SSL problem when downloading plugin from OpenJDK 1.7

Help/Discuss
1

From a Travis openjdk7 image, the downloading of https://plugins.gradle.org/api/gradle/2.2.1/plugin/use/com.jfrog.bintray/1.7.1 started failing with a “peer not authenticated” failure. This started happening the week of July 17, 2017.

The same build works from a OracleJDK 8 image.

The Travis image is launched from github. The failure occurs trying to download the ‘com.jfrog.bintray’ plugin, version 1.7.1.

plugins {
id 'java’
id 'maven’
id 'maven-publish’
id ‘com.jfrog.bintray’ version '1.7.1’
id ‘application’
}

I suspect that the plugins.gradle.org SSL configuration is no longer compatible with with the SSL support offered in OpenJDK 1.7.

The same error occurs when using gradle 4.0.1 from gradle wrapper.

Below is a snippet of the log of the failure. Thanks for any help or information.

OpenJDK 64-Bit Server VM (build 24.121-b00, mixed mode)
$ javac -J-Xmx32m -version
javac 1.7.0_121
travis_time:start:03016c58
e[0K$ for mod in cadc-access-control cadc-access-control-identity cadc-access-control-server cadc-access-control-admin cadc-tomcat; do cd $mod; gradle --info build javadoc install || break -1; cd …; done
e[0mStarting Build
e[1m> Loadinge[22me[1m > Resolving dependencies 'classpath’e[22me[37De[0Ke[9De[0KSettings evaluated using empty settings script.
e[1m> Loadinge[22me[9De[0Ke[1Ae[47C
e[1m> Loadinge[22me[7De[1mConfiguringe[22me[13De[0KProjects loaded. Root project using build file ‘/home/travis/build/opencadc/ac/cadc-access-control/build.gradle’.
e[1m> Configuringe[22me[13De[0Ke[1Ae[113C
e[1m> Configuringe[22me[13De[0KIncluded projects: [root project ‘cadc-access-control’]
e[1m> Configuringe[22me[13De[0Ke[1Ae[55C
e[1m> Configuringe[22me[1m > 0/1 projectse[22me[1m > root projecte[22me[43De[0KEvaluating root project ‘cadc-access-control’ using build file ‘/home/travis/build/opencadc/ac/cadc-access-control/build.gradle’.
e[1m> Configuring > 0/1 projects > root projecte[22me[43De[0Ke[1Ae[129C
e[1m> Configuring > 0/1 projects > root projecte[22me[1m > Compiling script into cachee[22me[73De[0KCompiling build file ‘/home/travis/build/opencadc/ac/cadc-access-control/build.gradle’ using StatementExtractingScriptTransformer.
e[1m> Configuring > 0/1 projects > root project > Compiling script into cachee[22me[73De[0Ke[1Ae[130C
e[1m> Configuring > 0/1 projects > root project > Compiling script into cachee[22me[30De[0Ke[15De[0Ke[12De[1m1/1 projectse[22me[28De[0K
e[1m> Configuring > 1/1 projectse[22me[28De[0Ke[31mFAILURE: e[39m
e[1m> Configuring > 1/1 projectse[22me[28De[0Ke[1Ae[9Ce[31mBuild failed with an exception.e[39m
e[1m> Configuring > 1/1 projectse[22me[28De[0Ke[1Ae[40C
e[1m> Configuring > 1/1 projectse[22me[28De[0K
e[1m> Configuring > 1/1 projectse[22me[28De[0K* Where:
e[1m> Configuring > 1/1 projectse[22me[28De[0KBuild file ‘/home/travis/build/opencadc/ac/cadc-access-control/build.gradle’ line: 5
e[1m> Configuring > 1/1 projectse[22me[28De[0K
e[1m> Configuring > 1/1 projectse[22me[28De[0K* What went wrong:
e[1m> Configuring > 1/1 projectse[22me[28De[0KError resolving plugin [id: ‘com.jfrog.bintray’, version: ‘1.7.1’]
e[1m> Configuring > 1/1 projectse[22me[28De[0Ke[33m> e[39m
e[1m> Configuring > 1/1 projectse[22me[28De[0Ke[1Ae[2CCould not GET ‘https://plugins.gradle.org/api/gradle/2.2.1/plugin/use/com.jfrog.bintray/1.7.1’.
e[1m> Configuring > 1/1 projectse[22me[28De[0K
e[1m> Configuring > 1/1 projectse[22me[28De[0Ke[1Ae[3Ce[33m> e[39m
e[1m> Configuring > 1/1 projectse[22me[28De[0Ke[1Ae[5Cpeer not authenticated

2

Some more information:

When I added SSL debugging to the gradle build, it became obvious that the server certificate used at https://plugins.gradle.org is not trusted by default trustStore in openjdk7:

e[1m> Configuring > 0/1 projects > root projecte[22me[43De[0Kmain, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So, I guess the server certs were changed at plugins.gradle.org in a way that no longer work with java 1.7?

This is strange though: the firefox certificate inspection tool can’t derive any information for the cert:

plugins.gradle.org.png777×578 39.6 KB

Brian

3

Hi @brianmajor,

We haven’t made any changes to plugins.gradle.org. I’ll check with the service provider we are using for SSL termination.

However, the fact that we aren’t getting more reports about this being broken leads me to believe that this is something environmental on your machine. Could you try on another machine?

4

Thanks for looking into it.

I have found a work-around on my travis openjdk7 container: In the .travis.yml file, I added a before_script block that uses openssl to download the cert from plugins.gradle.org and then uses keytool to install it in the java truststore. The download of the bintray plugin from gradle works with that in place.

Brian