Jira P12 client cert auth silently failing

Issue #412 open
Darius Jahandarie created an issue

New user to the vscode plugin here. On vscode 1.44.2, atlascode 2.5.1, Jira v7.13.4, NixOS.

I tried to “add custom Jira site” with a client cert configuration, but it is failing to authenticate.

My P12 bundle doesn’t have a password on it, so I tried putting nothing in the password field in the configuration UI. When I do that, I get the following debug logs when I add the site:

[2020-05-02 14:24:37:805] ---------------------------------------------------------------------- 
[2020-05-02 14:24:37:805] curl -X GET -H "X-Atlassian-Token:no-check" -H "x-atlassian-force-account-id:true" -H "Content-Type:application/json" -H "Authorization:Basic [omitted]" "https://[omitted]/rest/api/2/myself" 
[2020-05-02 14:24:37:805] ---------------------------------------------------------------------- 
[2020-05-02 14:24:37:884]   Error: Error authenticating with Jira: Error: socket hang up
[2020-05-02 14:24:37:884]  Error: Authentication error: Error authenticating with Jira: Error: socket hang up

This is approximately what happens if I directly run that curl command (since it doesn’t specify the client cert in it, and the TLS handshake fails). If I run the same curl command with --cert-type P12 --cert [path] it works fine.

I tried putting in a bogus password for the P12 file in the UI, and that causes the following to happen:

[2020-05-02 14:25:53:275] ---------------------------------------------------------------------- 
[2020-05-02 14:25:53:275] curl -X GET -H "X-Atlassian-Token:no-check" -H "x-atlassian-force-account-id:true" -H "Content-Type:application/json" -H "Authorization:Basic [omitted]" "https://[omitted]/rest/api/2/myself" 
[2020-05-02 14:25:53:275] ---------------------------------------------------------------------- 

Which looks like it might be succeeding, but nothing further happens, and the custom Jira site remains unadded. This seems like a silent failure of some sort.

No idea what’s going on here, nor how to get more useful logs, so I’d appreciate any help. Thanks!

Comments (9)

  1. Darius Jahandarie reporter

    Thanks for the response @Nick Rundquist – I was using P12 because the GUI instructs me to “Use custom client-side certificates (CA certificates bundled in PKCS#12 (pfx)”, and “The absolute path to your custom pfx file”.

    Regarding your suggestion, I tried it with a PEM file, and I got the following:

    [2020-05-05 20:38:25:069] ----------------------------------------------------------------------
    [2020-05-05 20:38:25:069] curl -X GET -H "X-Atlassian-Token:no-check" -H "x-atlassian-force-account-id:true" -H "Content-Type:application/json" -H "Authorization:Basic [omitted]" "https://[omitted]/rest/api/2/myself"
    [2020-05-05 20:38:25:069] ----------------------------------------------------------------------

    and no further output.

    Any thoughts?

  2. Jonathan Doklovic Account Deactivated

    @Darius Jahandarie You do indeed need a pfx/p12 file.
    I’m not sure what exactly is going on, but you might try providing a bogus pfxpassphrase. If that doesn’t work, you might want to try generating the pfx again using a passphrase and then putting that in the pfxpassphrase box.

    I believe we have a ticket on our backlog to not require a passphrase.

    At any rate, the pfx is used in the http.Agent config:

    pfx <string> | <string[]> | <Buffer> | <Buffer[]> | <Object[]> PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.

    from: https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options

  3. Darius Jahandarie reporter

    @{557057:3695b794-cde3-43a2-99aa-c0fc6151b754} Hmm:

    1. I tried creating another p12 file with a password, and using that password, and I get the same socket hang up issue.
    2. I’m not using any proxies at all, but just in case I tried setting the NO_PROXY variable to the relevant domain, and that had no effect.
    3. One thing that might be relevant is that the domain’s DNS is specified in my resolv.conf. Is it possible that vscode is doing its own DNS lookup that ignores resolv.conf somehow?

  4. Jonathan Doklovic Account Deactivated

    @Darius Jahandarie I can’t say for sure, but resolv.conf/custom DNS could definitely throw things off. A few things to consider:

    • NodeJS only loads resolv.conf on startup and won’t re-read it.
    • NodeJS (seemingly) doesn’t consider secondary DNS and only tries the primary.
    • NodeJS tries to mimic what the system resolver does, but has its own implementation.

    see: https://nodejs.org/api/dns.html#dns_implementation_considerations

    Is the entry in your resolv.conf a secondary lookup?

  5. Darius Jahandarie reporter

    @{557057:3695b794-cde3-43a2-99aa-c0fc6151b754} Err, my brain was not working for a moment there, I meant to say /etc/hosts — and indeed I see in the docs you linked that Node doesn’t read from /etc/hosts, which I think is the answer to this conundrum!

  6. Jonathan Doklovic Account Deactivated

    @Darius Jahandarie Ok, that makes sense. Do you have both IP and hostname in your /etc/hosts ?

    Also, have you just tried authenticating using the IP ?
