Self signed Certificate issues #14

Open
gtrossell opened this issue Aug 9, 2021 · 3 comments

Comments

@gtrossell

Using the tool where the S3 target has a self signed certificate and it's not liking this. Is there a way to say ignore this?

2021-08-09 13:26:26,089 INFO [main] de.jeha.s3pt.Main Use environment value for AWS_ACCESS_KEY.
2021-08-09 13:26:26,094 INFO [main] de.jeha.s3pt.Main Use environment value for AWS_SECRET_KEY.
2021-08-09 13:26:26,746 INFO [pool-1-thread-1] de.jeha.s3pt.operations.Upload Upload: n=1, size=2048 byte
Aug 09, 2021 1:26:26 PM com.amazonaws.http.AmazonHttpClient executeHelper
INFO: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1383)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1291)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:134)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:860)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:631)
at com.amazonaws.http.AmazonHttpClient.doExecute(AmazonHttpClient.java:400)
at com.amazonaws.http.AmazonHttpClient.executeWithTimer(AmazonHttpClient.java:362)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:311)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3673)
at com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1436)
at de.jeha.s3pt.operations.Upload.call(Upload.java:52)
at de.jeha.s3pt.operations.Upload.call(Upload.java:18)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 33 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
... 39 more

@jenshadlich
Owner

Hi @gtrossell, if the certificate is self signed - did you add it to our keystore / pass it on? Adding some flag to just ignore it could be a workaround but I'd consider that a bad practice.

@gtrossell
Author

Hi @jenshadlich,

Do you have any documentation on how to do this? As this would be the ideal route rather than start bad habits!

Thanks

@jenshadlich
Owner

Hi @gtrossell I can try to give you some pointers, welcome to the fun world of java keystores 😄

If you already have a .jks file, just pass it on: -Djavax.net.ssl.trustStore=/path/my-keystore.jks -Djavax.net.ssl.trustStorePassword=changeit (the default password is really changeit - don't blame me)

If you don't have a keystore, you need to create one using the famous keytool e.g. for a custom CA:

keytool -import -trustcacerts -alias my-ca -file my-cert.crt -keystore my-keystore.jks

Google will also bring up plenty of pages dealing with this topic.
