Jenkins / JENKINS-26403

SNI Support when using Artifactory behind HTTPS

      Description

      When trying to deploy an artifact to Artifactory behind HTTPS, when there is more than one HTTPS site hosted on the same server/IP address, the following error is thrown.

      Need to update Apache HTTPClient/HttpComponents to 4.3.2+. I would recommend 4.3.5.

      This issue means that nothing can be deployed to Artifactory!!!

      Error:

      Deploying artifact: https://repo.build.coy.com/artifactory/cs-snapshot/au/com/coy/skynet/spark-fire_2.10/0.1.0-SNAPSHOT/spark-fire_2.10-0.1.0-SNAPSHOT-sources.jar
      ERROR: hostname in certificate didn't match: <repo.build.coy.com.au> != <docker.build.coy.com.au> OR <docker.build.coy.com.au> OR <www.docker.build.coy.com.au>
      javax.net.ssl.SSLException: hostname in certificate didn't match: <repo.build.coy.com.au> != <docker.build.coy.com.au> OR <docker.build.coy.com.au> OR <www.docker.build.coy.com.au>
      at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
      at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
      at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
      at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
      at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
      at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
      at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
      at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
      at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
      at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
      at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
      at org.jfrog.build.client.PreemptiveHttpClient.execute(PreemptiveHttpClient.java:88)
      at org.jfrog.build.client.ArtifactoryHttpClient.execute(ArtifactoryHttpClient.java:193)
      at org.jfrog.build.client.ArtifactoryHttpClient.upload(ArtifactoryHttpClient.java:189)
      at org.jfrog.build.client.ArtifactoryBuildInfoClient.uploadFile(ArtifactoryBuildInfoClient.java:522)
      at org.jfrog.build.client.ArtifactoryBuildInfoClient.deployArtifact(ArtifactoryBuildInfoClient.java:302)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer$FilesDeployerCallable.deploy(GenericArtifactsDeployer.java:182)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer$FilesDeployerCallable.invoke(GenericArtifactsDeployer.java:154)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer$FilesDeployerCallable.invoke(GenericArtifactsDeployer.java:122)
      at hudson.FilePath.act(FilePath.java:918)
      at hudson.FilePath.act(FilePath.java:896)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer.deploy(GenericArtifactsDeployer.java:82)
      at org.jfrog.hudson.generic.ArtifactoryGenericConfigurator$1.tearDown(ArtifactoryGenericConfigurator.java:276)
      at hudson.model.Build$BuildExecution.doRun(Build.java:171)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
      at hudson.model.Run.execute(Run.java:1759)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:89)
      at hudson.model.Executor.run(Executor.java:240)
      [WARNINGS] Skipping publisher since build result is FAILURE

          Activity

          danielbeck Daniel Beck added a comment -

          Why not just use a valid SSL cert (e.g. for *.build.coy.com.au)? Or simply a cert for repo.build.coy.com.au? Or does SNI not work for some reason?

          nightwolfzor Night Wolf added a comment -

          Both certs are valid. The problem is they both exist on the same host. Typically SSL wants a unique IP per host. Hence the need for SNI.

          This plugin uses Artifactory's build info plugin, which uses httpclient. HttpClient only added SNI support in 4.3.2; see https://issues.apache.org/jira/plugins/servlet/mobile#issue/HTTPCLIENT-1119

          So the plugin needs to be updated with a new version of buildinfo, which needs a later version of httpclient.

          danielbeck Daniel Beck added a comment -

          That wasn't clear to me from the report. Thanks for the explanation!

          jplock Justin Plock added a comment -

          This doesn't appear to be specific to just Artifactory. Anything using the maven-deploy-plugin and trying to upload artifacts to an SSL host that has multiple certificates sharing the same IP address has this problem.

          yossis yossis added a comment -

          We upgraded the http client to support SNI. Please track the issue on the official plugin Jira - https://www.jfrog.com/jira/browse/HAP-556

          mreinhardt Martin Reinhardt added a comment -

          Updated httpcomponents. Will be included in the next release.


            People

            • Assignee:
              mreinhardt Martin Reinhardt
              Reporter:
              nightwolfzor Night Wolf
            • Votes:
              4
              Watchers:
              8
