JENKINS-52359

Cannot use custom CA Cert with vault plugin


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: hashicorp-vault-plugin
    • Labels: None

      Description

      I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work; apologies if it's something I've set up incorrectly.

      Inside the container, I've used SSLPoke (from here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html ) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore, and it was:

      $JAVA_HOME/bin/java SSLPoke 1.2.3.4 1234
      Successfully connected

      Note: if it matters I am connecting to the vault IP and not a hostname.

      Inside the container, JAVA_HOME is /docker-java-home and /docker-java-home/jre/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts (which does contain the custom CA cert).

      My global configuration looks like (with actual values instead of these dummies):


      Vault URL: https://1.2.3.4:1234
      Vault Credential: Vault Jenkins Approle 1

      My pipeline is defined like so:

      node {
          // define the secrets and the env variables
          def secrets = [
              [
                  $class: 'VaultSecret', path: 'jenkins/test', secretValues: [
                      [$class: 'VaultSecretValue', envVar: 'blah1', vaultKey: 'value']
                  ]
              ],
          ]

          def configuration = [$class: 'VaultConfiguration',
                               vaultCredentialId: 'vault-jenkins-approle-1']

          stage('Test') {
              // inside this block your credentials will be available as env variables
              wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
                  sh 'echo "blah1: $blah1"'
              }
          }
      }

      And here is the output:

      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Test)
      [Pipeline] wrap
      [Pipeline] // wrap
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
      	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
      	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
      	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
      Caused: sun.security.validator.ValidatorException: PKIX path building failed
      	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
      	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
      	at sun.security.validator.Validator.validate(Validator.java:260)
      	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
      	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
      	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
      Caused: javax.net.ssl.SSLHandshakeException
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
      	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
      	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
      	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
      	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
      	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
      	at com.bettercloud.vault.rest.Rest.postOrPutImpl(Rest.java:369)
      Caused: com.bettercloud.vault.rest.RestException
      	at com.bettercloud.vault.rest.Rest.postOrPutImpl(Rest.java:386)
      	at com.bettercloud.vault.rest.Rest.post(Rest.java:276)
      	at com.bettercloud.vault.api.Auth.loginByAppRole(Auth.java:228)
      Caused: com.bettercloud.vault.VaultException
      	at com.bettercloud.vault.api.Auth.loginByAppRole(Auth.java:253)
      	at com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential.authorizeWithVault(VaultAppRoleCredential.java:42)
      	at com.datapipe.jenkins.vault.VaultAccessor.auth(VaultAccessor.java:29)
      	at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:142)
      	at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:91)
      	at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution.start(CoreWrapperStep.java:80)
      	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:224)
      	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150)
      	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108)
      	at sun.reflect.GeneratedMethodAccessor3640.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
      	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
      	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
      	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
      	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
      	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:157)
      	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)
      	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:159)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
      	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
      Caused: com.datapipe.jenkins.vault.exception.VaultPluginException: could not log in into vault
      	at com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential.authorizeWithVault(VaultAppRoleCredential.java:44)
      	at com.datapipe.jenkins.vault.VaultAccessor.auth(VaultAccessor.java:29)
      	at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:142)
      	at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:91)
      	at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution.start(CoreWrapperStep.java:80)
      	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:224)
      	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150)
      	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108)
      	at sun.reflect.GeneratedMethodAccessor3640.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
      	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
      	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
      	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
      	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
      	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
      	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:157)
      	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)
      	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:159)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
      	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
      	at WorkflowScript.run(WorkflowScript:17)
      	at ___cps.transform___(Native Method)
      	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
      	at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      	at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
      	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
      	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:173)
      	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:162)
      	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
      	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
      	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:162)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32)
      	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:330)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:82)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:242)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:230)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131)
      	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      Finished: FAILURE


          Activity

          muddyb0y Raphael Pigulla added a comment -

          I'm having the same issue. Did you ever find a solution?

          chrishiestand Chris Hiestand added a comment - - edited

          No. I switched to concourse CI which has really good vault integration and supports custom CA certs. But this issue was not the only reason why I switched.

          mtabolsky Michael Tabolsky added a comment -

          For anyone bumping into this, the plugin uses BetterCloud's code to access Vault and all the communication stuff is done there. FWIW, you can disable the certificate validation by setting the environment variable VAULT_SSL_VERIFY to "false", or in case of a custom CA you have to extend the plugin's capabilities to allow the keystore to be configured as described here

          sce81 Simon Elliott added a comment -

          I've hit this same issue. I want to use a self-signed certificate and an internal domain. Vault is happy to talk to itself with this certificate, but I can't retrieve secrets from it using this plug-in, with the same error described above.

          xtigyro Xtigyro added a comment -

          Hi Team - I've hit the same issue. Is it going to be fixed any time soon?

          yrsurya suryatej yaramada added a comment -

          Any update on this issue, as we are also facing a similar problem?

          casz Joseph Petersen (old) added a comment -

          Should be fixed in v3.0.0: https://github.com/jenkinsci/hashicorp-vault-plugin/releases/tag/hashicorp-vault-plugin-3.0.0 For it to work you need to import your certificate into the default truststore. https://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail
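To check, from inside the Jenkins JVM itself, the two things this thread turns on (which truststore the JVM really loads and whether the custom CA is in it, then whether an HttpsURLConnection, the client path shown in the stack trace, accepts Vault's certificate), here is an added diagnostic for the Jenkins Script Console; it is not part of the plugin or of any comment above. The Vault URL and the CA subject DN are placeholders to replace with your own values.

```groovy
// Added diagnostic for the Jenkins Script Console (not plugin code).
// Placeholders: vaultUrl and caSubject must be replaced with real values.
import java.security.KeyStore
import java.security.cert.X509Certificate
import javax.net.ssl.HttpsURLConnection

def vaultUrl  = 'https://1.2.3.4:1234'      // placeholder, same shape as the report's dummy URL
def caSubject = 'CN=Example Internal CA'    // placeholder: subject DN of the custom CA

// 1. Which truststore does this JVM use? -Djavax.net.ssl.trustStore wins if set;
//    otherwise the JRE default under java.home (lib/security/cacerts). On Java 8
//    java.home is $JAVA_HOME/jre, which matches the symlinked path in the report.
def tsPath = System.getProperty('javax.net.ssl.trustStore') ?:
             "${System.getProperty('java.home')}/lib/security/cacerts"
def tsPass = (System.getProperty('javax.net.ssl.trustStorePassword') ?: 'changeit').toCharArray()
println "java.home  = ${System.getProperty('java.home')}"
println "truststore = ${tsPath} -> ${new File(tsPath).canonicalPath}"   // follows symlinks

// 2. Is the custom CA actually present in that store?
def ks = KeyStore.getInstance(KeyStore.getDefaultType())
new File(tsPath).withInputStream { ks.load(it, tsPass) }
def alias = ks.aliases().toList().find { a ->
    def c = ks.getCertificate(a)
    c instanceof X509Certificate && c.subjectX500Principal.name == caSubject
}
println alias ? "CA found under alias '${alias}'" : "CA NOT found in ${tsPath}"

// 3. Connect the way the plugin's HTTP client does (HttpsURLConnection with the
//    default SSLContext). A PKIX error here is the JVM rejecting the chain, so the
//    fix is in the truststore, not in the pipeline definition. /v1/sys/health needs
//    no token, so this tests only TLS, not AppRole credentials.
try {
    def conn = (HttpsURLConnection) new URL("${vaultUrl}/v1/sys/health").openConnection()
    conn.connectTimeout = 5000
    conn.readTimeout = 5000
    conn.connect()
    def leaf = conn.serverCertificates[0] as X509Certificate
    println "TLS handshake OK, HTTP ${conn.responseCode}, server cert: ${leaf.subjectX500Principal.name}"
    conn.disconnect()
} catch (Exception e) {
    println "TLS/HTTP failure: ${e}"
}
```

If step 2 reports the CA but step 3 still fails, compare the canonical truststore path printed in step 1 with the file you imported into; a second JVM installation or a trustStore system property pointing elsewhere is the usual reason SSLPoke and Jenkins disagree.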

            People

            Assignee: jetersen Joseph Petersen
            Reporter: chrishiestand Chris Hiestand
            Votes: 2
            Watchers: 8