  1. Couchbase Server
  2. MB-47037

SSL x509 auth failing for java sdk2

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 7.1.0
    • 7.1.0
    • memcached
    • Untriaged
    • 1
    • Unknown

    Description

      We run YCSB SSL x509 auth tests for the java sdk. When running with sdk3 everything works fine, but running with sdk2 gives this error:

      javax.net.ssl.SSLHandshakeException: No trusted certificate found

      Both tests use the same cert keystore but sdk2 test sets tls version to 1.2.

      This is the sdk2 ycsb setup code: https://github.com/couchbaselabs/YCSB/blob/tmp-x509/couchbase2/src/main/java/com/yahoo/ycsb/db/couchbase2/Couchbase2Client.java#L174

      This is the sdk3 ycsb setup code: https://github.com/couchbaselabs/YCSB/blob/couchbase3/couchbase3/src/main/java/com/yahoo/ycsb/db/couchbase3/Couchbase3Client.java

       

      I see there are some commits removing bucket SASL... could this be related? Not really sure how to fix. Seems like probably an issue in our ycsb setup.

       

      This is stack trace from ycsb:

      WARNING: [herc02-sb26.perf.couchbase.com:11207][KeyValueEndpoint]: SSL Handshake Failure during connect: No trusted certificate found
      WARNING: [herc02-sb26.perf.couchbase.com:11207][KeyValueEndpoint]: SSL Handshake Failure during connect: No trusted certificate found
      Jun 18, 2021 3:43:13 PM com.couchbase.client.core.RequestHandler$1$1 onError
      WARNING: Received Error during Reconfiguration.
      javax.net.ssl.SSLHandshakeException: No trusted certificate found
          at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
          at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:642)
          at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461)
          at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
          at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
          at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:450)
          at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1078)
          at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
          at java.base/java.security.AccessController.doPrivileged(Native Method)
          at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1012)
          at com.couchbase.client.deps.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1365)
          at com.couchbase.client.deps.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1273)
          at com.couchbase.client.deps.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1108)
          at com.couchbase.client.deps.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1151)
          at com.couchbase.client.deps.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:491)
          at com.couchbase.client.deps.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:430)
          at com.couchbase.client.deps.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267)
          at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
          at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
          at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
          at com.couchbase.client.deps.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1304)
          at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
          at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
          at com.couchbase.client.deps.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:921)
          at com.couchbase.client.deps.io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:725)
          at com.couchbase.client.deps.io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:400)
          at com.couchbase.client.deps.io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:300)
          at com.couchbase.client.deps.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
          at com.couchbase.client.deps.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
          at java.base/java.lang.Thread.run(Thread.java:834)
      Caused by: sun.security.validator.ValidatorException: No trusted certificate found
          at java.base/sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:411)
          at java.base/sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:135)
          at java.base/sun.security.validator.Validator.validate(Validator.java:264)
          at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
          at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
          at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
          at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:620)
          ... 28 more
      

      This is the job: http://perf.jenkins.couchbase.com/job/hercules/10251/console

            People

              korrigan.clark Korrigan Clark (Inactive)
              korrigan.clark Korrigan Clark (Inactive)