Danny van Zunderd
Reputation: 1
artifactory certificate error while downloading from jcenter
We are using artifactory oss and since a few days we have some issues with downloading jars from jcenter repository. It is not for all downloads and it is not clear why. When downloading we get the following error:
Failed retrieving resource from http://jcenter.bintray.com/commons-lang/commons-lang/2.6/commons-lang-2.6.jar: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What is strange here is that we are trying to download from http source and not https as should be expected with valid certification.
When looking in the logs we can see that there are 2 different methods which download one is "httpRepo" which works good and the one which always fails is "RemoteRepoBase" but it is not clear why sometimes the one is being used and other times the other.
This is a snipper of the logs of working and non-working downloads:
2018-05-22 16:03:25,928 [https-jsse-nio-8060-exec-6] [INFO ] (o.a.r.HttpRepo :414) - jcenter downloading http://jcenter.bintray.com/commons-lang/commons-lang/2.1/commons-lang-2.1.jar 202.85 KB
2018-05-22 16:03:25,992 [https-jsse-nio-8060-exec-6] [INFO ] (o.a.r.HttpRepo :427) - jcenter downloaded http://jcenter.bintray.com/commons-lang/commons-lang/2.1/commons-lang-2.1.jar 202.85 KB at 3,247.54 KB/sec
2018-05-22 16:03:52,322 [https-jsse-nio-8060-exec-12] [INFO ] (o.a.r.HttpRepo :414) - jcenter downloading http://jcenter.bintray.com/commons-lang/commons-lang/2.5/commons-lang-2.5.jar 272.65 KB
2018-05-22 16:03:52,662 [https-jsse-nio-8060-exec-12] [INFO ] (o.a.r.HttpRepo :427) - jcenter downloaded http://jcenter.bintray.com/commons-lang/commons-lang/2.5/commons-lang-2.5.jar 272.65 KB at 807.36 KB/sec
2018-05-22 16:03:57,121 [art-exec-6] [INFO ] (o.a.s.a.ArchiveIndexerImpl:145) - Indexing archive: jcenter-cache:commons-lang/commons-lang/2.1/commons-lang-2.1.jar
2018-05-22 16:03:57,328 [art-exec-6] [INFO ] (o.a.s.a.ArchiveIndexerImpl:145) - Indexing archive: jcenter-cache:commons-lang/commons-lang/2.5/commons-lang-2.5.jar
2018-05-22 16:07:58,243 [https-jsse-nio-8060-exec-7] [WARN ] (o.a.r.RemoteRepoBase:433) - jcenter: Error in getting information for 'commons-lang/commons-lang/2.6/commons-lang-2.6.jar' (Failed retrieving resource from http://jcenter.bintray.com/commons-lang/commons-lang/2.6/commons-lang-2.6.jar: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target).
2018-05-22 16:08:10,319 [https-jsse-nio-8060-exec-7] [WARN ] (o.a.r.RemoteRepoBase:433) - jcenter: Error in getting information for 'commons-lang/commons-lang/2.6/commons-lang-2.6.jar' (Failed retrieving resource from http://jcenter.bintray.com/commons-lang/commons-lang/2.6/commons-lang-2.6.jar: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target).
2018-05-22 16:08:13,255 [https-jsse-nio-8060-exec-12] [WARN ] (o.a.r.RemoteRepoBase:433) - jcenter: Error in getting information for 'commons-lang/commons-lang/2.6/commons-lang-2.6.jar' (Failed retrieving resource from http://jcenter.bintray.com/commons-lang/commons-lang/2.6/commons-lang-2.6.jar: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target).
2018-05-22 16:08:13,874 [https-jsse-nio-8060-exec-7] [WARN ] (o.a.r.RemoteRepoBase:433) - jcenter: Error in getting information for 'commons-lang/commons-lang/2.6/commons-lang-2.6.jar' (Failed retrieving resource from http://jcenter.bintray.com/commons-lang/commons-lang/2.6/commons-lang-2.6.jar: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target).
2018-05-22 16:08:22,943 [https-jsse-nio-8060-exec-4] [WARN ] (o.a.r.RemoteRepoBase:433) - jcenter: Error in getting information for 'commons-lang/commons-lang/2.3/commons-lang-2.3.jar' (Failed retrieving resource from http://jcenter.bintray.com/commons-lang/commons-lang/2.3/commons-lang-2.3.jar: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target).
2018-05-22 16:08:35,290 [https-jsse-nio-8060-exec-5] [WARN ] (o.a.r.RemoteRepoBase:433) - jcenter: Error in getting information for 'commons-lang/commons-lang/2.3/commons-lang-2.3.jar' (Failed retrieving resource from http://jcenter.bintray.com/commons-lang/commons-lang/2.3/commons-lang-2.3.jar: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target).
2018-05-22 16:08:52,519 [https-jsse-nio-8060-exec-12] [WARN ] (o.a.r.RemoteRepoBase:433) - jcenter: Error in getting information for 'commons-lang/commons-lang/2.2/commons-lang-2.2.jar' (Failed retrieving resource from http://jcenter.bintray.com/commons-lang/commons-lang/2.2/commons-lang-2.2.jar: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target).
Upvotes: 0
Views: 1745
Answers (1)
Uriah L.
Reputation: 621
The certification path error is most likely a result of a redirection to Bintray's CDN over SSL regardless to the remote repo URL being http and not https. If you tried to pull this file using cURL, you'll see that it indeed redirects to https://akamai.bintray.com.
The server certificate appears to be fine, that is, I am personally able to pull the file both through my Artifactory instance and using cURL w/o seeing any SSL validation errors.
That being said, we usually see this type of errors occur due to a few main reasons:
- Someone (sometimes it could be your IT department) has tempered with the 'cacerts' file of your JDK/JRE installation on the server that hosts Artifactory. This file holds a list of trusted CA's just like a browser would, that tells your Java installation which certificates are to be trusted when initiating SSL connections. You can use cURL or 'openssl' to examine the certificate presented by akamai.bintray.com or jcenter.bintray.com when you try to connect to it over SSL. These certificates were issued by standard trusted CA.
- It is less common - but sometimes using a JDK vendor which is not one of the mainstream ones (i.e Oracle, openJDK etc) entails having an outdated/non-standard 'cacerts' file. When such installations come with a 'cacerts' file that does not contain the root certificate of standard trusted CA's, you will most likely see this error.
- Even more far fetched but I have seen this happen - your connections are initiated through a corporate proxy that facilitates something like "ssl-bumping" or behaves as a MITM that tries to spoof your SSL traffic by presenting a fake certificate that mimics the target server certificate, resulting in SSL validation errors on the client.
I Hope this helps
Upvotes: 4
Related Questions
- Artifactory: x509 certificate signed by unknown authority
- Cannot download artifact cas-server-core from https://mvnrepository.com/
- Artifactory jfrog cli: x509: certificate signed by unknown authority
- JFrog Artifactory unable to download jars from remote repository
- Certificate for <jcenter.bintray.com> doesn't match any of the subject alternative names
- How to add certificate for remote repository in JFrog Artifactory
- Jcenter inclsuion: The version control <url> returns 404, worked before
- Trouble downloading my published files on Bintray from JCenter
- Eclipse Aether download artifact from https repository
- Trouble downloading non-JCenter artifacts from bintray