Puppet / PUP-10721

http_instance cannot ignore cert verification in puppetserver

Details

    • Bug
    • Status: Accepted
    • Normal
    • Resolution: Unresolved
    • Coremunity
    • Needs Assessment

    Description

      Puppet Version: 6.17.0
      Puppet Server Version: 2019.8.0.37
      OS Name/Version: Ubuntu 18.04

      When attempting to use Puppet::Network::HttpPool.http_instance to perform an HTTP request to an HTTPS URL, setting the 'verify_peer' parameter to false to ignore certificate verification does not work.

      Desired Behavior: This wrapper should be capable of doing HTTPS requests that ignore cert verification. Otherwise, it is impossible to use it for doing requests against endpoints that use self-signed certs.

      Actual Behavior:

      The attempt to ignore cert verification results in an error when the call is invoked.

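      The following call results in the error text below:

      # uri and body are defined earlier in the calling code
      use_ssl = true
      validate_cert = false  # passed as the verify_peer argument
      conn = Puppet::Network::HttpPool.http_instance(uri.host,
                                                     uri.port,
                                                     use_ssl,
                                                     validate_cert)
      headers = {
        'Content-Type' => 'application/json'
      }
      # POST the JSON-encoded body; this is the call that raises the error
      conn.post("#{uri.path}?#{uri.query}", body.to_json, headers)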

      2020-10-19T21:16:18.987Z WARN [qtp2062408424-41] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
       javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
       at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
       at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
       at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
       at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
       at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
       at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
       at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
       at java.base/java.security.AccessController.doPrivileged(Native Method)
       at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
       at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:281)
       at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:339)
       at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:503)
       at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
       at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
       at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
       at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
       at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
       at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
       at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
       at java.base/java.lang.Thread.run(Thread.java:834)
       Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
       at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
       at java.base/sun.security.validator.Validator.validate(Validator.java:264)
       at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
       at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
       at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
       at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:623)
       ... 19 common frames omitted
       Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
       at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
       at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
       at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
       ... 25 common frames omitted
       Puppet::Server::HttpClientError: Error executing http request
       from uri:classloader:/puppetserver-lib/puppet/server/http_client.rb:202:in `client_post'
       Caused by Java::ComPuppetlabsHttpClient::HttpClientException: Error executing http request
       from com.puppetlabs.http.client.impl.PersistentSyncHttpClient.request(com/puppetlabs/http/client/impl/PersistentSyncHttpClient.java:52)
       Caused by Java::JavaxNetSsl::SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       from java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
       Caused by Java::SunSecurityValidator::ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       from java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
       Caused by Java::SunSecurityProviderCertpath::SunCertPathBuilderException: unable to find valid certification path to requested target
       from java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
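
Added example (not part of the ticket, and not Puppet's code): for an endpoint that presents a self-signed certificate, an alternative to turning verification off is to keep VERIFY_PEER and trust only that one certificate. It uses Ruby's standard OpenSSL and Net::HTTP rather than HttpPool; the host name, port and generated certificates are constructed placeholders, and all function names are hypothetical.

```ruby
require 'openssl'
require 'net/http'

# Build a throwaway self-signed certificate (constructed sample data).
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Trust store that contains only the certificates passed in (no system CAs).
def pinned_store(*certs)
  store = OpenSSL::X509::Store.new
  certs.each { |c| store.add_cert(c) }
  store
end

# Configure a Net::HTTP object so verification stays on, anchored to the store.
def apply_pinned_tls(http, store)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = store
  http
end

# True only if the certificate chains to something in the pinned store.
def trusted?(store, cert)
  store.verify(cert)
end

ENDPOINT_CERT = make_self_signed('internal.example.test') # the cert we pin
OTHER_CERT    = make_self_signed('internal.example.test') # same name, different key
STORE         = pinned_store(ENDPOINT_CERT)

# No connection is opened here; Net::HTTP.new only builds the client object.
HTTP = apply_pinned_tls(Net::HTTP.new('internal.example.test', 8443), STORE)
```

In a real deployment the pinned certificate would be loaded from a PEM file obtained out of band instead of being generated in the script.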

          People

            Unassigned
            William Hurt (william.hurt)
            Votes: 0
            Watchers: 3