I have a Postgres Docker image that I am using and I am enabling SSL on it. I want it to use verify-full because I have a root.crt and want to make sure all the certs that can use SSL are verified. So, in my docker-compose file, I have mounted my server.crt and server.key to /var/ssl and my root.crt to /root/.postgresql.
volumes:
- ~/server_certs:/var/ssl
- ~/root_certs:/root/.postgresql
and the error I get is:
ERROR [2018-07-10 20:28:24,355] org.apache.tomcat.jdbc.pool.ConnectionPool: Unable to create initial connections of pool.
! java.io.FileNotFoundException: /root/.postgresql/root.crt (No such file or directory)
! at java.io.FileInputStream.open0(Native Method)
! at java.io.FileInputStream.open(FileInputStream.java:195)
! at java.io.FileInputStream.<init>(FileInputStream.java:138)
! at java.io.FileInputStream.<init>(FileInputStream.java:93)
! at org.postgresql.ssl.jdbc4.LibPQFactory.<init>(LibPQFactory.java:124)
! ... 32 common frames omitted
! Causing: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
Any help with getting Postgres to find the root.crt would be greatly appreciated (Postgres 10, btw).
As a workaround you can add sslmode=require (no certificate validation!) or sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory (validate certificate using JRE trust store) to your JDBC url.
This behavior and the mentioned workaround are described in https://github.com/pgjdbc/pgjdbc/issues/1307
MuleSoft version: 4.3.0
AWS-RTF EKS
DB: AWS RDS (Aurora MySQL) 5.7
Able to connect to AWS DB from anypoint studio successfully, but unable to connect from RTF EKS Pod.
org.mule.runtime.api.connection.ConnectionException: Could not obtain connection from data source
Caused by: org.mule.db.commons.shaded.api.exception.connection.ConnectionCreationException: Could not obtain connection from data source
Caused by: org.mule.runtime.extension.api.exception.ModuleException: java.sql.SQLException: Cannot get connection for URL jdbc:mysql://<host>:3306/DBNAME?verifyServerCertificate=false&useSSL=true&requireSSL=true : Communications link failure
The last packet successfully received from the server was 99 milliseconds ago. The last packet sent successfully to the server was 94 milliseconds ago.
Caused by: java.sql.SQLException: Cannot get connection for URL jdbc:mysql://<host>:3306/DBNAME?verifyServerCertificate=false&useSSL=true&requireSSL=true : Communications link failure
I'm able to access the DB from EKS by creating a default pod with --image=mysql:5.7. But not from MuleSoft App.
Use cases tried:
1. verifyServerCertificate=false&useSSL=true&requireSSL=true
2. verifyServerCertificate=true&useSSL=true&requireSSL=true. (passing truststore in java arguments )
-Djavax.net.ssl.trustStore=/opt/mule/apps/test-rds/mySqlKeyStore.jks
-Djavax.net.ssl.trustStoreType=JKS
-Djavax.net.ssl.trustStorePassword=xxxxxx
(Generated jks file from .pem file using below commands)
openssl x509 -outform der -in us-west-2-bundle.pem -out us-west-2-bundle.der
keytool -import -alias mysql -keystore mySqlKeyStore -file us-west-2-bundle.der
What else am I missing here? Please help.
I was able to resolve this.
By adding this JVM argument I came to know that it's something related to the SSL handshake: -M-Djavax.net.debug=ssl
It gave debug logs like this:
javax.net.ssl|SEVERE|43|[MuleRuntime].uber.03: [test-rds].uber#org.mule.runtime.module.extension.internal.runtime.config.LifecycleAwareConfigurationInstance.testConnectivity:179 #3781e9a3|2021-12-23 09:55:53.715 PST|TransportContext.java:316|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
After going through this question, it's clear that I need to pass enabledTLSProtocols=TLSv1.2:
Why can Java not connect to MySQL 5.7 after the latest JDK update and how should it be fixed? (ssl.SSLHandshakeException: No appropriate protocol)
So here are the params that I passed in the DB config:
<db:connection-properties >
<db:connection-property key="verifyServerCertificate" value="false" />
<db:connection-property key="useSSL" value="true" />
<db:connection-property key="requireSSL" value="true" />
<db:connection-property key="enabledTLSProtocols" value="TLSv1.2" />
</db:connection-properties>
Even after adding the enabledTLSProtocols flag, if you are getting the error, make sure the DB version is correct (I had an issue between non-prod and prod):
Non-Prod: MySQL 5.7 worked fine
Prod: MySQL 5.6 didn't work even with enabledTLSProtocols. I had to update DB to 5.7 to make it work
Thank you, hope it helps someone.
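Both answers above turn on the same question: which connection properties actually make the driver check the server's certificate. sslmode=require (first thread) and verifyServerCertificate=false (second thread) both give an encrypted session that accepts any certificate the server presents. The script below is an added example written for this page, not code from either post or from the pgjdbc or Connector/J projects. It reads the query string of a JDBC URL and prints a one-line verdict. It assumes the documented parameter names of pgjdbc (ssl, sslmode, sslrootcert, sslfactory) and MySQL Connector/J 5.1 (useSSL, requireSSL, verifyServerCertificate, enabledTLSProtocols), and that pgjdbc looks for its default root certificate at ~/.postgresql/root.crt under the home directory of the user running the JDBC client, which is why mounting root.crt into the postgres container does not help the Java side. The verdict words and function names are this example's own.

```shell
#!/bin/sh
# Added example for this page (not code from the posts, pgjdbc or Connector/J):
# read the query string of a JDBC URL and say whether the driver will
# validate the server certificate. Parameter names are the documented
# pgjdbc and Connector/J 5.1 ones; verdict words are this example's own.

# Print the value of query parameter $2 of URL $1, or nothing if absent.
# Always returns 0 so it is safe to call under 'set -e'.
jdbc_param() {
    local url key rest pair
    url=$1
    key=$2
    case "$url" in *\?*) ;; *) return 0 ;; esac
    rest=${url#*\?}
    while [ -n "$rest" ]; do
        pair=${rest%%&*}
        if [ "$pair" = "$rest" ]; then rest=""; else rest=${rest#*&}; fi
        case "$pair" in
        "$key="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 0
}

# Print one verdict line: VERIFIED, UNVERIFIED, PLAINTEXT or UNKNOWN plus a
# reason. $2 overrides the home directory in which pgjdbc looks for its
# default root certificate (~/.postgresql/root.crt on the host where the
# Java process runs, not inside the postgres container).
jdbc_tls_posture() {
    local url home factory mode ssl rootcert usessl require verify protos note
    url=$1
    home=${2:-$HOME}
    case "$url" in
    jdbc:postgresql:*)
        factory=$(jdbc_param "$url" sslfactory)
        mode=$(jdbc_param "$url" sslmode)
        ssl=$(jdbc_param "$url" ssl)
        rootcert=$(jdbc_param "$url" sslrootcert)
        [ -n "$rootcert" ] || rootcert="$home/.postgresql/root.crt"
        case "$factory" in
        *NonValidatingFactory)
            echo "UNVERIFIED sslfactory=$factory accepts any server certificate"
            return 0 ;;
        *DefaultJavaSSLFactory)
            echo "VERIFIED certificate checked against the JRE trust store (sslfactory=$factory)"
            return 0 ;;
        esac
        # pgjdbc treats ssl=true without an explicit sslmode as verify-full.
        if [ -z "$mode" ] && [ "$ssl" = true ]; then mode=verify-full; fi
        case "$mode" in
        verify-full|verify-ca)
            if [ ! -r "$rootcert" ]; then
                echo "UNKNOWN sslmode=$mode but $rootcert is not readable by the client, so the driver will fail to connect"
            elif [ "$mode" = verify-ca ]; then
                echo "VERIFIED chain checked against $rootcert, but verify-ca skips the hostname check"
            else
                echo "VERIFIED chain and hostname checked against $rootcert"
            fi ;;
        require)
            echo "UNVERIFIED sslmode=require encrypts the session but accepts any server certificate" ;;
        ""|disable|allow|prefer)
            echo "PLAINTEXT sslmode=${mode:-unset} does not require TLS" ;;
        *)
            echo "UNKNOWN unrecognised sslmode=$mode" ;;
        esac ;;
    jdbc:mysql:*)
        usessl=$(jdbc_param "$url" useSSL)
        require=$(jdbc_param "$url" requireSSL)
        verify=$(jdbc_param "$url" verifyServerCertificate)
        protos=$(jdbc_param "$url" enabledTLSProtocols)
        case "$usessl" in
        true) ;;
        false) echo "PLAINTEXT useSSL=false"; return 0 ;;
        *) echo "UNKNOWN useSSL is not set explicitly; the driver default decides"; return 0 ;;
        esac
        note=""
        [ "$require" = true ] || note="$note; requireSSL is not true, so the driver may fall back to plaintext"
        [ -n "$protos" ] || note="$note; enabledTLSProtocols is unset, so the negotiated version depends on driver and JDK defaults"
        case "$verify" in
        true)  echo "VERIFIED certificate checked against the JVM trust store$note" ;;
        false) echo "UNVERIFIED verifyServerCertificate=false accepts any server certificate$note" ;;
        *)     echo "UNKNOWN verifyServerCertificate is not set explicitly; the driver default decides$note" ;;
        esac ;;
    *)
        echo "UNKNOWN unsupported JDBC URL scheme" ;;
    esac
    return 0
}

# Demo with the URLs from the two posts above (host names are placeholders).
jdbc_tls_posture 'jdbc:postgresql://db:5432/app?sslmode=require'
jdbc_tls_posture 'jdbc:mysql://<host>:3306/DBNAME?verifyServerCertificate=false&useSSL=true&requireSSL=true'
```

Run it against the URL your pool actually uses; anything other than VERIFIED means a man-in-the-middle with any certificate, self-signed included, gets the same encrypted session your database does. For the pgjdbc case, passing sslrootcert=/path/inside/the/client/container together with sslmode=verify-full keeps the validation the asker wanted instead of dropping to sslmode=require.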
I set up Rundeck with LDAP/AD auth via the JAAS module (vide the official documentation).
Auth works perfectly fine with a non-encrypted connection (providerUrl="ldap://AD-FQDN").
When I try to switch from LDAP to LDAPS (providerUrl="ldaps://AD-FQDN"), that's where the problem begins.
I gathered the AD cert along with the Sub and Root CAs, added them into the Rundeck truststore (and keystore afterwards) and restarted rundeckd.
Certs are being validated successfully:
[root@rundeck01 ssl]# openssl verify -CAfile RootCA.cer -untrusted SubCA.cer ad01.cer
ad01.cer: OK
What I can see in service.log:
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Firewall ports are open (I can connect to ports 389 and 636 via telnet).
Running on:
rundeck-3.4.0.20210614-1
CentOS 7.9
Kindly advise.
Extract the ldaps server cert:
echo -n | openssl s_client -connect your_ldap_server:636 > cert.out
Import it into Rundeck's truststore:
keytool -importcert -trustcacerts -file cert.out -alias myldap -keystore etc/rundeck/truststore
Add the truststore path in your rundeckd file (-Djavax.net.ssl.trustStore):
RDECK_JVM_OPTS="-Drundeck.jaaslogin=true \
-Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
-Dloginmodule.name=ldap \
-Djavax.net.ssl.trustStore=/etc/rundeck/truststore"
Same issue solved here.
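A caveat on the first two steps of that answer, as an added example that is not part of the answer and not Rundeck code: openssl s_client prints the handshake transcript around the certificate, and without -showcerts it prints only the server's leaf certificate, so the truststore breaks again the next time the AD certificate is renewed. The script below, written for this page, splits saved s_client -showcerts output into one PEM file per certificate, so the issuing CA can be imported with keytool instead of, or alongside, the leaf. The transcript is constructed here in the shape of s_client output and the certificate bodies are placeholders, not real certificates; the alias and keystore path are the ones from the answer.

```shell
#!/bin/sh
# Added example (not part of the answer above, and not Rundeck code):
# split saved 'openssl s_client -showcerts' output into one PEM file per
# certificate, so the issuing CA can be imported rather than the whole
# transcript or only the leaf.

# Write every complete certificate block in $1 to $2.<n>.pem and print the
# number of complete blocks. A truncated final block is reported on stderr
# and its partial file is left for inspection, but it is not counted.
extract_pem_certs() {
    local infile prefix
    infile=$1
    prefix=$2
    awk -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; out = prefix "." (n + 1) ".pem" }
        inside { print > out }
        /-----END CERTIFICATE-----/ { if (inside) { n++; inside = 0; close(out) } }
        END {
            if (inside) print "warning: last certificate block is truncated" > "/dev/stderr"
            print n + 0
        }
    ' "$infile"
}

# Constructed transcript in the shape of s_client -showcerts output; the
# certificate bodies are placeholders, not real certificates.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Sub CA
verify return:1
---
Certificate chain
 0 s:CN = ad01.example.test
   i:CN = Example Sub CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-PLACEHOLDER-NOT-A-CERTIFICATE
-----END CERTIFICATE-----
 1 s:CN = Example Sub CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-SUBCA-PLACEHOLDER-NOT-A-CERTIFICATE
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ad01.example.test
issuer=CN = Example Sub CA
---
DONE
EOF
}

# Demo: extract into a temp dir (left in place so the keytool step can use it)
# and print the import command for the highest certificate the server sent,
# which is the issuing CA when the server is configured to send its chain.
demo_dir=$(mktemp -d)
sample_transcript > "$demo_dir/s_client.out"
count=$(extract_pem_certs "$demo_dir/s_client.out" "$demo_dir/chain")
echo "extracted $count certificate(s) into $demo_dir"
echo "keytool -importcert -trustcacerts -file $demo_dir/chain.$count.pem -alias myldap -keystore etc/rundeck/truststore"
```

Before importing, confirm with openssl x509 -noout -subject -issuer -in chain.N.pem that the last block really is the CA you expect (the AD server may send only the leaf, in which case the Root and Sub CA files the asker already has are the right thing to import), and check that rundeckd actually runs with the -Djavax.net.ssl.trustStore path: the PKIX error in the question is exactly what you get when the JVM is still reading its default cacerts.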
My existing Jenkins master-slave connection got broken. I tried establishing the connection via the scp command.
On master:
scp ~/.ssh/id_rsa.pub jenkins@<my_slave_machine>:/tmp
On slave :
• ssh-keygen -b 2048 -t rsa
• Press enter for " Enter file in which to save the key (/home/jenkins/.ssh/id_rsa) : "
• Press enter for " Enter passphrase (empty for no passphrase):"
• Press enter for " Enter same passphrase again:"
• cd .ssh/
• touch authorized_keys
• chmod 600 authorized_keys
• cat /tmp/id_rsa.pub >> authorized_keys
After trying to connect from the UI, I get the below error.
[12/05/16 07:53:48] [SSH] Opening SSH connection to <my_slave_machine>:22.
[12/05/16 07:53:49] [SSH] Authentication successful.
[12/05/16 07:53:49] [SSH] The remote users environment is:
ENV=/home/dx00926/.kshrc
FACTERLIB=/var/lib/puppet/rel_RHEL6_64_670/lib/facter
FCEDIT=ed
HISTCMD=0
HOME=/home/dx00926
IFS=$' \t\n'
JOBMAX=0
KSH_VERSION=.sh.version
LINENO=1
LOGNAME=dx00926
MAIL=/var/mail/dx00926
MAILCHECK=600
OPTIND=1
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/adnssh/bin
PPID=1455663
PS2='> '
PS3='#? '
PS4='+ '
PWD=/home/dx00926
RANDOM=6009
SECONDS=0.000
SFTP_PERMIT_CHMOD=1
SFTP_PERMIT_CHOWN=1
SFTP_UMASK=''
SHELL=/bin/ksh
SHLVL=1
SSH_CLIENT='148.112.120.212 35609 22'
SSH_CONNECTION='148.112.120.212 35609 10.33.70.153 22'
TMOUT=0
USER=dx00926
[12/05/16 07:53:49] [SSH] Starting sftp client.
[12/05/16 07:53:49] [SSH] Copying latest slave.jar...
hudson.util.IOException2: Could not copy slave.jar into '/home/jenkins' on slave
at hudson.plugins.sshslaves.SSHLauncher.copySlaveJar(SSHLauncher.java:1054)
at hudson.plugins.sshslaves.SSHLauncher.access$300(SSHLauncher.java:137)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:723)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:706)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: hudson.util.IOException2: Could not copy slave.jar to '/home/jenkins/slave.jar' on slave
at hudson.plugins.sshslaves.SSHLauncher.copySlaveJar(SSHLauncher.java:1049)
... 7 more
Caused by: com.trilead.ssh2.SFTPException: Permission denied (SSH_FX_PERMISSION_DENIED: The user does not have sufficient permissions to perform the operation.)
at com.trilead.ssh2.SFTPv3Client.openFile(SFTPv3Client.java:1201)
at com.trilead.ssh2.SFTPv3Client.createFile(SFTPv3Client.java:1074)
at com.trilead.ssh2.SFTPv3Client.createFile(SFTPv3Client.java:1055)
at hudson.plugins.sshslaves.SFTPClient.writeToFile(SFTPClient.java:93)
at hudson.plugins.sshslaves.SSHLauncher.copySlaveJar(SSHLauncher.java:1039)
... 7 more
[12/05/16 07:53:49] Launch failed - cleaning up connection
[12/05/16 07:53:49] [SSH] Connection closed.
I have even tried the below posts, but did not get a resolution.
Jenkins Slave Permission Denied while copying slave.jar
https://issues.jenkins-ci.org/browse/JENKINS-26259
https://issues.jenkins-ci.org/browse/JENKINS-22651
Jenkins slave set-up - Both Master and Slave Nodes are Linux machines
ENV=/home/dx00926/.kshrc
...
HOME=/home/dx00926
...
USER=dx00926
...
hudson.util.IOException2: Could not copy slave.jar into '/home/jenkins' on slave
...
Caused by: com.trilead.ssh2.SFTPException: Permission denied (SSH_FX_PERMISSION_DENIED: The user does not have sufficient permissions to perform the operation.)
It looks like you're connecting to this server as a user named "dx00926". The simplest explanation for this error is that this "dx00926" user on the remote system doesn't have permission to create files in the directory /home/jenkins, or there's an existing file named "/home/jenkins/slave.jar" there and this user doesn't have permission to overwrite its contents.
Either modify the permission on the /home/jenkins directory to permit dx00926 to create files there, or connect to the remote system with a user that does have permissions to create files there.
For example, if you have a username "jenkins" and the home dir is "/home/jenkins",
you have to put this home directory in your node configuration; see "Remote root directory: /home/jenkins".
It resolved my issue, especially for AWS EC2. And don't set full permissions on the home directory; it will affect it.
I was having this error. I removed the existing remote.jar on the remote server and tried to recreate the agent. It went well.
https://issues.jenkins.io/browse/JENKINS-67258
"Please note, apparently upgrading SSH Build Agents / SSH Slaves Plugin to version 1.32.0 and beyond helps with resolving this problem."
I was having this error, and I tried the above solutions, but the only way I was able to resolve it was by deleting the node, deleting the /opt/jenkins folder, and recreating the folder and the node. After that it worked fine.
sudo chmod -R 777 /home/jenkins
I got this error after setting up a slave node; somebody please help.
I can ssh to the slave node without a problem; it only happens in Jenkins.
[11/20/14 21:01:30] [SSH] Opening SSH connection to 10.105.5.34:22.
[11/20/14 21:01:30] [SSH] Authentication failed.
hudson.AbortException: Authentication failed.
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1178)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
[11/20/14 21:01:30] Launch failed - cleaning up connection
[11/20/14 21:01:30] [SSH] Connection closed.
The Jenkins version is the latest, 1.59, and the SSH plugin is also the latest.
Try to ssh to the host using this command:
ssh -v -i ~/.ssh/id_rsa remoteuser@server
where id_rsa (or dsa) is your key. Test it well, because that's probably where your problem is. On the server, look at auth.log. You should be able to see errors in case:
home permissions/ownership are not OK
.ssh permissions/ownership are not OK
keys permissions/ownership are not OK
Key-based authentication is very strict about the permissions of the keys, the home directory and the .ssh folder, especially if strict mode is turned on in the sshd_config of the SSH server. You should have something like this set:
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
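The two Jenkins threads above fail at opposite ends of the same set of permissions: the first one authenticates but cannot write slave.jar into the remote root directory, the second one never gets past authentication because sshd's StrictModes rejects a home, .ssh or authorized_keys that is group- or world-writable (which is also why the chmod -R 777 /home/jenkins answer in the first thread trades one failure for the other). The script below is an added example written for this page, not code from either thread and not Jenkins' own; run it on the agent host as the account Jenkins logs in with. It assumes GNU or busybox stat -c, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from either thread, not Jenkins' own code): run on the
# agent host as the account Jenkins logs in with. Uses GNU/busybox 'stat -c'.

# Print the three permission digits of $1 (e.g. 1777 -> 777).
mode_of() {
    local m
    m=$(stat -c '%a' "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# The checks sshd's StrictModes applies before trusting authorized_keys:
# home, ~/.ssh and the key file must belong to the login user and must not
# be writable by group or others. Prints one line per problem and returns 1,
# or prints OK and returns 0.
audit_ssh_perms() {
    local home me path owner mode g o problems
    home=$1
    me=$(id -u)
    problems=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            problems=$((problems + 1))
            continue
        fi
        owner=$(stat -c '%u' "$path")
        if [ "$owner" != "$me" ]; then
            echo "wrong owner: $path belongs to uid $owner, not uid $me"
            problems=$((problems + 1))
        fi
        mode=$(mode_of "$path")
        g=${mode%?}; g=${g#?}      # group digit
        o=${mode#??}               # others digit
        case "$g$o" in
        *[2367]*)
            echo "writable by group or others: $path (mode $mode)"
            problems=$((problems + 1)) ;;
        esac
    done
    if [ "$problems" -eq 0 ]; then echo OK; return 0; fi
    return 1
}

# The failure in the first thread: the login user must be able to create and
# overwrite the agent jar (slave.jar, now remoting.jar) in the node's
# "Remote root directory". Prints the problem and returns 1, or OK.
audit_remote_root() {
    local dir jar
    dir=$1
    jar=${2:-remoting.jar}
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "cannot create files in $dir as $(id -un)"
        return 1
    fi
    if [ -e "$dir/$jar" ] && [ ! -w "$dir/$jar" ]; then
        echo "existing $dir/$jar is not writable by $(id -un)"
        return 1
    fi
    echo OK
    return 0
}

# Demo against the current account's home and a typical remote root.
audit_ssh_perms "$HOME" || true
audit_remote_root "${REMOTE_ROOT:-/home/jenkins}" slave.jar || true
```

The fix for a failing audit_ssh_perms is the three chmod lines in the answer above (plus chown if the owner is wrong); the fix for a failing audit_remote_root is to make the remote root directory owned by the login user, or to log in as the user that owns it, rather than opening the whole home directory to everyone.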
My webserver, Orion 1.5.4, runs on JRE 1.4.2. When I run
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
the following exception is thrown:
java.security.NoSuchAlgorithmException:Algorithm PBKDF2WithHmacSHA1 not available
I googled and found that I need to add the Bouncy Castle provider, so I downloaded bcprov-jdk14-150.jar and placed it in the classpath, and downloaded the unlimited policy files into the JVM. Then, when I run the program code, an error is thrown in the line
aesCipher.init(Cipher.DECRYPT_MODE,secretKey, new IvParameterSpec(ivByte));
The error message is:
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
at javax.crypto.SunJCE_b.(DashoA12275)
... 15 more
Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
at javax.crypto.SunJCE_b.a(DashoA12275)
at javax.crypto.SunJCE_b.g(DashoA12275)
at javax.crypto.SunJCE_b.f(DashoA12275)
at javax.crypto.SunJCE_t.run(DashoA12275)
at java.security.AccessController.doPrivileged(Native Method)
... 16 more
How do I solve it?
I found the problem: I downloaded the unlimited policy files for Java 1.6 by mistake; I should have downloaded the ones for Java 1.4.
Thanks