Servoy Forum

Recently having an issue with synchronizing workspace in Eclipse to Git and uncertain as to the resolution.

Error message is
'Can't connect to any URI: https://company.unfuddle.com/git/code_repos/
https://company.unfuddle.com/git/code_repos/:cannot open git-receive-pack'

It works when sslVerify=false in Git config, but that is something that would preferably be avoided.

The git bash command line doesn't appear to throw the same error.

>git status works on the git bash shell, but not sure whether that is a good enough test

.git/config (Windows Servoy 7.4.8 )
[http]
sslVerify = false

Any ideas on how to restore the https access for the .git repository access?

Looks to be _related_ to the SSL Cert on the repository website:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Thanks,
--Joe.

More .log information on unfuddle access:

!SUBENTRY 1 org.eclipse.egit.ui 4 0 2017-04-26 09:00:31.249
!MESSAGE https://company.unfuddle.com/git/code_repos/: cannot open git-upload-pack
!STACK 0
org.eclipse.jgit.api.errors.TransportException: https://company.unfuddle.com/git/code_repos/: cannot open git-upload-pack
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:224)
at org.eclipse.egit.core.op.FetchOperation.run(FetchOperation.java:132)
at org.eclipse.egit.ui.internal.fetch.FetchOperationUI.execute(FetchOperationUI.java:108)
at org.eclipse.egit.ui.internal.synchronize.SynchronizeFetchJob.runInWorkspace(SynchronizeFetchJob.java:76)
at org.eclipse.core.internal.resources.InternalWorkspaceJob.run(InternalWorkspaceJob.java:38)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53)
Caused by: org.eclipse.jgit.errors.TransportException: https://company.unfuddle.com/git/code_repos/: cannot open git-upload-pack
at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:566)
at org.eclipse.jgit.transport.TransportHttp.openFetch(TransportHttp.java:326)
at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136)
at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122)
at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1236)
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:213)
... 5 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at org.eclipse.jgit.transport.http.JDKHttpConnection.getResponseCode(JDKHttpConnection.java:99)
at org.eclipse.jgit.util.HttpSupport.response(HttpSupport.java:202)
at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:504)
... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 32 more

Attempted to resolve with:

https://github.com/escline/InstallCert

But it's a good cert, so that wasn't successful.

Hi Joe,

I checked their SSL cert using Qualys SSL Labs and they get a solid A rating so the cert seems fine:


What Git client do you use?
Also you say 'how to restore functionality', does this mean it did work with this same URL before? What has changed in your configuration? What updates did you apply?

Hi Robert,

I use eGit. In 'restore functionality', means to be able to push and pull from my git repository. No updates or changes have been made to Servoy or the plugins. Those updates seem to affect code with which I don't want to deal.

I'm searching for any other changes that may have been made by other programs. Nothing so far.

I did leave my machine plugged into a switched outlet in a hotel room, and that caused the machine to hibernate when the battery ran low. And I always connect home to my VPN when on a hotel wireless.

--Joe.

Robert,

It turns out that the servoy.ini was reading a local keystore that I added to account for expired keys within Servoy's structure for key re-signing.

It has been that way for a while, and it is surprising that it took so long to bite back. Perhaps a Java update or something exposed my error. Some sites are still giving me update fits (new stuff like mylyn, etc), and now have more tools to resolve those issues.

Thanks for helping with my stupidity.

--Joe.

Hi Joe,

Have you just updated your Java 8 to update 131 perhaps?
I have seen issues with that update. It looks like Oracle dropped support for certain (weak) signature algorithms in that update.

Hi Robert,

Yes, it was updated. I was using a private keystore for plugins following the wiki documentation, but in Developer, setting the keystore blocked updating from an https site.

It wasn't straight to 131, though. The comms just shut down and, frankly, I don't update much while coding.

It seems more about control than security. While I agree there are vulnerabilities in everything we do on the 'net, and am a proponent of strong encryption, I'm not impressed with what's out there, especially with recent announcements.

--Joe.