
Java and Wildcard SSL certificate issues

Today I faced a nasty issue using a valid, signed wildcard SSL certificate from Symantec.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
	at SSLTest.<init>(SSLTest.java:20)
	at SSLTest.main(SSLTest.java:34)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 23 more

Even though the certificate was valid and the root CA was present in the Java cacerts keystore, it still did not work. First I ran my Java application with -Djavax.net.debug=SSL to see what was really going on. I noticed that the intermediate certificate was not in the cacerts keystore.

The missing intermediate certificate was breaking the certificate chain, so I had to import it into the keystore. I downloaded the missing intermediate certificate from Symantec (the download link for the missing certificate appears in the SSL handshake log: http://svrintl-g3-aia.verisign.com/SVRIntlG3.cer in my case).

Then I imported the certificate into the Java keystore. After importing the intermediate certificate, my wildcard SSL certificate finally started working:

keytool -import -keystore ../jre/lib/security/cacerts -trustcacerts -alias "VeriSign Class 3 International Server CA - G3" -file /pathto/SVRIntlG3.cer

And voila!
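To see where a chain like this actually breaks, here is a small diagnostic I would add (example code written for this post, not the author's program and not an Oracle or Symantec tool). It assumes you have saved the certificates the server presents to a PEM file, leaf first, and pass that file plus the path to cacerts on the command line; the class name, file names and messages are my own. It walks from the leaf to each issuer by distinguished name, which is the lookup that fails with "unable to find valid certification path", and reports the first issuer that is neither sent by the server nor present in the trust store. Once an anchor is found it runs the JDK's PKIX validator over the built path, so signatures and validity periods are checked as well.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

// Hypothetical diagnostic, not code from the original post.
// Usage: java ChainCheck <chain.pem> <path/to/cacerts> [storepass]
// chain.pem holds the certificates the server presented, leaf first.
public class ChainCheck {

    static KeyStore loadTrustStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray()); // cacerts ships with password "changeit"
        }
        return ks;
    }

    static List<X509Certificate> readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    // Trust-store entry whose subject DN equals the given DN, or null if there is none.
    static X509Certificate findAnchor(KeyStore ks, X500Principal subject) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSubjectX500Principal().equals(subject)) {
                return (X509Certificate) c;
            }
        }
        return null;
    }

    // Walks leaf -> issuer by DN, the way PKIX path building does. The first issuer
    // that is neither in the presented chain nor in the trust store is the gap
    // behind "unable to find valid certification path to requested target".
    static String check(List<X509Certificate> chain, KeyStore ks) throws Exception {
        if (ks.getCertificateAlias(chain.get(0)) != null) {
            return "Leaf certificate is itself in the trust store";
        }
        List<X509Certificate> path = new ArrayList<>();
        X509Certificate current = chain.get(0);
        for (int hops = 0; hops < chain.size(); hops++) { // bounded: guards against DN loops
            path.add(current);
            X500Principal issuer = current.getIssuerX500Principal();
            X509Certificate anchor = findAnchor(ks, issuer);
            if (anchor != null) {
                // Signature and validity-period check of the built path against that anchor.
                PKIXParameters params = new PKIXParameters(
                        Collections.singleton(new TrustAnchor(anchor, null)));
                params.setRevocationEnabled(false); // offline check here; keep revocation on in real clients
                CertPathValidator.getInstance("PKIX").validate(
                        CertificateFactory.getInstance("X.509").generateCertPath(path), params);
                return "OK: chain anchors at trust store entry " + issuer;
            }
            if (issuer.equals(current.getSubjectX500Principal())) {
                return "Chain ends at an untrusted self-signed certificate: " + issuer;
            }
            X509Certificate next = null;
            for (X509Certificate c : chain) {
                if (c.getSubjectX500Principal().equals(issuer)) { next = c; break; }
            }
            if (next == null) {
                return "Missing issuer, not sent by the server and not in cacerts: " + issuer
                     + "\nFix the server to send the full chain, or import this CA with keytool.";
            }
            current = next;
        }
        return "Chain does not terminate in a trust anchor";
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = readChain(args[0]);
        KeyStore ks = loadTrustStore(args[1], args.length > 2 ? args[2] : "changeit");
        try {
            System.out.println(check(chain, ks));
        } catch (CertPathValidatorException e) {
            System.out.println("Path found but invalid: " + e.getMessage());
        }
    }
}
```

Compile and run with javac ChainCheck.java followed by java ChainCheck chain.pem $JAVA_HOME/jre/lib/security/cacerts. One thing to keep in mind about the keytool fix above: anything imported into cacerts becomes a trust anchor in its own right, so the imported intermediate is trusted on that JVM regardless of which root signed it. A server that does not send its intermediate is the usual cause of this error, and configuring the server to send the full chain fixes it for every client rather than for one keystore.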

Hooking up Cloud Foundry app to New Relic

How to integrate Cloud Foundry and New Relic

New Relic provides in-depth insight into your apps. Now how can you benefit from it using Cloud Foundry and the Java buildpack? This is easy, read on!

If you are using the hosted version, you can easily add New Relic to your application through the marketplace.


After the New Relic service has been bound to your application, it takes a few minutes before data starts to appear. Eventually your dashboard will start showing data.


Users who run a private Cloud Foundry installation, or who want to hook up an existing New Relic account to their application, can do the following. Create a user-provided service (see the New Relic constraints described here: https://github.com/cloudfoundry/java-buildpack/blob/master/docs/framework-new-relic.md#configuration). Make sure that the service name contains newrelic. Next, specify your New Relic licenseKey.

cf create-service user-provided
Name?> newrelic-some_unique_string
What credential parameters should applications use to connect to this service instance?
(e.g. hostname, port, password)> licenseKey
licenseKey> newrelic_license_key
Creating service newrelic-some_unique_string... OK

Now bind the service to your app:

cf bind-service newrelic-some_unique_string
1: helloworld
Which application?> 1

Restart your app and you are done!

cf restart helloworld
Using manifest file manifest.yml
Stopping helloworld... OK
Preparing to start helloworld... OK
-----> Downloaded app package (5.5M)
-----> Downloaded app buildpack cache (39M)
Initialized empty Git repository in /tmp/buildpacks/java-buildpack.git/.git/
-----> Downloading OpenJDK 1.7.0_45 from http://download.pivotal.io.s3.amazonaws.com/openjdk/lucid/x86_64/openjdk-1.7.0_45.tar.gz (0.2s)
       Expanding JRE to .java (0.8s)
-----> Downloading New Relic Agent 3.1.1 from http://download.pivotal.io.s3.amazonaws.com/new-relic/new-relic-3.1.1.jar (7.3s)
-----> Downloading Spring Auto-reconfiguration 0.7.2 from http://download.pivotal.io.s3.amazonaws.com/auto-reconfiguration/auto-reconfiguration-0.7.2.jar (0.2s)
       Modifying /WEB-INF/web.xml for Auto Reconfiguration
-----> Downloading Tomcat 7.0.47 from http://download.pivotal.io.s3.amazonaws.com/tomcat/tomcat-7.0.47.tar.gz (0.2s)
       Expanding Tomcat to .tomcat (0.1s)
-----> Downloading Buildpack Tomcat Support 1.1.1 from http://download.pivotal.io.s3.amazonaws.com/tomcat-buildpack-support/tomcat-buildpack-support-1.1.1.jar (0.2s)
-----> Uploading droplet (48M)

After a few minutes, data starts appearing in New Relic.


You are now ready to do awesome stuff with all this information.

More info on user provided services: http://docs.cloudfoundry.com/docs/using/services/user-provided.html

Some background info for New Relic: https://newrelic.com/about

Funny job requests

Today I received this email. In Dutch, "paas haas" means Easter Bunny.

Dear Stephan

We are currently searching for a Cloud Consultant to work in Den Haag, The Netherlands for 2 months plus extensions. This is a fantastic contract opportunity for a large multi-national client.

The ideal candidate must have the following skills:

Investigate opportunities to develop a PAAS/HAAS service for GF IT projects that allows projects to quickly build up project systems in the cloud that can be easily dismantled once the project is completed or does not require the system any longer.

Nexus installation on Tomcat 7 with JDK7

I tried to install Nexus 1.9.2.2 OSS on my Tomcat 7.0.20 with the new Oracle JDK 7. This was not a big success. OK, first of all, make sure to use the unpacked version of the Nexus WAR, or else it won't be able to find the NEXUS_PLEXUS_WORK environment variable.

Second, you need to patch the unpacked WAR: strip out xstream-1.3 and add the latest snapshot. Also add the latest xmlpull.org API jar to WEB-INF/lib of the unpacked Nexus WAR.

For more info, see this JIRA ticket.

Git server on Windows

DVCS

Distributed version control systems have gained a lot of attention over the last few years. There are many hosting providers that offer free DVCS space on the web. But there are situations where you want to run your own private DVCS server and do not want to use a public, hosted DVCS service like Gitorious, GitHub or BitBucket. Of course you can always buy a commercial offering for a private DVCS solution.

The nice thing about a DVCS is that there is not one version; there are multiple 'versions' of a source tree. But at some point you do want a central location to store your (release) sources. In this article I will explain how to set up a Git server on a Windows machine, using Apache to serve Git requests over HTTP.

If you want to know more, Atlassian has an excellent presentation on DVCS, recorded at the Atlassian Summit last June. And Linus Torvalds' talk on Git is worth your time: http://www.youtube.com/watch?v=4XpnKHJAok8

msysgit

You will need to install msysgit; I used msysGit-fullinstall-1.7.6-preview20110708.exe. On my machine I installed msysgit to D:/dev/msysgit.

Repositories

Create a directory to contain your Git repositories, for example D:/dev/repo/git. To get started, go to that directory and create an empty bare Git repository:

cd D:/dev/repo/git
git init --bare Test.git

Apache configuration

In this tutorial I use Apache 2.2.19. You need to set up git-http-backend.exe in order to serve Git through Apache. First copy ..\msysgit\mingw\bin\libiconv-2.dll to ..\msysgit\libexec\git-core, or else you will get a 500 error from Apache. To test whether your setup works, run ..\msysgit\libexec\git-core\git-http-backend.exe

Add the following to your Apache conf\httpd.conf:

SetEnv GIT_PROJECT_ROOT D:/dev/repo/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAliasMatch \
        "(?x)^/(.*/(HEAD | \
                        info/refs | \
                        objects/(info/[^/]+ | \
                                 [0-9a-f]{2}/[0-9a-f]{38} | \
                                 pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                        git-(upload|receive)-pack))$" \
                        "D:/dev/msysgit/libexec/git-core/git-http-backend.exe/$1"

I also made the Apache DocumentRoot point to my Git repos:

DocumentRoot "D:/dev/repo/git"

<Directory "D:/dev/repo/git">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

The result:

Using the repo

You can create a local copy of this Git repo using the clone command.

git clone http://localhost/Test.git

Warning

Make sure that you set up authentication if you do not want your sources to become publicly available. This can be done using the regular Apache authentication modules.
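One way to add that authentication, given as an added example rather than the post's own configuration (the realm name and the user-file path are placeholders), is to require HTTP Basic login for every URL on the server. In Apache 2.2 this combines with the Allow from all in the Directory block above because Satisfy defaults to All, and a Location covering / also protects the directory listing that Options Indexes enables on the DocumentRoot:

```apache
# Added example, not from the original post. Paths and realm are placeholders.
# Create the user file with: htpasswd -c D:/dev/repo/git-users.htpasswd alice
<Location />
    AuthType Basic
    AuthName "Git repositories"
    AuthUserFile "D:/dev/repo/git-users.htpasswd"
    Require valid-user
</Location>
```

Basic credentials are only base64-encoded on the wire, so once the server is reachable beyond localhost serve it over HTTPS with mod_ssl; clients then clone with git clone https://alice@yourhost/Test.git and are prompted for the password.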

Links

Many thanks to: http://www.jeremyskinner.co.uk/2010/07/31/hosting-a-git-server-under-apache-on-windows/