Missing Certificate Chain to AWS ECR
Issue #18
resolved
I'm not sure where to ask this as there are a lot of moving parts, but since I started with the example hosted here, I'll start here.
Versions Used...
Java
openjdk 12.0.2 2019-07-16
OpenJDK Runtime Environment (build 12.0.2+10)
OpenJDK 64-Bit Server VM (build 12.0.2+10, mixed mode, sharing)
Gradle
------------------------------------------------------------
Gradle 5.6
------------------------------------------------------------
Build time: 2019-08-14 21:05:25 UTC
Revision: f0b9d60906c7b8c42cd6c61a39ae7b74767bb012
Kotlin: 1.3.41
Groovy: 2.5.4
Ant: Apache Ant(TM) version 1.9.14 compiled on March 12 2019
JVM: 12.0.2 (Oracle Corporation 12.0.2+10)
OS: Mac OS X 10.14.6 x86_64
Docker: Docker version 18.09.5, build e8ff056
AWS-CLI: aws-cli/1.16.199 Python/2.7.10 Darwin/18.7.0 botocore/1.12.189
build.gradle
plugins {
    id "com.bmuschko.docker-remote-api" version "5.0.0"
    id "com.patdouble.awsecr" version "0.5.2"
}
docker {
    url = 'https://011447054295.dkr.ecr.us-west-2.amazonaws.com'
}
// Import task types
import com.bmuschko.gradle.docker.tasks.image.*
// Use task types
task buildImage(type: DockerBuildImage) {
    inputDir = file('../automatic')
    tags.add('011447054295.dkr.ecr.us-west-2.amazonaws.com/devops-application:latest')
}
Exception that I receive
11:50:49.137 [ERROR] [com.github.dockerjava.core.async.ResultCallbackTemplate] Error during callback
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at com.github.dockerjava.shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at com.github.dockerjava.shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at com.github.dockerjava.shaded.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at com.github.dockerjava.shaded.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at com.github.dockerjava.shaded.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
at com.github.dockerjava.shaded.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at com.github.dockerjava.shaded.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at com.github.dockerjava.shaded.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at com.github.dockerjava.shaded.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at com.github.dockerjava.shaded.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at com.github.dockerjava.shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
at com.github.dockerjava.shaded.org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:450)
at com.github.dockerjava.shaded.org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278)
at com.github.dockerjava.shaded.org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:767)
at com.github.dockerjava.shaded.org.glassfish.jersey.internal.Errors.process(Errors.java:316)
at com.github.dockerjava.shaded.org.glassfish.jersey.internal.Errors.process(Errors.java:298)
at com.github.dockerjava.shaded.org.glassfish.jersey.internal.Errors.process(Errors.java:229)
at com.github.dockerjava.shaded.org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:414)
at com.github.dockerjava.shaded.org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:765)
at com.github.dockerjava.shaded.org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:456)
at com.github.dockerjava.shaded.org.glassfish.jersey.client.JerseyInvocation$Builder.post(JerseyInvocation.java:357)
at com.github.dockerjava.jaxrs.async.POSTCallbackNotifier.response(POSTCallbackNotifier.java:29)
at com.github.dockerjava.jaxrs.async.AbstractCallbackNotifier.call(AbstractCallbackNotifier.java:50)
at com.github.dockerjava.jaxrs.async.AbstractCallbackNotifier.call(AbstractCallbackNotifier.java:24)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:835)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:384)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:289)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625)
... 38 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:379)
... 44 more
https://gist.github.com/gbonk/e4d145552f16ef7767c3a0c0d19b56e1
Things I have tried
I added the certificate chain to the JDK
cd /Library/Java/JavaVirtualMachines/openjdk-12.0.2.jdk/Contents/Home/lib/security
openssl s_client -connect 011447054295.dkr.ecr.us-west-2.amazonaws.com:443 </dev/null -prexit -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > amazon.cert
sudo keytool -importcert -alias amazon -file amazon.cert -cacerts
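Added example, not part of the original issue or of the plugin's code: the `sed` filter above writes every certificate the server sent into one file, while `keytool -importcert` creates a trusted-certificate entry from one certificate per alias, so a practitioner would split the bundle and review each certificate before importing it. The function names and the sample bundle are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and the sample bundle are hypothetical/constructed.

# split_chain BUNDLE OUTDIR: write each PEM block to OUTDIR/cert-N.pem and print
# the count. cert-0 is the first certificate sent, normally the server's leaf.
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { if (inside) { close(out); n++ }; inside = 0 }
        END                           { print n + 0 }
    ' "$1"
}

# describe_chain OUTDIR: show what each file is before deciding to trust it.
describe_chain() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256
    done
}

# import_chain OUTDIR KEYSTORE PREFIX: one alias per certificate (PREFIX-0, ...).
# keytool prompts for the keystore password.
import_chain() {
    i=0
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        keytool -importcert -noprompt -alias "$3-$i" -file "$f" -keystore "$2" || return 1
        i=$((i + 1))
    done
}

# make_sample_bundle FILE: constructed stand-in for the sed output above. The
# bodies are placeholders, not real certificates, so they only exercise
# split_chain; describe_chain and import_chain need a real bundle.
make_sample_bundle() {
    : > "$1"
    for body in QUFBQQ== QkJCQg== Q0NDQw==; do
        printf '%s\n' 'text outside a PEM block' '-----BEGIN CERTIFICATE-----' \
            "$body" '-----END CERTIFICATE-----' >> "$1"
    done
}
```

Run `describe_chain` on the split output and compare the SHA-256 fingerprints with values obtained through a separate channel before calling `import_chain`, ideally against a copy of `cacerts` first.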
Comments (2)
repo owner - changed status to resolved
Closing because this is something that is addressed with the JDK install, not the plugin. I noticed in the SDKMAN java list there is an Amazon provided JDK, perhaps their cert is pre-installed.
See my resolution here…
https://github.com/bmuschko/gradle-docker-plugin/issues/847#issuecomment-526422494