Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-65941

bfa cannot connect to DocumentDB(mongodb) if tls is enabled

      Currently BFA plugin cannot be used with DocumentDB(mongodb) in AWS if TLS is enabled. With TLS being enabled, we need to pass path of .pem file. With current configuration we cannot pass .pem file and it can be only used if TLS is disabled. Based on latest security practices, TLS should be enable to make sure data is encrypted in Transit. So i will request to add that capability in the plugin as well. I am marking this bug as Blockers because there is no workaround to this and it is mandatory to use TLS connection to enable data encryption in transit 

       

      Error Details

      Could not connectcom.mongodb.MongoTimeoutException: Timed out after 5000 ms while waiting to connect. Client view of cluster state is {type=UNKNOWN, servers=[{address=build-failure-analyzer.cluster-cpp9mkcosz3j.us-west-2.docdb.amazonaws.com:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}}]
      	at com.mongodb.internal.connection.BaseCluster.getDescription(BaseCluster.java:177)
      	at com.mongodb.internal.connection.SingleServerCluster.getDescription(SingleServerCluster.java:42)
      	at com.mongodb.client.internal.MongoClientDelegate.getConnectedClusterDescription(MongoClientDelegate.java:135)
      	at com.mongodb.client.internal.MongoClientDelegate.createClientSession(MongoClientDelegate.java:95)
      	at com.mongodb.client.internal.MongoClientDelegate$DelegateOperationExecutor.getClientSession(MongoClientDelegate.java:266)
      	at com.mongodb.client.internal.MongoClientDelegate$DelegateOperationExecutor.execute(MongoClientDelegate.java:170)
      	at com.mongodb.client.internal.MongoDatabaseImpl.executeCommand(MongoDatabaseImpl.java:194)
      	at com.mongodb.client.internal.MongoDatabaseImpl.runCommand(MongoDatabaseImpl.java:163)
      	at com.mongodb.client.internal.MongoDatabaseImpl.runCommand(MongoDatabaseImpl.java:158)
      	at com.mongodb.client.internal.MongoDatabaseImpl.runCommand(MongoDatabaseImpl.java:148)
      	at com.sonyericsson.jenkins.plugins.bfa.db.MongoDBKnowledgeBase$MongoDBKnowledgeBaseDescriptor.doTestConnection(MongoDBKnowledgeBase.java:854)
      	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
      	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
      	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
      	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
      	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
      	at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
      	at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1631)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      	at com.splunk.splunkjenkins.WebPostAccessLogger.doFilter(WebPostAccessLogger.java:39)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at org.jenkinsci.plugins.corsfilter.AccessControlsFilter.doFilter(AccessControlsFilter.java:79)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at com.cloudbees.jenkins.support.slowrequest.SlowRequestFilter.doFilter(SlowRequestFilter.java:37)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at com.smartcodeltd.jenkinsci.plugin.assetbundler.filters.LessCSS.doFilter(LessCSS.java:47)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
      	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
      	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:117)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1618)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:549)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1610)
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1369)
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:489)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1580)
      	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1284)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      	at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:54)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
      	at org.eclipse.jetty.server.Server.handle(Server.java:501)
      	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
      	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:272)
      	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
      	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
      	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
      	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
      	at java.lang.Thread.run(Thread.java:748)
      

       

       

          [JENKINS-65941] bfa cannot connect to DocumentDB(mongodb) if tls is enabled

          Rajeev added a comment -

          This is currently blocking us from using DocumentDB as knowledgebase, since it is mandatory to use TLS connection to enable data encryption in transit 

          Rajeev added a comment - This is currently blocking us from using DocumentDB as knowledgebase, since it is mandatory to use TLS connection to enable data encryption in transit 

          Carl added a comment -

          Hitting this issue too. There should be a way to use TLS with AWS DocumentDB, if we could configure the PEM.

          Carl added a comment - Hitting this issue too. There should be a way to use TLS with AWS DocumentDB, if we could configure the PEM.

          Rajeev added a comment -

          Any update on this as this is currently blocking us from using this plugin ?

          Rajeev added a comment - Any update on this as this is currently blocking us from using this plugin ?

          I understand that this is blocking you, unfortunately, I can't prioritize solving this anytime soon since we aren't using TLS ourselves in my company.

          I would say that your best bet is creating a pull request that solves the issue yourself, I'd be happy to review it.

          Tomas Westling added a comment - I understand that this is blocking you, unfortunately, I can't prioritize solving this anytime soon since we aren't using TLS ourselves in my company. I would say that your best bet is creating a pull request that solves the issue yourself, I'd be happy to review it.

            t_westling Tomas Westling
            ranjanr Rajeev
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: