Missing Certificate Chain to AWS ECR

Issue #18 resolved
Former user created an issue

I'm not sure where to ask this as there are a lot of moving parts, but since I started with the example hosted here, I'll start here.

Versions used

Java


openjdk 12.0.2 2019-07-16
OpenJDK Runtime Environment (build 12.0.2+10)
OpenJDK 64-Bit Server VM (build 12.0.2+10, mixed mode, sharing)

Gradle

------------------------------------------------------------
Gradle 5.6
------------------------------------------------------------

Build time:   2019-08-14 21:05:25 UTC
Revision:     f0b9d60906c7b8c42cd6c61a39ae7b74767bb012

Kotlin:       1.3.41
Groovy:       2.5.4
Ant:          Apache Ant(TM) version 1.9.14 compiled on March 12 2019
JVM:          12.0.2 (Oracle Corporation 12.0.2+10)
OS:           Mac OS X 10.14.6 x86_64

Docker: Docker version 18.09.5, build e8ff056

AWS-CLI: aws-cli/1.16.199 Python/2.7.10 Darwin/18.7.0 botocore/1.12.189

build.gradle

plugins {
  id "com.bmuschko.docker-remote-api" version "5.0.0"
  id "com.patdouble.awsecr" version "0.5.2"
}

docker {
  url = 'https://011447054295.dkr.ecr.us-west-2.amazonaws.com'
}

// Import task types
import com.bmuschko.gradle.docker.tasks.image.*

// Use task types
task buildImage(type: DockerBuildImage) {
    inputDir = file('../automatic')
    tags.add('011447054295.dkr.ecr.us-west-2.amazonaws.com/devops-application:latest')
}

Exception that I receive

11:50:49.137 [ERROR] [com.github.dockerjava.core.async.ResultCallbackTemplate] Error during callback
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
        at com.github.dockerjava.shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
        at com.github.dockerjava.shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
        at com.github.dockerjava.shaded.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        at com.github.dockerjava.shaded.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
        at com.github.dockerjava.shaded.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
        at com.github.dockerjava.shaded.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
        at com.github.dockerjava.shaded.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
        at com.github.dockerjava.shaded.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at com.github.dockerjava.shaded.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at com.github.dockerjava.shaded.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at com.github.dockerjava.shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
        at com.github.dockerjava.shaded.org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:450)
        at com.github.dockerjava.shaded.org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278)
        at com.github.dockerjava.shaded.org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:767)
        at com.github.dockerjava.shaded.org.glassfish.jersey.internal.Errors.process(Errors.java:316)
        at com.github.dockerjava.shaded.org.glassfish.jersey.internal.Errors.process(Errors.java:298)
        at com.github.dockerjava.shaded.org.glassfish.jersey.internal.Errors.process(Errors.java:229)
        at com.github.dockerjava.shaded.org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414)
        at com.github.dockerjava.shaded.org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:765)
        at com.github.dockerjava.shaded.org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:456)
        at com.github.dockerjava.shaded.org.glassfish.jersey.client.JerseyInvocation$Builder.post(JerseyInvocation.java:357)
        at com.github.dockerjava.jaxrs.async.POSTCallbackNotifier.response(POSTCallbackNotifier.java:29)
        at com.github.dockerjava.jaxrs.async.AbstractCallbackNotifier.call(AbstractCallbackNotifier.java:50)
        at com.github.dockerjava.jaxrs.async.AbstractCallbackNotifier.call(AbstractCallbackNotifier.java:24)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:835)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:384)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:289)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625)
        ... 38 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:379)
        ... 44 more

https://gist.github.com/gbonk/e4d145552f16ef7767c3a0c0d19b56e1

Things I have tried

I added the certificate chain to the JDK

cd /Library/Java/JavaVirtualMachines/openjdk-12.0.2.jdk/Contents/Home/lib/security
openssl s_client -connect 011447054295.dkr.ecr.us-west-2.amazonaws.com:443 </dev/null -prexit -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > amazon.cert
sudo keytool -importcert -alias amazon -file amazon.cert -cacerts
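As an added example (not from the issue, and not code belonging to either Gradle plugin), the script below runs the three checks worth doing before anything is imported into a trust store: what an `openssl s_client -showcerts | sed` bundle like the one above actually contains, which certificate it is missing, and whether the chain verifies once the right anchor and the intermediates are supplied. It builds a throwaway root/intermediate/leaf chain with openssl so it runs offline; every name in it (`Constructed Test Root CA`, `Constructed Test Intermediate CA`, `registry.example.test`) is made up, and the `truststore.jks` path and `changeit` password are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not code from the issue or from either Gradle plugin.
# Builds a constructed root -> intermediate -> leaf chain with openssl so the
# checks run offline, then shows what an "openssl s_client -showcerts | sed"
# bundle like the issue's contains, which certificate it is missing, and which
# one actually has to be trusted. Every name below is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed chain. The server-side bundle is leaf + intermediate only: a TLS
# server never sends its root, so -showcerts cannot capture the anchor.
make_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:registry.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Test Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext \
    -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Test Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 -sha256 \
    -extfile ca.ext -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=registry.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 -sha256 \
    -extfile leaf.ext -out leaf.pem 2>/dev/null
  cat leaf.pem inter.pem > chain.pem
)

# Split a PEM bundle into one file per certificate and print the count.
# keytool -importcert reads only the FIRST certificate in a file, so a single
# amazon.cert like the issue's imports the leaf and silently ignores the rest.
split_chain() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { close(f); inside = 0 }
    END { print n + 0 }
  ' "$bundle"
}

# Print subject and issuer of every certificate in the bundle, in server order.
describe_chain() {
  tmp=$(mktemp -d)
  split_chain "$1" "$tmp" >/dev/null
  for c in "$tmp"/cert-*.pem; do
    openssl x509 -in "$c" -noout -subject -issuer -nameopt RFC2253 | sed 's/^\([a-z]*\)= */\1: /'
  done
  rm -rf "$tmp"
}

# The issuer of the LAST certificate in the bundle is the root the server did
# not send. That is what the JVM needs to trust, and it must come from a source
# already trusted (OS or JDK bundle, the CA's published roots), not from the
# same connection that could not be verified.
last_issuer() {
  tmp=$(mktemp -d)
  n=$(split_chain "$1" "$tmp")
  openssl x509 -in "$tmp/cert-$n.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
  rm -rf "$tmp"
}

# Mirror the JVM's PKIX path build with openssl: trust anchor, leaf, and the
# intermediates from the bundle as untrusted input. Exit 0 on success.
verify_leaf() {
  anchor="$1"; leaf="$2"; untrusted="${3:-}"
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$anchor" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$anchor" "$leaf" >/dev/null 2>&1
  fi
}

# Import the anchor into a dedicated truststore rather than the JDK's cacerts
# (the issue's "sudo keytool ... -cacerts"), so a JDK upgrade cannot silently
# drop it and the change is scoped to one build. Skipped when no JDK is present.
import_anchor() {
  anchor="$1"; store="$2"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping" >&2; return 0; }
  keytool -importcert -noprompt -alias constructed-root -file "$anchor" \
    -keystore "$store" -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$store" -storepass changeit 2>/dev/null | grep -c trustedCertEntry
}

if [ "${1:-}" = "demo" ]; then
  make_chain
  describe_chain "$WORK/chain.pem"
  echo "anchor needed: $(last_issuer "$WORK/chain.pem")"
  verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem" && echo "root + intermediate: OK"
  verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" || echo "root only, no intermediate: FAIL"
  import_anchor "$WORK/root.pem" "$WORK/truststore.jks"
fi
```

Run it as `sh chain-check.sh demo` (the file name is an assumption). The two `verify_leaf` calls show the same failure mode the JVM reports: the chain builds only when both the trusted root and the server-sent intermediate are available, so a bundle that captured just the leaf, or an import that kept just the leaf, leaves "unable to find valid certification path" in place. Treat the root you import as a trust decision, not a download: fetching it from the very endpoint that failed verification is trust-on-first-use. A dedicated truststore can be handed to Gradle through `org.gradle.jvmargs` in `gradle.properties` (for example `-Djavax.net.ssl.trustStore=/path/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`, paths assumed), but only clients that use the JVM default trust manager will honour it; docker-java in particular reads `ca.pem`, `cert.pem` and `key.pem` from `DOCKER_CERT_PATH` (defaulting to `~/.docker` when those files exist) and builds its own trust store from them, which is worth checking before touching the JDK at all. Separately, in the docker-remote-api plugin `docker.url` is the address of the Docker daemon, while registry endpoints are configured under `registryCredentials`; the `build.gradle` above points `url` at the ECR registry, so the TLS handshake in the stack trace is docker-java trying to treat the registry as a daemon.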

Comments (2)

  1. Patrick Double (repo owner)

    Closing because this is something that is addressed with the JDK install, not the plugin. I noticed in the SDKMAN java list there is an Amazon provided JDK, perhaps their cert is pre-installed.
