I am using pyspark and when I initiate my Spark session I fetch some packages from a Nexus internal repository using the spark.jars.package. To fetch the packages I set:
spark.jars.ivySettings to point to a XML file with the locations in the Nexus internal repo to fetch the packages
spark.driver.extraJavaOptions set to -Djavax.net.ssl.trustStore= to point to JKS file containing the certificates needed for SSL verification in the Nexus internal repo
This setup was working well for me until recently, when I started getting SSL authentication errors of the type:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target)
I am checking with platform team what is causing these errors, but meanwhile, I would like to simply disable SSL verification for the purpose of fetching packages using spark.jars.packages, since there is no security risk as the system is properly ringfenced and we already disable SSL authentication for other purposes such as installing pip packages or downloading files from Nexus using wget/curl.
Is there some way to do so via the Spark configuration?
You can pass in SPARK options:
-Dcom.sun.net.ssl.checkRevocation=false
Related
I am using Eclipse Neon 6.4.3 and i am trying to deploy my project to App Engine using the Google Cloud Platform plugin for Eclipse. https://cloud.google.com/eclipse/docs/quickstart
Until the 1st of April i could deploy projects using this plugin. But after that date, i get the following error:
Failed to retrieve projects; An error occurred while retrieving projects:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuiderException: unable to find valid certification path to requested target.
Reason: Failed to retrieve projects.
Details: Failed to retrieve projects
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
After I press OK, I get the same message again. Then I get the "Deploy to App Engine Standard" menu with my account but my project list is blank.
I am working in a company that uses proxies and it's doing a SSL Inspection. I imported these 2 certificates used for SSL Inspection in my Eclipse cacerts file but i get the same error. These two certificates are issued by our internal certificate authority.
I wanted to add this as a comment, but still don't have enough points:
Are you using maven or appcfg? Have you tried using appcfg with --proxy argument?
From Deploying a Java app documentation:
If you are using an HTTP proxy, include the --proxy argument to tell appcfg its address. If you use a different proxy for HTTPS, then also include the --proxy_https argument.
The current certificate for the URL used to retrieve the projects https://cloudresourcemanager.googleapis.com/ was issued on April 5 2017, this may be the reason for the error. If you open that url and check the certificate you can verify whether it's signing CA is in the truststore you use, or you need to add either the CA or the certificate itself to your truststore.
The issue is something tricky. I tried to connect my war file to a Active Directory via LDAPS. While running with Debug Mode from IntelliJ IDEA, the code is working perfectly fine.
When I Install the war files in same or different machine, am facing this error.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The certificates are self-signed. I have added the CA.crt in truststore.jks, LDAP.cer in cacerts. I also tried adding in the `jssecacerts', but same result.
Note: Am using Apache Shiro framework.
How to avoid this error? Why it is not coming in the debug mode?
This is not a Shiro problem. It is a problem with your certificates. I suspect your IDE may be using a different Java install than where your deployed WAR is executing from.
This exception has been handled previously How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?.
Also, I found this article useful PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target..
Definitely its problem with certificates. Thing that worked for me was, placing required certificate in C -> program files-> java -> jre -> lib -> security location. After pasting cerificate at this loaction, build successful
If you are using VPN or a forward proxy, you just need to add the certificate of your proxy to Java cacerts.
check this answer on how to do that. https://stackoverflow.com/a/9619478/4144572
I am facing an issue while trying to run a RestClient through Java.
I am using Apache HttpClient for building a rest client
I have added the required certificates in the jdk cacerts file and also checked that they are present there.
Now when I am running my code from eclipse than the handshake is happening correctly without any error and I am able to send a POST request.
Now when I create a runnable jar file from eclipse with all jars packaged in it than while running I am encountering the error
Error Occurred: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Can you all please help me in resolving this.
Run your application with the following option:
java -Djava.security.debug=all ...
This will turn debugging on.
I'm assuming that your are running the jar file as a standalone application. If that is the case, the cacerts maybe different.
I have a web app running on GlassFish v3 locally. The app connects to a REST web service that is on another server (not local). The connection is done through HTTPS. While trying to connect I get:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I added the cert from the external ws directory to the local java keystore but that did not fix the problem.
Do I have to instruct GlassF to use the local keystore or something ? Or just by adding it to the java keystore it should work for the local GlassF too ?
You have two options:
1.) Replace the cacerts in the $JAVA_HOME/jre/lib/security directory with your keystore.
2.) Change the keystore at runtime like this:
System.setProperty("javax.net.ssl.keyStore", <path to the new keystore>);
System.setProperty("javax.net.ssl.keyStorePassword",<password of the keystore>);
System.setProperty("javax.net.ssl.trustStore",<path to the new keystore>);
Hope that helps!
EDIT: You might find this question helpful as well. The selected answer suggests to:
1.) Copy your keystore file to C:\glassfish3\glassfish\domains\domain1\config\
2.) Configure GlassFish to use SSL
I am somewhat new to SSL/TLS and Java trust/keystores. I am attempting to generate a client to consume a web service from a IIS-hosted WSDL file. This worked fine before the service was configured to require certificates. I now receive a Wsdl url connection exception.
In an attempt to bypass this, I saved a local copy of the WSDL via IE (with the appropriate certs in place via the Certificates MMC snap-in). I then attempted to point IDEA to that location (file:/C:/projects/wsdl/wsdlname.wsdl).
This fails with the following error messages:
parsing WSDL...
[ERROR] sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target unknown location
[ERROR] invalid entity name: "Auth" (in namespace: "******")
line 0 of unknown location
Note: I've starred out the namespace.
Is there a way to configure IntelliJ IDEA to be able to present a valid certificate if I want to use the generation utility/wizard?
Is there a potential issue with the web service that is causing even the local WSDL import to fail?
Thanks in advance.
It should help if you install the certificate into JVM that is used to run IDEA via keytool.