JENKINS-38738

Maven plugin does not use SNI with SSL maven repos

      Description

      I have an Apache Archiva instance running behind HAProxy. HAProxy acts as an SSL wrapper for multiple HTTP services, each identified via its DNS name, and each with its own certificate.

      This setup requires clients to use SNI within the TLS handshake, so HAProxy can send back the proper SSL certificate. This works already for command-line Maven builds on my machine. Also curl, Firefox and even Apache Karaf are able to seamlessly communicate with my Archiva repo via HTTPS.

      The Jenkins Maven plugin seems to not send SNI during the handshake, and I infer this from the fact that HAProxy replies with the wrong SSL certificate (the one for the website www.example.com/example.com, instead of archiva.example.org), as presented in the log below.

      Parsing POMs
      Failed to transfer Could not transfer artifact org.example:example-parent:pom:4 from/to example-releases (https://archiva.example.org/repository/example-releases): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
      Failed to transfer Could not find artifact org.example:example-parent:pom:4 in central (http://repo.maven.apache.org/maven2)
      ERROR: Failed to parse POMs
      org.apache.maven.project.ProjectBuildingException: Some problems were encountered while processing the POMs:
      [FATAL] Non-resolvable parent POM: Could not transfer artifact org.example:example-parent:pom:4 from/to example-releases (https://archiva.example.org/repository/example-releases): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com> and 'parent.relativePath' points at wrong local POM @ line 5, column 13
      
      	at org.apache.maven.project.DefaultProjectBuilder.build(DefaultProjectBuilder.java:364)
      	at hudson.maven.MavenEmbedder.buildProjects(MavenEmbedder.java:361)
      	at hudson.maven.MavenEmbedder.readProjects(MavenEmbedder.java:331)
      	at hudson.maven.MavenModuleSetBuild$PomParser.invoke(MavenModuleSetBuild.java:1301)
      	at hudson.maven.MavenModuleSetBuild$PomParser.invoke(MavenModuleSetBuild.java:1098)
      	at hudson.FilePath.act(FilePath.java:1018)
      	at hudson.FilePath.act(FilePath.java:996)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.parsePoms(MavenModuleSetBuild.java:960)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:679)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
      	at hudson.model.Run.execute(Run.java:1741)
      	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531)
      	at hudson.model.ResourceController.execute(ResourceController.java:98)
      	at hudson.model.Executor.run(Executor.java:410)
      

      I've tried to work around this by using a proxy repository on the build machine, but this only moved the problem to the deploy step:

      Maven RedeployPublisher use remote  maven settings from : /var/lib/jenkins/.m2/settings.xml
      [INFO] Deployment in https://archiva.example.org/repository/example-snapshots (id=example-snapshots,uniqueVersion=true)
      Deploying the main artifact my-artifact-5-SNAPSHOT.pom
      Downloading: https://archiva.example.org/repository/example-snapshots/org/example/my-artifact/5-SNAPSHOT/maven-metadata.xml
      ERROR: Failed to retrieve remote metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml: Could not transfer metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml from/to example-snapshots (https://archiva.example.org/repository/example-snapshots): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
      org.apache.maven.artifact.deployer.ArtifactDeploymentException: Failed to retrieve remote metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml: Could not transfer metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml from/to example-snapshots (https://archiva.example.org/repository/example-snapshots): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
      	at org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy(DefaultArtifactDeployer.java:143)
      	at hudson.maven.reporters.MavenArtifactRecord.deploy(MavenArtifactRecord.java:193)
      	at hudson.maven.RedeployPublisher.perform(RedeployPublisher.java:176)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:720)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1047)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:665)
      	at hudson.model.Run.execute(Run.java:1766)
      	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531)
      	at hudson.model.ResourceController.execute(ResourceController.java:98)
      	at hudson.model.Executor.run(Executor.java:410)
      Caused by: org.eclipse.aether.deployment.DeploymentException: Failed to retrieve remote metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml: Could not transfer metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml from/to example-snapshots (https://archiva.example.org/repository/example-snapshots): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
      	at org.eclipse.aether.internal.impl.DefaultDeployer.upload(DefaultDeployer.java:470)
      	at org.eclipse.aether.internal.impl.DefaultDeployer.deploy(DefaultDeployer.java:314)
      	at org.eclipse.aether.internal.impl.DefaultDeployer.deploy(DefaultDeployer.java:269)
      	at org.eclipse.aether.internal.impl.DefaultRepositorySystem.deploy(DefaultRepositorySystem.java:413)
      	at org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy(DefaultArtifactDeployer.java:139)
      	... 11 more
      Caused by: org.eclipse.aether.transfer.MetadataTransferException: Could not transfer metadata org.example:my-artifact:5-SNAPSHOT/maven-metadata.xml from/to example-snapshots (https://archiva.example.org/repository/example-snapshots): hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
      	at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$5.wrap(WagonRepositoryConnector.java:995)
      	at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$5.wrap(WagonRepositoryConnector.java:983)
      	at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$GetTask.run(WagonRepositoryConnector.java:725)
      	at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run(RunnableErrorForwarder.java:67)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: org.apache.maven.wagon.TransferFailedException: hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
      	at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.fillInputData(AbstractHttpClientWagon.java:892)
      	at org.apache.maven.wagon.StreamWagon.getInputStream(StreamWagon.java:116)
      	at org.apache.maven.wagon.StreamWagon.getIfNewer(StreamWagon.java:88)
      	at org.apache.maven.wagon.StreamWagon.get(StreamWagon.java:61)
      	at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$GetTask.run(WagonRepositoryConnector.java:660)
      	... 4 more
      Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <archiva.example.org> != <example.com> OR <example.com> OR <www.example.com>
      	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
      	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
      	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
      	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
      	at org.apache.maven.wagon.shared.http4.ConfigurableSSLSocketFactoryDecorator.connectSocket(ConfigurableSSLSocketFactoryDecorator.java:64)
      	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
      	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
      	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
      	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
      	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
      	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
      	at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.execute(AbstractHttpClientWagon.java:746)
      	at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.fillInputData(AbstractHttpClientWagon.java:886)
      	... 8 more
      [INFO] Deployment failed after 0.49 sec
      Build step 'Deploy artifacts to Maven repository' changed build result to FAILURE
      

      I've noticed that both Jenkins' maven plugin and apache karaf 4.0.x (via pax-url) are using org.eclipse.aether to communicate with maven repos, but only karaf uses SNI - maybe using a newer version of org.eclipse.aether would solve this? I've tried looking at the code of maven plugin, but I was unable to make heads or tails of which version is used.

      Browsing the issues I noticed some Jenkins plugins were recently fixed for SNI (gitlab-oauth-plugin, artifactory plugin etc). I am not sure how come maven-plugin did not encounter this issue yet.

      How can I help to solve this issue?
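
An added example (not part of the original report, and not Jenkins, Maven or HAProxy code) of the mechanism the description relies on: it emits a real ClientHello with and without a host name, parses the `server_name` extension as an SNI-routing frontend must, and models the fallback to a default certificate. The `CERTS` table, `DEFAULT_CERT` string and the function names are constructed for illustration.

```python
import ssl
import struct

# Constructed stand-ins for the frontend's certificate table in the report.
CERTS = {"archiva.example.org": "CN=archiva.example.org"}
DEFAULT_CERT = "CN=example.com, SAN=www.example.com"


def client_hello(server_hostname):
    """Return the first TLS flight a client emits; no network is used."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Models a client stack that never hands the host name to TLS.
        ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: there is no server to answer
    return outgoing.read()


def sni_from_client_hello(data):
    """Extract the server_name (extension type 0) or return None."""
    payload, pos = b"", 0
    while pos + 5 <= len(data):  # reassemble handshake records (type 22)
        rtype, _version, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        if rtype != 22:
            break
        payload += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if not payload or payload[0] != 1:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                       # header, version, random
    p += 1 + payload[p]                                  # session_id
    p += 2 + int.from_bytes(payload[p:p + 2], "big")     # cipher_suites
    p += 1 + payload[p]                                  # compression_methods
    if p + 2 > len(payload):
        return None                                      # no extensions at all
    end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        body = payload[p + 4:p + 4 + elen]
        if etype == 0:
            # server_name_list: list_len(2) name_type(1) name_len(2) name
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii")
        p += 4 + elen
    return None


def select_certificate(hello):
    """Model of SNI routing: unknown or absent name gets the default cert."""
    return CERTS.get(sni_from_client_hello(hello), DEFAULT_CERT)


if __name__ == "__main__":
    for host in ("archiva.example.org", None):
        print(host, "->", select_certificate(client_hello(host)))
```

A client that omits the extension receives the default certificate, which is what produces the `hostname in certificate didn't match` error in the logs above even though certificate validation itself is working correctly.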

            Activity

            cmoh Ciprian Ciubotariu created issue -
            aheritier Arnaud Héritier added a comment -

            version 2.15 will upgrade wagon to the latest version. Let us know if it fixes this issue. Thanks

            aheritier Arnaud Héritier added a comment -

            FYI 2.15.1 is out

            stefanotravelli Stefano Travelli added a comment - - edited

            No luck here with newer version 2.15.1 and nginx TLS/SNI

            Not sure that the error is the same, though:
            sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

            aheritier Arnaud Héritier added a comment -

            Do you have the full stack trace, please?

            stefanotravelli Stefano Travelli added a comment -

            The previous error was misleading because the JDK didn't recognize a LetsEncrypt certificate. With JDK 1.0.8_112 I get:

            [INFO] [INFO] 
            [INFO] [INFO] --- maven-deploy-plugin:2.8.2:deploy (default-deploy) @ eui-login ---
            [INFO] [INFO] Uploading: https://www.entaksi.eu/maven/maintenact-release-local/eu/entaksi/eui/eui-login/1.0.4/eui-login-1.0.4.amp
            [INFO] [INFO] Uploading: https://www.entaksi.eu/maven/maintenact-release-local/eu/entaksi/eui/eui-login/1.0.4/eui-login-1.0.4.pom
            [INFO] [INFO] ------------------------------------------------------------------------
            [INFO] [INFO] BUILD FAILURE
            [INFO] [INFO] ------------------------------------------------------------------------
            [INFO] [INFO] Total time: 4.035 s
            [INFO] [INFO] Finished at: 2017-02-17T14:32:24+01:00
            
            [INFO] [INFO] Final Memory: 31M/640M
            [INFO] [INFO] ------------------------------------------------------------------------
            [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy) on project eui-login: Failed to deploy artifacts: Could not transfer artifact eu.entaksi.eui:eui-login:amp:1.0.4 from/to maintenact-release (https://www.entaksi.eu/maven/maintenact-release-local): hostname in certificate didn't match: <www.entaksi.eu> != <console.entaksi.eu> OR <console.entaksi.eu> -> [Help 1]
            [INFO] [ERROR] 
            [INFO] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
            [INFO] [ERROR] Re-run Maven using the -X switch to enable full debug logging.
            [INFO] [ERROR] 
            [INFO] [ERROR] For more information about the errors and possible solutions, please read the following articles:
            [INFO] [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
            

            This happens only during a Maven release. Regular builds that include uploading snapshots to the repository work fine.
            As a workaround I set an entry in the hosts file in order to point to a dedicated HTTP server with a single certificate.

            aheritier Arnaud Héritier added a comment -

            OK, so here it's at Jenkins level.
            The Parsing POM step succeeded in getting artifacts (which was the error reported in this ticket).
            It is strange that you have this deployment issue only with releases and not with snapshots (are they uploaded to the same server?).
            I'm not sure if Jenkins can be involved in the issue; did you try to reproduce the issue without Jenkins?
            When you are deploying your snapshots, are you also using Maven to do it, or are you using the post build step provided by Jenkins in Maven jobs?

            stefanotravelli Stefano Travelli added a comment -

            Yes, it's the same server and I'm using the post build step provided by Jenkins.

            With regard to the scope of this ticket I think it's fixed. My issue seems more like JENKINS-26403 (even if I'm not using the Artifactory plugin).

            Thanks.

            aheritier Arnaud Héritier added a comment -

            If for SNAPSHOTs you are using the post build step provided by Jenkins, then it could explain the difference, and thus if parsing POM + SNAPSHOTs deployment are working with your repo using SNI, this issue but also JENKINS-40903 could be fixed.
            JENKINS-26403 is different because I think that it is the Artifactory plugin which is doing the deployment from Jenkins.

            In your case you are asking Maven to do the deployment with the deploy goal, and this is where we have the issue, and it should be a pure Maven issue.

            Maybe you could try to run your release build with -e or -X (or just a deploy with maven, it should be the same). It may help you to see which wagon provider/version you are using and adapt your maven configuration to use the right one.

            stefanotravelli Stefano Travelli added a comment -

            You are right. It was a pure Maven issue.
            After upgrading Maven to 3.2.1 and forcing maven-release-plugin to version 2.5.3, it works.

            Thank you.

            aheritier Arnaud Héritier added a comment -

            Fixed in 2.15

            aheritier Arnaud Héritier made changes -
            Field        Original Value    New Value
            Status       Open [ 1 ]        Closed [ 6 ]
            Assignee                       Arnaud Héritier [ aheritier ]
            Resolution                     Fixed [ 1 ]
            aheritier Arnaud Héritier made changes -
            Field        Original Value    New Value
            Link                           This issue is duplicated by JENKINS-40903 [ JENKINS-40903 ]

              People

              • Assignee:
                aheritier Arnaud Héritier
                Reporter:
                cmoh Ciprian Ciubotariu