests/latest -> [Help 1]

Additional Information: The actual error causing the change to http is:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.4-SNAPSHOT:build (default-cli) on project jib-test-project: Build image failed: peer not authenticated -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.4-SNAPSHOT:build (default-cli) on project jib-test-project: Build image failed
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: Build image failed
	at com.google.cloud.tools.jib.maven.BuildImageMojo.execute(BuildImageMojo.java:132)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
	... 20 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
	at com.google.api.client.http.apache.ApacheHttpRequest.execute(ApacheHttpRequest.java:65)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:981)
	at com.google.cloud.tools.jib.http.Connection.send(Connection.java:124)
	at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:169)
	at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:139)
	at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint(RegistryClient.java:321)
	at com.google.cloud.tools.jib.registry.RegistryClient.pullManifest(RegistryClient.java:196)
	at com.google.cloud.tools.jib.registry.RegistryClient.pullManifest(RegistryClient.java:204)
	at com.google.cloud.tools.jib.builder.steps.PullBaseImageStep.pullBaseImage(PullBaseImageStep.java:146)
	at com.google.cloud.tools.jib.builder.steps.PullBaseImageStep.call(PullBaseImageStep.java:105)
	at com.google.cloud.tools.jib.builder.steps.PullBaseImageStep.call(PullBaseImageStep.java:51)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:127)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:57)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:80)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 14 (12 by maintainers)

Top GitHub Comments

3 reactions
Hi-Fi commented, Jul 12, 2018

I think that relying on Docker certs is not necessarily a good thing, as at least our use case is to use JIB in environments where it is not so easy to build Docker containers (e.g. Jenkins slaves running on OpenShift and developer computers with Windows without admin rights). So the best would be some Maven configuration parameter that goes all the way down to the httpClient used and ignores the incorrect and also insecure certificates (e.g. ones using SHA-1).

@velo That seems to work (tried that yesterday with keytool and it wasn’t working for some reason). This helps with checking things more, but still requires that custom cacerts injection into the slave. Thank you for that tool, it’s nicer to use than the CLI one.

1 reaction
chanseokoh commented, Jul 18, 2018

FTR, #643 will fix this.
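
The trust-store route discussed in the comments above (adding the registry's CA with keytool rather than ignoring certificate errors), as an added example that is not part of the issue thread or of the Jib project. It builds a per-user trust store and hands it to the Maven JVM, so no admin rights or changes to the JDK's cacerts are needed. Assumptions: a JDK on PATH, the stock cacerts password `changeit`, and a plugin that uses the JVM's default JSSE trust store; the alias, file names and passwords are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the issue thread. Per-user trust store holding the
# JDK's default CAs plus one internal CA; nothing under JAVA_HOME is modified.

# Path of the running JVM's default cacerts (java.home is .../jre on JDK 8).
default_cacerts() {
  local home
  home=$(java -XshowSettings:properties -version 2>&1 |
    sed -n 's/^ *java\.home = //p')
  printf '%s\n' "$home/lib/security/cacerts"
}

# make_truststore CA_PEM OUT_STORE PASSWORD
make_truststore() {
  local ca_pem="$1" out="$2" pass="$3"
  rm -f "$out"
  # Copy the default CAs, then add the internal CA under a hypothetical alias.
  keytool -importkeystore -noprompt \
    -srckeystore "$(default_cacerts)" -srcstorepass changeit \
    -destkeystore "$out" -deststoretype PKCS12 -deststorepass "$pass" \
    >/dev/null 2>&1 || return 1
  keytool -importcert -noprompt -alias internal-registry-ca \
    -file "$ca_pem" -keystore "$out" -storepass "$pass" >/dev/null 2>&1
}

# Succeeds only if the internal CA alias is present in the store.
truststore_has_ca() {
  keytool -list -alias internal-registry-ca \
    -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# JVM flags that point Maven and the plugins it runs at the store.
maven_trust_opts() {
  printf '%s %s %s\n' "-Djavax.net.ssl.trustStore=$1" \
    "-Djavax.net.ssl.trustStorePassword=$2" "-Djavax.net.ssl.trustStoreType=PKCS12"
}

# Constructed demo (DEMO=1): a throwaway self-signed cert stands in for the CA.
if [ "${DEMO:-}" = 1 ]; then
  tmp=$(mktemp -d)
  keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -validity 1 \
    -dname "CN=Constructed Demo CA" -storetype PKCS12 \
    -keystore "$tmp/demo.p12" -storepass demopass -keypass demopass
  keytool -exportcert -rfc -alias demo -keystore "$tmp/demo.p12" \
    -storepass demopass -file "$tmp/ca.pem"
  make_truststore "$tmp/ca.pem" "$tmp/trust.p12" demopass &&
    truststore_has_ca "$tmp/trust.p12" demopass &&
    echo "MAVEN_OPTS=\"$(maven_trust_opts "$tmp/trust.p12" demopass)\""
fi
```

Certificate chain and hostname verification stay enabled with this approach; the only change is one additional trusted root, which is a narrower grant than a switch that accepts any certificate.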
