Build failing PwmHttpClientTest #647

Open
blissjoe opened this issue Mar 21, 2022 · 6 comments

@blissjoe

Describe the bug
We are trying to build from the latest source and PwmHttpClientTest is failing.

We are running RHEL8 and have tried Open JDK 11 and 17. The build worked on this server around a month ago.

It may be related to this commit? - d9cadfb

To Reproduce
Steps to reproduce the behavior:

  1. Follow the Linux Build instructions

Additional context

[INFO] Running password.pwm.AppPropertyTest
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 s - in password.pwm.AppPropertyTest
[INFO] Running password.pwm.http.client.PwmHttpClientTest
[ERROR] Tests run: 5, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 2.234 s <<< FAILURE! - in password.pwm.http.client.PwmHttpClientTest
[ERROR] password.pwm.http.client.PwmHttpClientTest.testGetHttpClientSslHello  Time elapsed: 0.373 s  <<< ERROR!
password.pwm.error.PwmUnrecoverableException: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: Certificates do not conform to algorithm constraints)
	at password.pwm.svc.httpclient.ApachePwmHttpClient.makeRequest(ApachePwmHttpClient.java:253)
	at password.pwm.http.client.PwmHttpClientTest.testGetHttpClientSslHello(PwmHttpClientTest.java:200)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:54)
	at com.github.tomakehurst.wiremock.junit.WireMockRule$1.evaluate(WireMockRule.java:79)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
	at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
	at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
	at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:364)
	at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:272)
	at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:237)
	at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:158)
	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:428)
	at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:162)
	at org.apache.maven.surefire.booter.ForkedBooter.run(ForkedBooter.java:562)
	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:548)
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1500)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:313)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at password.pwm.svc.httpclient.ApachePwmHttpClient.executeRequest(ApachePwmHttpClient.java:392)
	at password.pwm.svc.httpclient.ApachePwmHttpClient.makeRequestImpl(ApachePwmHttpClient.java:281)
	at password.pwm.svc.httpclient.ApachePwmHttpClient.makeRequest(ApachePwmHttpClient.java:249)
	... 31 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1603)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1528)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1472)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
	... 57 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=localhost
	at java.base/sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:898)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:516)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:252)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:198)
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:292)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1599)
	... 60 more

[ERROR] password.pwm.http.client.PwmHttpClientTest.testGetHttpClientSslWithCertificates  Time elapsed: 0.307 s  <<< ERROR!
password.pwm.error.PwmUnrecoverableException: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: Certificates do not conform to algorithm constraints)
	at password.pwm.svc.httpclient.ApachePwmHttpClient.makeRequest(ApachePwmHttpClient.java:253)
	at password.pwm.http.client.PwmHttpClientTest.testGetHttpClientSslWithCertificates(PwmHttpClientTest.java:233)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:54)
	at com.github.tomakehurst.wiremock.junit.WireMockRule$1.evaluate(WireMockRule.java:79)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
	at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
	at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
	at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:364)
	at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:272)
	at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:237)
	at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:158)
	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:428)
	at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:162)
	at org.apache.maven.surefire.booter.ForkedBooter.run(ForkedBooter.java:562)
	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:548)
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1500)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:313)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at password.pwm.svc.httpclient.ApachePwmHttpClient.executeRequest(ApachePwmHttpClient.java:392)
	at password.pwm.svc.httpclient.ApachePwmHttpClient.makeRequestImpl(ApachePwmHttpClient.java:281)
	at password.pwm.svc.httpclient.ApachePwmHttpClient.makeRequest(ApachePwmHttpClient.java:249)
	... 31 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1603)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1528)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1472)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
	... 57 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=localhost
	at java.base/sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:898)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:516)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:252)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:198)
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:292)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1599)
	... 60 more

[INFO] Running password.pwm.http.HttpContentTypeTest
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 s - in password.pwm.http.HttpContentTypeTest
[INFO] Running password.pwm.http.filter.RequestInitializationFilterTest
[INFO] Tests run: 8, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.182 s - in password.pwm.http.filter.RequestInitializationFilterTest
[INFO] Running password.pwm.http.PwmURLTest
[INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.029 s - in password.pwm.http.PwmURLTest
[INFO] Running password.pwm.http.servlet.ControlledPwmServletTest
[INFO] Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.98 s - in password.pwm.http.servlet.ControlledPwmServletTest
[INFO] Running password.pwm.http.servlet.oauth.OAuthMachineTest
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 s - in password.pwm.http.servlet.oauth.OAuthMachineTest
[INFO] Running password.pwm.bean.DomainIDTest
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 s - in password.pwm.bean.DomainIDTest
[INFO] Running password.pwm.ws.server.rest.RestServletTest
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.454 s - in password.pwm.ws.server.rest.RestServletTest
[INFO] Running password.pwm.error.PwmErrorTest
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 s - in password.pwm.error.PwmErrorTest
[INFO] Running password.pwm.tests.PwmPasswordJudgeTest
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 s - in password.pwm.tests.PwmPasswordJudgeTest
[INFO] 
[INFO] Results:
[INFO] 
[ERROR] Errors: 
[ERROR]   PwmHttpClientTest.testGetHttpClientSslHello:200 » PwmUnrecoverable 5057 ERROR_...
[ERROR]   PwmHttpClientTest.testGetHttpClientSslWithCertificates:233 » PwmUnrecoverable ...
[INFO] 
[ERROR] Tests run: 211, Failures: 0, Errors: 2, Skipped: 0
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO] 
[INFO] PWM Password Self Service .......................... SUCCESS [ 13.409 s]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 17.670 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 20.952 s]
[INFO] PWM Password Self Service: Server JAR .............. FAILURE [01:39 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SKIPPED
[INFO] PWM Password Self Service: Server WAR .............. SKIPPED
[INFO] PWM Password Self Service: Executable Server JAR ... SKIPPED
[INFO] PWM Password Self Service: Data Service WAR ........ SKIPPED
[INFO] PWM Password Self Service: REST Test Server WAR .... SKIPPED
[INFO] PWM Password Self Service: Docker Image ............ SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  02:31 min
[INFO] Finished at: 2022-03-21T11:22:04-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5:test (default-test) on project pwm-server: There are test failures.
[ERROR] 
[ERROR] Please refer to /usr/src/pwm/server/target/surefire-reports for the individual test results.
[ERROR] Please refer to dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <args> -rf :pwm-server
@jrivard
Contributor

jrivard commented Mar 21, 2022

Hmm, not getting this issue with a clean install of CentOS 7 and latest Java 11 installed from the distro. I don't have RHEL to test on. Is there anything else unusual about your server/jvm setup?

[vm@localhost pwm]$ git log -1
commit b9cb0ac
Author: Jason Rivard jrivard@gmail.com
Date: Sun Mar 20 14:01:15 2022 -0400

npm angular dependency updates

[vm@localhost pwm]$ git branch
* master

[vm@localhost pwm]$ java -version
openjdk version "11.0.14.1" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)

[vm@localhost pwm]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[vm@localhost pwm]$ ./mvnw verify

...snip....

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [04:33 min]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 17.950 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 13.934 s]
[INFO] PWM Password Self Service: Server JAR .............. SUCCESS [02:16 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SUCCESS [ 50.348 s]
[INFO] PWM Password Self Service: Server WAR .............. SUCCESS [02:19 min]
[INFO] PWM Password Self Service: Executable Server JAR ... SUCCESS [ 44.821 s]
[INFO] PWM Password Self Service: Data Service WAR ........ SUCCESS [ 56.567 s]
[INFO] PWM Password Self Service: REST Test Server WAR .... SUCCESS [ 8.749 s]
[INFO] PWM Password Self Service: Docker Image ............ SUCCESS [01:01 min]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 13:23 min
[INFO] Finished at: 2022-03-21T19:41:23-04:00
[INFO] ------------------------------------------------------------------------

@blissjoe
Author

Thank you for the response. Here is some additional information from the build above.

I will try my build on CentOS Stream 8 later today and see if it runs into the same problem. I'll also see if I can find any other helpful information.

[user@pwm01-test pwm]# git log -1
commit b9cb0ac (HEAD -> master, origin/master, origin/HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Sun Mar 20 14:01:15 2022 -0400

npm angular dependency updates

[user@pwm01-test pwm]# git branch
* master

[user@pwm01-test ~]$ java -version -- test server
openjdk version "17.0.2" 2022-01-18 LTS
OpenJDK Runtime Environment 21.9 (build 17.0.2+8-LTS)
OpenJDK 64-Bit Server VM 21.9 (build 17.0.2+8-LTS, mixed mode, sharing)

[user@pwm01 ~]$ java -version -- production server
openjdk version "11.0.14.1" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)

To help verify, I ran, git checkout 437e617cd76c3de8528a6bab939c1cefecabdc94 and was able to build on the same server.

[user@pwm01-test pwm]# git log -1
commit 437e617 (HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Fri Mar 4 17:29:34 2022 -0500

create lib-data and lib-util submodules and begin move of appropriate code to submodules

[user@pwm01-test pwm]# ./mvnw clean verify

...snip...

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [05:15 min]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 18.501 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 21.988 s]
[INFO] PWM Password Self Service: Server JAR .............. SUCCESS [03:11 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SUCCESS [ 47.298 s]
[INFO] PWM Password Self Service: Server WAR .............. SUCCESS [02:45 min]
[INFO] PWM Password Self Service: Executable Server JAR ... SUCCESS [ 59.189 s]
[INFO] PWM Password Self Service: Data Service WAR ........ SUCCESS [ 29.318 s]
[INFO] PWM Password Self Service: REST Test Server WAR .... SUCCESS [ 10.620 s]
[INFO] PWM Password Self Service: Docker Image ............ SUCCESS [ 45.033 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15:05 min
[INFO] Finished at: 2022-03-22T07:31:54-04:00
[INFO] ------------------------------------------------------------------------

After I ran, git checkout d9cadfbe1a870b107466c6a7648d32d7efd2c0c4 and ran into the build issue.

[user@pwm01-test pwm]# git log -1
commit d9cadfb (HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Wed Mar 9 17:43:45 2022 -0500

fix test cases, improve docker startup scripts

[user@pwm01-test pwm]# ./mvnw clean verify

...snip...

[INFO] Results:
[INFO]
[ERROR] Errors:
[ERROR] PwmHttpClientTest.testGetHttpClientSslHello:200 » PwmUnrecoverable 5057 ERROR_...
[ERROR] PwmHttpClientTest.testGetHttpClientSslWithCertificates:233 » PwmUnrecoverable ...
[INFO]
[ERROR] Tests run: 211, Failures: 0, Errors: 2, Skipped: 0
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [ 19.567 s]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 21.365 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 24.159 s]
[INFO] PWM Password Self Service: Server JAR .............. FAILURE [01:48 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SKIPPED
[INFO] PWM Password Self Service: Server WAR .............. SKIPPED
[INFO] PWM Password Self Service: Executable Server JAR ... SKIPPED
[INFO] PWM Password Self Service: Data Service WAR ........ SKIPPED
[INFO] PWM Password Self Service: REST Test Server WAR .... SKIPPED
[INFO] PWM Password Self Service: Docker Image ............ SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:53 min
[INFO] Finished at: 2022-03-22T07:39:29-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5:test (default-test) on project pwm-server: There are test failures.

@blissjoe
Author

blissjoe commented Mar 23, 2022

Hi Jason,

I was able to replicate the issue with CentOS 8 Stream. I set up a new virtual machine with the following settings -

CentOS 8 Stream - Minimal Install

dnf install git java-11-openjdk java-11-openjdk-devel bzip2 unzip wget
export JAVA_HOME="/usr/lib/jvm/java-11-openjdk-11.0.14.1.1-2.el8.x86_64"
git clone https://github.com/pwm-project/pwm
cd pwm
./mvnw clean verify

[root@pwm02-test pwm]# git log -1
commit b9cb0ac (HEAD -> master, origin/master, origin/HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Sun Mar 20 14:01:15 2022 -0400

npm angular dependency updates

[root@pwm02-test pwm]# git branch
* master

[root@pwm02-test pwm]# java -version
openjdk version "11.0.14.1" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)

[root@pwm02-test pwm]# cat /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"

[root@pwm02-test pwm]# ./mvnw clean verify

...snip...

[ERROR] Errors:
[ERROR] PwmHttpClientTest.testGetHttpClientSslHello:200 » PwmUnrecoverable 5057 ERROR_...
[ERROR] PwmHttpClientTest.testGetHttpClientSslWithCertificates:233 » PwmUnrecoverable ...
[INFO]
[ERROR] Tests run: 211, Failures: 0, Errors: 2, Skipped: 0
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [02:33 min]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 17.190 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 12.475 s]
[INFO] PWM Password Self Service: Server JAR .............. FAILURE [01:08 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SKIPPED
[INFO] PWM Password Self Service: Server WAR .............. SKIPPED
[INFO] PWM Password Self Service: Executable Server JAR ... SKIPPED
[INFO] PWM Password Self Service: Data Service WAR ........ SKIPPED
[INFO] PWM Password Self Service: REST Test Server WAR .... SKIPPED
[INFO] PWM Password Self Service: Docker Image ............ SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 04:12 min
[INFO] Finished at: 2022-03-23T08:33:27-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5:test (default-test) on project pwm-server: There are test failures.

[root@pwm02-test pwm]# git checkout 437e617

[root@pwm02-test pwm]# git log -1
commit 437e617 (HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Fri Mar 4 17:29:34 2022 -0500

create lib-data and lib-util submodules and begin move of appropriate code to submodules

[root@pwm02-test pwm]# ./mvnw clean verify

...snip...

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [02:14 min]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 10.250 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 11.766 s]
[INFO] PWM Password Self Service: Server JAR .............. SUCCESS [01:59 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SUCCESS [ 47.275 s]
[INFO] PWM Password Self Service: Server WAR .............. SUCCESS [01:57 min]
[INFO] PWM Password Self Service: Executable Server JAR ... SUCCESS [ 40.300 s]
[INFO] PWM Password Self Service: Data Service WAR ........ SUCCESS [ 38.640 s]
[INFO] PWM Password Self Service: REST Test Server WAR .... SUCCESS [ 7.882 s]
[INFO] PWM Password Self Service: Docker Image ............ SUCCESS [ 38.104 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 09:25 min
[INFO] Finished at: 2022-03-23T08:45:14-04:00
[INFO] ------------------------------------------------------------------------

@blissjoe
Author

blissjoe commented Mar 23, 2022

It looks like inside server/src/test/java/password/pwm/http/client/PwmHttpClientTest.java a test certificate is created.

Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=localhost

I think if we update server/src/main/java/password/pwm/util/secure/self/SelfCertSettings.java to 2048 then it might resolve the issue.

    @Builder.Default
    private int keySize = 1024;

I can try it on my system and try to do a Pull Request.

@blissjoe
Author

blissjoe commented Mar 23, 2022

Updating that keySize did fix the build on CentOS Stream 8. I will test it on RHEL8 and see if I can figure out how to do a Pull Request for it.

[root@pwm02-test pwm]# git log -1
commit b9cb0ac (HEAD -> master, origin/master, origin/HEAD)
Author: Jason Rivard jrivard@gmail.com
Date: Sun Mar 20 14:01:15 2022 -0400

npm angular dependency updates

[root@pwm02-test pwm]# cat server/src/main/java/password/pwm/util/secure/self/SelfCertSettings.java | grep 2048

private int keySize = 2048;

[root@pwm02-test pwm]# ./mvnw clean verify

...snip...

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for PWM Password Self Service 2.1.0-SNAPSHOT:
[INFO]
[INFO] PWM Password Self Service .......................... SUCCESS [ 10.988 s]
[INFO] PWM Password Self Service: Library JAR - Data Objects SUCCESS [ 11.635 s]
[INFO] PWM Password Self Service: Library JAR - Utilities . SUCCESS [ 12.461 s]
[INFO] PWM Password Self Service: Server JAR .............. SUCCESS [02:01 min]
[INFO] PWM Password Self Service: Angular Client JAR ...... SUCCESS [ 44.394 s]
[INFO] PWM Password Self Service: Server WAR .............. SUCCESS [01:48 min]
[INFO] PWM Password Self Service: Executable Server JAR ... SUCCESS [ 39.902 s]
[INFO] PWM Password Self Service: Data Service WAR ........ SUCCESS [ 17.279 s]
[INFO] PWM Password Self Service: REST Test Server WAR .... SUCCESS [ 7.645 s]
[INFO] PWM Password Self Service: Docker Image ............ SUCCESS [ 34.451 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 06:48 min
[INFO] Finished at: 2022-03-23T09:22:15-04:00
[INFO] ------------------------------------------------------------------------

@jrivard
Contributor

jrivard commented Mar 29, 2022

So I've been looking into this for the past few days and I'm a bit confused why CentOS Stream 8/9 is having trouble with the 2048 key size. I've tested a half dozen other distros' default JDKs without issue, as well as Win11+Temurin JDK. It took me a while to figure out CentOS "Stream" replaced CentOS, but after I did I tested 8/9 and saw the same errors as you. However, if I grab an Azul or Temurin build of 11.0.14 and use it on CentOS Stream 8/9 it works fine, so this appears to be an issue purely with the CentOS Stream builds of OpenJDK.

I looked at the java.security properties file of the CentOS Stream JDKs, but I couldn't see any reason why it would limit the keysize to 1024.

I changed the keysize from 1024 in PWM, because best practices are now >= 2048 for RSA keys, and had an issue with WireMock at 1024 - though WireMock is quite fragile and my issue may have been unrelated.

I'm reluctant to downgrade the default self service key back to 1024, but if we can figure out a way to parameterize it for the test that might be a workable solution.....
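
An added diagnostic, not part of the thread or of the PWM code base: the `keysize limits` failure in the stack trace is raised by the JDK's disabled-algorithm constraints, which are configured through the security properties `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms`. This Java program prints those properties as the running JVM reports them and lists which `RSA keySize` entries would reject a 1024-bit or a 2048-bit key; the class name and the two sample property strings are constructed for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RsaKeySizeConstraintCheck {

    // One keySize clause in the java.security syntax, e.g. "keySize < 2048".
    private static final Pattern KEY_SIZE =
            Pattern.compile("keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+)");

    // Security properties that feed the algorithm-constraint check on TLS peer certificates.
    private static final String[] PROPERTIES = {
        "jdk.certpath.disabledAlgorithms",
        "jdk.tls.disabledAlgorithms"
    };

    /** True when a key of the given size satisfies "keySize op limit", i.e. is disabled. */
    static boolean disabledBy(int bits, String op, int limit) {
        switch (op) {
            case "<":  return bits < limit;
            case "<=": return bits <= limit;
            case ">":  return bits > limit;
            case ">=": return bits >= limit;
            case "==": return bits == limit;
            case "!=": return bits != limit;
            default:   throw new IllegalArgumentException("unknown operator " + op);
        }
    }

    /**
     * Returns the RSA entries of a disabledAlgorithms value whose keySize clause
     * matches the given key size. Other clauses in the same entry (jdkCA, usage,
     * denyAfter) are ignored, so a hit means "may be rejected" for those entries.
     */
    static List<String> rsaEntriesRejecting(String propertyValue, int bits) {
        List<String> hits = new ArrayList<>();
        if (propertyValue == null) {
            return hits;
        }
        for (String raw : propertyValue.split(",")) {
            String entry = raw.trim();
            // The first token is the algorithm name, the rest are its constraints.
            String[] parts = entry.split("\\s+", 2);
            if (parts.length < 2 || !parts[0].equalsIgnoreCase("RSA")) {
                continue;
            }
            Matcher m = KEY_SIZE.matcher(parts[1]);
            while (m.find()) {
                if (disabledBy(bits, m.group(1), Integer.parseInt(m.group(2)))) {
                    hits.add(entry);
                    break;
                }
            }
        }
        return hits;
    }

    /** Prints one property value and the verdict for both key sizes discussed in the thread. */
    static void report(String label, String value) {
        System.out.println(label + " = " + value);
        for (int bits : new int[] {1024, 2048}) {
            List<String> hits = rsaEntriesRejecting(value, bits);
            System.out.println("  RSA " + bits + ": "
                    + (hits.isEmpty() ? "permitted" : "rejected by " + hits));
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not copied from any host in the thread.
        report("sample (limit 1024)",
                "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224");
        report("sample (limit 2048)",
                "MD2, MD5, RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224");

        // Effective values for the JVM that runs this program.
        for (String name : PROPERTIES) {
            report(name, Security.getProperty(name));
        }
    }
}
```

Run it with the same `java` binary that the Maven build uses, since the property values belong to the JVM installation; Java 11 and later can launch the file directly with `java RsaKeySizeConstraintCheck.java`.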
