JENKINS-26403

SNI Support when using Artifactory behind HTTPS

Details

    Description

      When trying to deploy an artifact to Artifactory behind HTTPS, when there is more than one HTTPS site hosted on the same server/IP address, the following error is thrown.

      Need to update Apache HTTPClient/HttpComponents to 4.3.2+. I would recommend 4.3.5.

      This issue means that nothing can be deployed to Artifactory!!!

      Error:

      Deploying artifact: https://repo.build.coy.com/artifactory/cs-snapshot/au/com/coy/skynet/spark-fire_2.10/0.1.0-SNAPSHOT/spark-fire_2.10-0.1.0-SNAPSHOT-sources.jar
      ERROR: hostname in certificate didn't match: <repo.build.coy.com.au> != <docker.build.coy.com.au> OR <docker.build.coy.com.au> OR <www.docker.build.coy.com.au>
      javax.net.ssl.SSLException: hostname in certificate didn't match: <repo.build.coy.com.au> != <docker.build.coy.com.au> OR <docker.build.coy.com.au> OR <www.docker.build.coy.com.au>
      at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
      at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
      at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
      at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
      at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
      at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
      at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
      at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
      at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
      at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
      at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
      at org.jfrog.build.client.PreemptiveHttpClient.execute(PreemptiveHttpClient.java:88)
      at org.jfrog.build.client.ArtifactoryHttpClient.execute(ArtifactoryHttpClient.java:193)
      at org.jfrog.build.client.ArtifactoryHttpClient.upload(ArtifactoryHttpClient.java:189)
      at org.jfrog.build.client.ArtifactoryBuildInfoClient.uploadFile(ArtifactoryBuildInfoClient.java:522)
      at org.jfrog.build.client.ArtifactoryBuildInfoClient.deployArtifact(ArtifactoryBuildInfoClient.java:302)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer$FilesDeployerCallable.deploy(GenericArtifactsDeployer.java:182)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer$FilesDeployerCallable.invoke(GenericArtifactsDeployer.java:154)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer$FilesDeployerCallable.invoke(GenericArtifactsDeployer.java:122)
      at hudson.FilePath.act(FilePath.java:918)
      at hudson.FilePath.act(FilePath.java:896)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer.deploy(GenericArtifactsDeployer.java:82)
      at org.jfrog.hudson.generic.ArtifactoryGenericConfigurator$1.tearDown(ArtifactoryGenericConfigurator.java:276)
      at hudson.model.Build$BuildExecution.doRun(Build.java:171)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
      at hudson.model.Run.execute(Run.java:1759)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:89)
      at hudson.model.Executor.run(Executor.java:240)
      [WARNINGS] Skipping publisher since build result is FAILURE

        Activity

          danielbeck Daniel Beck added a comment -

          Why not just use a valid SSL cert (e.g. for *.build.coy.com.au)? Or simply a cert for repo.build.coy.com.au? Or does SNI not work for some reason?

          nightwolfzor Night Wolf added a comment -

          Both Certs are valid. The problem is they both exist on the same host. Typically SSL wants a unique IP per host. Hence the need for SNI.

          This plugin uses Artifactory's build info plugin, which uses httpclient. Http client only added SNI support in 4.3.2; see https://issues.apache.org/jira/plugins/servlet/mobile#issue/HTTPCLIENT-1119

          So the plugin needs to be updated with a new version of buildinfo, which needs a later version of httpclient.

          danielbeck Daniel Beck added a comment -

          That wasn't clear to me from the report. Thanks for the explanation!

          jplock Justin Plock added a comment -

          This doesn't appear to be specific to just artifactory. Anything using the maven-deploy-plugin and trying to upload artifacts to an SSL host that has multiple certificates sharing the same IP address has this problem.

          yossis yossis added a comment -

          We upgraded the http client to support SNI. Please track the issue on the official plugin Jira - https://www.jfrog.com/jira/browse/HAP-556


          mreinhardt Martin Reinhardt added a comment -

          updated httpcomponents. Will be included in next release

          People

            mreinhardt Martin Reinhardt
            nightwolfzor Night Wolf
            Votes: 4
            Watchers: 8
