Discovery GCE test fails on FIPS #85803

Closed
tvernum opened this issue Apr 12, 2022 · 4 comments · Fixed by #85817
Labels
:Distributed/Discovery-Plugins Anything related to our integration plugins with EC2, GCP and Azure Team:Distributed Meta label for distributed team >test-failure Triaged test failures from CI

Comments

tvernum commented Apr 12, 2022

CI Link

https://gradle-enterprise.elastic.co/s/mcboq4te6p7o6

Repro line

./gradlew :plugins:discovery-gce:qa:gce:check -Dtests.fips.enabled=true

Does it reproduce?

Yes

Applicable branches

master

Failure history

No response

Failure excerpt

This seems to have started failing since #85132

[2022-04-12T17:07:29,829][WARN ][o.e.c.g.GceInstancesServiceImpl] [yamlRestTest-1] unable to resolve default zone from metadata server for GCE discovery service
  java.security.KeyStoreException: Uninitialized keystore
       at java.security.KeyStore.size(KeyStore.java:1296) ~[?:?]
       at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.getTrustAnchors(ProvTrustManagerFactorySpi.java:227) ~[bctls-fips-1.0.9.jar:1.0.9]
       at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:163) ~[bctls-fips-1.0.9.jar:1.0.9]
       at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:282) ~[?:?]
       at com.google.api.client.util.SslUtils.initSslContext(SslUtils.java:107) ~[google-http-client-1.41.1.jar:1.41.1]
@elasticmachine

Pinging @elastic/es-distributed (Team:Distributed)

tvernum commented Apr 12, 2022

Debugging FIPS Keystore issues can be tricky.
Feel free to call on @elastic/es-security if you need assistance.

arteam commented Apr 12, 2022

Looking at this one. Seems to be failing on

[2022-04-12T06:40:37,711][WARN ][o.e.c.g.GceInstancesServiceImpl] [yamlRestTest-0] unable to resolve project from metadata server for GCE discovery service	
 java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available	
 	at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:855) ~[?:?]	
 	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2113) ~[?:?]	
 	at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221) ~[?:?]	
 	at java.security.KeyStore.load(KeyStore.java:1473) ~[?:?]	
 	at com.google.api.client.util.SecurityUtils.loadKeyStore(SecurityUtils.java:80) ~[google-http-client-1.41.1.jar:1.41.1]	
 	at com.google.api.client.googleapis.GoogleUtils.getCertificateTrustStore(GoogleUtils.java:86) ~[google-api-client-1.33.1.jar:1.33.1]	
 	at com.google.api.client.googleapis.javanet.GoogleNetHttpTransport.newTrustedTransport(GoogleNetHttpTransport.java:87) ~[google-api-client-1.33.1.jar:1.33.1]	
 	at com.google.api.client.googleapis.javanet.GoogleNetHttpTransport.newTrustedTransport(GoogleNetHttpTransport.java:58) ~[google-api-client-1.33.1.jar:1.33.1]

arteam commented Apr 12, 2022

I guess it's reminiscent of #75028. The Google Java SDK changed the trust store format to p12 from JKS due to some Android issues: googleapis/google-api-java-client@83f3702
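
A diagnostic for the two traces above, as an added example that is not part of the thread and not code from Elasticsearch or the Google SDK: it reports which registered security provider, if any, serves each KeyStore type and the `PBE` AlgorithmParameters named in the second trace, and shows that `size()` on a KeyStore that was never loaded yields the `Uninitialized keystore` message from the first. The class name `TrustStoreProbe` and the `BCFKS` and `PBES2` probes are assumptions; run it with the same JVM security configuration as the failing test.

```java
import java.security.AlgorithmParameters;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
/** Added diagnostic (hypothetical class name), not code from Elasticsearch or the Google SDK. */
public class TrustStoreProbe {
    /** Name of the provider serving a KeyStore type, or null if no registered provider does. */
    static String keyStoreProvider(String type) {
        try {
            return KeyStore.getInstance(type).getProvider().getName();
        } catch (KeyStoreException e) {
            return null;
        }
    }

    /** Name of the provider serving AlgorithmParameters for a name, or null if none does. */
    static String algParamsProvider(String name) {
        try {
            return AlgorithmParameters.getInstance(name).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /** Calls size() on a KeyStore that was never loaded; returns the exception message, or null. */
    static String sizeOfUnloaded(String type) {
        try {
            KeyStore.getInstance(type).size();
            return null;
        } catch (KeyStoreException e) {
            return e.getMessage();
        }
    }
    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " " + p.getVersionStr());
        }
        // PKCS12 and JKS are the formats named in the thread; BCFKS is probed as an assumption.
        for (String type : new String[] {"PKCS12", "JKS", "BCFKS"}) {
            System.out.println("KeyStore " + type + " -> " + keyStoreProvider(type));
        }
        // "PBE" is the name in the second trace's message; "PBES2" is probed as an assumption.
        for (String name : new String[] {"PBE", "PBES2"}) {
            System.out.println("AlgorithmParameters " + name + " -> " + algParamsProvider(name));
        }
        String type = KeyStore.getDefaultType();
        System.out.println("size() before load() on " + type + ": " + sizeOfUnloaded(type));
    }
}
```

A `null` for `AlgorithmParameters PBE` means no registered provider can supply the parameters that the PKCS12 loader asks for in the second trace.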
