URGENT: SSL Apache configuration for services.gradle.org is bad

Hi Guys,
I thought I should make you guys aware that people in the #android-dev and #gradle channels on Freenode IRC have noticed that services.gradle.org is failing its cert because it's offering a cert for code-review.gradle.org. This certificate was created 8th April 2015. So I would suppose this has either been an issue since then or just this past night if the server/s were rebooted.

This is obviously an issue for Android development as all new projects in Android Studio will attempt to download the latest gradle wrapper using https://services.gradle.org/distributions/gradle-2.2.1-all.zip and is now failing.

@hansd saw your talk at DroidCon London last October… congratulations it was most enlightening! Didn’t get a chance to say hello and thank you at the time.

Simon

We’re unable to build either (Travis). One temporary workaround is to replace the distributionUrl URL in the gradle-wrapper.properties with an http one but of course this is awkward.
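
Added example, not part of the post above and not Gradle's own code: switching distributionUrl to http removes the TLS check that protected the download, so the archive needs to be verified another way. This shell sketch reads a gradle-wrapper.properties, rejects a plaintext URL that has no pinned distributionSha256Sum (the wrapper's checksum property, assumed available in the wrapper version in use), and compares a downloaded zip against the pin. The function names are hypothetical, and the pinned value is assumed to come from a channel you trust.

```shell
#!/bin/sh
# Added example: audit gradle-wrapper.properties and verify a downloaded
# distribution against the pinned distributionSha256Sum.

# prop FILE KEY -> value of KEY, with the properties-file "\:" escape undone
prop() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/\\:/:/g' | tr -d '\r'
}

# sha256_of FILE -> lowercase hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_wrapper PROPS ZIP -> prints one verdict line; returns 0 only when the
# download is acceptable, 1 on an integrity problem, 2 on an unparsable URL
check_wrapper() {
    url=$(prop "$1" distributionUrl)
    pinned=$(prop "$1" distributionSha256Sum | tr 'A-F' 'a-f')
    case "$url" in
        https://*) scheme=https ;;
        http://*)  scheme=http ;;
        *) echo "ERROR unrecognised distributionUrl: $url"; return 2 ;;
    esac
    if [ -z "$pinned" ]; then
        if [ "$scheme" = http ]; then
            # No TLS and no checksum: nothing authenticates the archive.
            echo "FAIL plaintext download with no pinned checksum"; return 1
        fi
        echo "WARN https download, no pinned checksum"; return 0
    fi
    actual=$(sha256_of "$2")
    if [ "$actual" != "$pinned" ]; then
        echo "FAIL checksum mismatch for $2"; return 1
    fi
    echo "OK $scheme download matches pinned checksum"; return 0
}
```

Run it as check_wrapper gradle/wrapper/gradle-wrapper.properties path/to/downloaded.zip and treat any non-zero exit status as a build failure.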

Seeing the same issues with the following error:
Exception in thread "main" java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching services.gradle.org found.

Thanks for reporting this. We’re working on a fix

It looks as though this might be fixed - my browser is reporting that the cert for services.gradle.org is valid, and when I run:

gradle <command>

in my working directory, everything is fine.

However, if I use my gradle wrapper (./gradlew <command>), I get:

Downloading https://services.gradle.org/distributions/gradle-2.2.1-bin.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.gradle.wrapper.Download.downloadInternal(Download.java:56)
    at org.gradle.wrapper.Download.download(Download.java:42)
    at org.gradle.wrapper.Install$1.call(Install.java:57)
    at org.gradle.wrapper.Install$1.call(Install.java:44)
    at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:65)
    at org.gradle.wrapper.Install.createDist(Install.java:44)
    at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:126)
    at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:56)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1421)
    ... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 25 more

I suspect this might be related, but I’m not sure.

Doing a ./gradlew clean addressed that for me – I think it caches the bad cert somewhere.

@jhogan4269 Thanks for the advice, but that seems to still not have worked. ./gradlew clean still wants to download gradle 2.2.1 for some reason for me - that’s the step it can’t seem to get past. :(

@jhogan4269 Well, I’ll be. Actually, it worked this time. My apologies. Thanks for the tip!

No problem! Glad it worked.

@jwir3 Hi, I am still not able to get past ./gradlew clean; it still requires a download, which causes the same exception as yours above. How did you manage to clean it?

OK, after a couple of hours of being desperate I found out that my security suite (new version of ESET) has a switch for turning off SSL man-in-the-middle in the advanced options. After switching this off everything is working fine.

@Vouskopes why was it complaining? As far as I’m aware, our setup is completely valid.

I can still see this issue in 2.6 on Ubuntu 14.04 and Java 8. Tried to run this:

openssl s_client -connect services.gradle.org:443 > ~/ssl_certs/services.gradle.org.pem

Then cut the unnecessary bit from the pem file and imported it into the Java cert store:

sudo ${JAVA_HOME}/jre/bin/keytool -import -alias services.gradle.org -keypass changeit -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file ~/ssl_certs/services.gradle.org.pem

but to no avail.

Solved thanks to this: Stackoverflow post

Sorry. I don’t know how this certificate validation works. It’s highly likely an issue with the ESET security suite, NOT Gradle’s, because we had similar problems elsewhere.