Loading...

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.6.0.GA
Affects Version/s: 2.5.1.GA
Component/s: deploy: cli, install, machine-exec, operator
Labels:
- cee_high

Blocked:
False
Ready:
False
Release Note Text:
Undefined
Workaround Description:

Hide

We do not have workaround, we were trying to follow:
https://www.eclipse.org/che/docs/che-7/end-user-guide/using-maven-artifact-repositories/#using-self-signed-certificates-in-maven-projects_che

But without success.

Show
We do not have workaround, we were trying to follow: https://www.eclipse.org/che/docs/che-7/end-user-guide/using-maven-artifact-repositories/#using-self-signed-certificates-in-maven-projects_che But without success.
Steps to Reproduce:

Hide

Follow instructions on:
[https://access.redhat.com/documentation/en-us/red_hat_codeready_workspaces/2.4/html/installation_guide/configuring-che_crw#importing-tls-certificates-to-codeready-workspaces-server-java-trustore_crw
]

Use 4 different ca-certificates.

Show
Follow instructions on: [https://access.redhat.com/documentation/en-us/red_hat_codeready_workspaces/2.4/html/installation_guide/configuring-che_crw#importing-tls-certificates-to-codeready-workspaces-server-java-trustore_crw ] Use 4 different ca-certificates.
Market:

SFDC Cases Counter:
SFDC Cases Links:

We are trying to follow instructions on:
https://access.redhat.com/documentation/en-us/red_hat_codeready_workspaces/2.4/html/installation_guide/configuring-che_crw#importing-tls-certificates-to-codeready-workspaces-server-java-trustore_crw

With the following error:

fact descriptor for io.quarkus:quarkus-maven-plugin:jar:1.10.2.Final: Could not transfer artifact io.quarkus:quarkus-maven-plugin:pom:1.10.2.Final from/to dev-rm (https://example.com:8443/repository/maven-public/): Transfer failed for https://example.com:8443/repository/maven-public/io/quarkus/quarkus-maven-plugin/1.10.2.Final/quarkus-maven-plugin-1.10.2.Final.pom: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The checluster crd in openshift-workspaces is patched correctly with 4 custom CA certificates.
But during the creation of coderready pod we can see in logs:

2021-01-20T19:57:40.813504486Z Found a custom cert. Adding it to java trust store /home/user/cacerts
2021-01-20T19:57:41.065438072Z Trust this certificate? [no]: 2021-01-20T19:57:41.066414092Z Certificate was added to keystore
2021-01-20T19:57:41.090583585Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted
2021-01-20T19:57:41.095488949Z Found a custom cert. Adding it to java trust store /home/user/cacerts
2021-01-20T19:57:41.354880984Z Trust this certificate? [no]: 2021-01-20T19:57:41.355786562Z Certificate was added to keystore2021-01-20T19:57:41.355818961Z
2021-01-20T19:57:41.383988348Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted
2021-01-20T19:57:41.387110051Z Found a custom cert. Adding it to java trust store /home/user/cacerts
2021-01-20T19:57:41.608781492Z Certificate already exists in keystore under alias <entrustrootcertificationauthority-g2>
2021-01-20T19:57:41.609458945Z Do you still want to add it? [no]: 2021-01-20T19:57:41.610605344Z Certificate was added to keystore
2021-01-20T19:57:41.638472116Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted
2021-01-20T19:57:41.641139421Z Found a custom cert. Adding it to java trust store /home/user/cacerts
2021-01-20T19:57:41.874250333Z Certificate was added to keystore
2021-01-20T19:57:41.905802245Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted
2021-01-20T19:57:41.908638341Z Found a custom cert. Adding it to java trust store /home/user/cacerts
2021-01-20T19:57:42.162432139Z Trust this certificate? [no]: 2021-01-20T19:57:42.163255819Z Certificate was added to keystore2021-01-20T19:57:42.163270713Z
2021-01-20T19:57:42.187646295Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted

All previous checks are correct:

[rludva@server ~]$ oc get checluster/codeready-workspaces -o json | jq .spec.server.serverTrustStoreConfigMapName
"test"
[rludva@server ~]$ oc get pod codeready-5f98c7fc99-ll5t5 -o json | jq .spec.volumes
[
 {
 "configMap": {
 "defaultMode": 420,
 "name": "test"
 },
 "name": "che-public-certs"
 },
 {
 "name": "che-token-ttf29",
 "secret": {
 "defaultMode": 420,
 "secretName": "che-token-ttf29"
 }
 }
]
[rludva@server ~]$ oc exec codeready-5f98c7fc99-ll5t5 -- ls /public-certs/
ca.crt
caa.crt
caaa.crt
caaaa.crt

We are also a little bit confused about symbolic links in the /public-certs folder.
It looks like they are expected to be linked to ../data/<name>.crt but the '/' before 'data' folder is missing:

It is patched. The keycloak pod and codeready pod is recreated.
But it looks like the symbolic links are not created there correctly, not sure if it is related to described bug for Java TrustStore:

sh-4.4$ cd /
sh-4.4$ ls -ld data public-certs
drwxrwxrwx. 2 root root 6 Nov 6 17:35 data
drwxrwsrwx. 3 root 1000610000 121 Jan 22 15:03 public-certs
sh-4.4$ ls -la data
total 0
drwxrwxrwx. 2 root root 6 Nov 6 17:35 .
drwxr-xr-x. 1 root root 61 Jan 22 15:03 ..
sh-4.4$ ls -la public-certs
total 0
drwxrwsrwx. 3 root 1000610000 121 Jan 22 15:03 .
drwxr-xr-x. 1 root root 61 Jan 22 15:03 ..
drwxr-sr-x. 2 root 1000610000 68 Jan 22 15:03 ..2021_01_22_15_03_15.282434929
lrwxrwxrwx. 1 root root 31 Jan 22 15:03 ..data -> ..2021_01_22_15_03_15.282434929
lrwxrwxrwx. 1 root root 13 Jan 22 15:03 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root 14 Jan 22 15:03 caa.crt -> ..data/caa.crt
lrwxrwxrwx. 1 root root 15 Jan 22 15:03 caaa.crt -> ..data/caaa.crt
lrwxrwxrwx. 1 root root 16 Jan 22 15:03 caaaa.crt -> ..data/caaaa.crt
sh-4.4$ ls -l /data
total 0

links to

https://gitlab.cee.redhat.com/red-hat-developers-documentation/red-hat-devtools/-/merge_requests/1056

upstream issue

Details

Description

Attachments

Issue Links

Activity

People

Dates