Channels
#box-products
Title
# box-products
s
seandaniels
04/22/2022, 12:42 PMI'm receiving an error when I
box installConnection failure <https://repo1.maven.org/maven2/com/github/vertical-blank/sql-formatter/2.0.3/sql-formatter-2.0.3.jarPKIX> path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetMy main application is pinned to cbdebugger ^2.0.0 but apparently another module in my app has cbdebugger@stable as a dependency and that's where it goes awry. I modified the module dependency to ^2.0.0 as a workaround and I can get the app installed now.
b
bdw429s
04/22/2022, 3:12 PM@seandaniels really has nothing to do with cbdebugger
The SSL libs in Lucee/java are refusing to connect to the maven server
Copy code
unable to find valid certification pathFirst question is what version of CommandBox you're on, which determines the version of Lucee.
If that's super old, you may have a really old trust store
The more likely scenario however is you are on a network doing some sort of sneaky SSL spying where your firewall swaps out the "real" SSL cert with a self-signed one so they can spy on all your secure traffic
You can usually tell if this is the case by running the following in CommandBox
Copy code
#sslcertificatelist <http://repo1.maven.org|repo1.maven.org>When I run that, I get this
Copy code
[
{
"subject":"CN=<http://repo1.maven.org|repo1.maven.org>",
"issuer":"CN=GlobalSign Atlas R3 DV TLS CA H2 2021, O=GlobalSign nv-sa, C=BE"
},
{
"subject":"CN=GlobalSign Atlas R3 DV TLS CA H2 2021, O=GlobalSign nv-sa, C=BE",
"issuer":"CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3"
}
]s
seandaniels
04/22/2022, 3:29 PMThis is an AWS server in a VPC so I kinda doubt it's the spying scenario? I'm checking the commandbox / lucee version on that server right now
Copy code
CommandBox> #sslcertificatelist <http://repo1.maven.org|repo1.maven.org>
{
"COLUMNS":[
"subject",
"issuer"
],
"DATA":[
[
"CN=<http://repo1.maven.org|repo1.maven.org>",
"CN=GlobalSign Atlas R3 DV TLS CA H2 2021, O=GlobalSign nv-sa, C=BE"
],
[
"CN=GlobalSign Atlas R3 DV TLS CA H2 2021, O=GlobalSign nv-sa, C=BE",
"CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3"
]
]
}CommandBox version on that server farm is 5.2.0+00280 currently.
Actually one of the servers in the farm is slightly newer image with CommandBox 5.4.2 and returns
Copy code
CommandBox> #sslcertificatelist <http://repo1.maven.org|repo1.maven.org>
[
{
"subject":"CN=<http://repo1.maven.org|repo1.maven.org>",
"issuer":"CN=GlobalSign Atlas R3 DV TLS CA H2 2021, O=GlobalSign nv-sa, C=BE"
},
{
"subject":"CN=GlobalSign Atlas R3 DV TLS CA H2 2021, O=GlobalSign nv-sa, C=BE",
"issuer":"CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3"
}
]But my deploy process fails if any of the servers in the farm fail, which at least one of them is with that error during
box installI'll try bumping the rest of the servers up to the newer image and see if that resolves it.
b
bdw429s
04/22/2022, 3:44 PMThe certs looks correct and that's not an ancient version of CommandBox/Lucee so that's good
Now, it doesn't help us find out what's happening, lol
Sometimes you can get a better error message if you try and hit the URL with http directly
Try running this from the CLI
Copy code
repl 'http url="<https://repo1.maven.org/maven2/com/github/vertical-blank/sql-formatter/2.0.3/sql-formatter-2.0.3.jar>"; echo(serializeJSON(cfhttp));'Note, you've got to run that on the actual server that's getting the error in the network it's erroring on.
Also, if you can, you can test the same URL via
curlHowever, curl and your browser will use your OS ca store, so they may work in some cases were Lucee/Java fail
@seandaniels Any progress on this?
s
seandaniels
04/25/2022, 7:58 PMSorry, my workaround of pinning to cbdebugger@^2 solved the deployment issue and I've been to busy to investigate further. But I will go back to cbdebugger@stable and see if I can get this happening again. I'm pretty sure it's just the version of CommandBox I've got on a couple of the servers in the cluster is too old. I have three servers running 5.2 and one server from a newer image running 5.4. I'll do some testing when I get a chance and report back. Thanks for following up.
m
mborn
04/26/2022, 1:40 PMIt's possible the root cause is with my sqlFormatter extension, which points to that Maven package as a dependency.
I can bundle that jar into the sqlFormatter module instead of asking CommandBox to download it from Maven. 🙂
s
seandaniels
04/27/2022, 1:39 PMSo, I tried installing cbdebugger@stable locally and I get the same error. This is with the latest stable version of CommandBox - v5.4.2+00453. It seems like cbdebugger module actually installs but yea, the sqlFormatter module dependency does not complete install, and my application will not start, I assume because of that (I get
Cannot activate module: cbjavaloader. Already processed API,translators,sqlformatter,diff,plaid,textsimilarity,minfraud,paypal,geoIP,cbsecurity,jwtcfml,cloudinary,cbi18n,socketlabs,towerdata,mongoentity,cbauth,awscfml,recaptcha,geonames,HTMLHelper,ekata,cbstorages,mailboxlayer,schemaorg,algolia,cbcommons,cbdebugger,autodeploy,stripecfml,route-visualizer,threatmetrix,libphonenumber,tineye,sitemaputils,linkedin,safebrowsing,convertedplugins,JSONPrettyPrint,webpurify,dotenvsettings,exchangerates,telesign,contentful,numverify,cbvalidation@bdw429s I ran your suggested repl from the CLI and get this:
Copy code
{
"status_text": "Connection Failure",
"charset": "",
"text": true,
"errordetail": "Unknown host: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"filecontent": "Connection Failure",
"responseheader": {},
"statuscode": "Connection Failure. Status code unavailable.",
"header": "",
"status_code": 0,
"mimetype": "Unable to determine MIME type of file."
}b
bdw429s
04/27/2022, 5:44 PM@seandaniels Ok, so pretty much the same info as before. Basically,l the trust store Lucee is using doesn't trust the root SSL cert in use by repo1.maven.org or one of its intermediate certs.
The version of Lucee that CommandBox
5.2.05.3.7.47s
seandaniels
04/27/2022, 5:46 PMRight, but just to be clear I get the same with CommandBox
5.4.2b
bdw429s
04/27/2022, 5:46 PMHere's the cacerts file for that version of Lucee
https://github.com/lucee/Lucee/blob/5.3.7.47/core/src/main/java/resource/security/cacerts
2 years old
🤦 1
root certs are usually issues for a very long time
I'm not sure how recent the SSL cert is that repo1.maven.org is using
m
mborn
04/27/2022, 5:47 PM@bdw429s Weird, do you know why I am able to
box install jar:LINK_TO_MAVENs
seandaniels
04/27/2022, 5:47 PMYup, understood. I'm just confused as to why I seem to be the only one experiencing this issue? Lots of folks use cbdebugger, no?
☝️ 1
b
bdw429s
04/27/2022, 5:47 PMoutch, the intermediate cert is from 2021
That's probably your issue right there
Lucee's cacerts is a couple years out of date and maven "recently" updated to a pretty new cert
now, I'm not entirely sure why it works fine on my machine 🤔
Though I am using the Lucee snapshot builds
And Lucee did literally update their cacerts file this week
Here's the historty of Lucee's cacerts file
https://github.com/lucee/Lucee/commits/5.3/core/src/main/java/resource/security/cacerts
The last update before today was on June 25, 2021 and used whatever trust store shipped with java 11.0.11
s
seandaniels
04/27/2022, 5:50 PMSo you are saying the version of CommandBox you are using uses a snapshot build of Lucee?
b
bdw429s
04/27/2022, 5:50 PMwhy I seem to be the only one experiencing this issueWho knows. I stopped trying to answer questions like that years ago 😆
😂 2
Lots of folks use cbdebugger, no?Not really, IMO. It's also a matter of what version they're using.
the version of CommandBox you are using uses a snapshot build of Lucee?Locally, on my PC, yes.
The CommandBox 5.5.0 alpha
From the JIRA traffic, (and messages from Zac), Lucee 5.3.9 looks to be shipping today
And when it does, CommandBox 5.5.0 will finally ship too
in the mean time , you could just try popping in the laset 5.3.9 jar to CommandBox, wipe the
engineThat may at least rule out a couple things
Unfortunately, CommandBox is just an innocent bystander here. We're dependent on java, and to a greater extent, Lucee to have a current SSL trust store for HTTPS to work 😕
m
mborn
04/27/2022, 5:53 PMIt's also a matter of what version they're using.100%, yes. @seandaniels the sqlFormatter module is only used since cbdebugger 3.3.0. https://github.com/coldbox-modules/cbdebugger/releases
👍 1
s
seandaniels
04/27/2022, 5:53 PMOK. I'll sit tight. @mborn if you wanted to bundle that jar directly in cbdebugger instead of calling out to Maven that would also probably remove the issue. Mean time I'll stick on cbdebugger@2
💥 1
m
mborn
04/27/2022, 5:54 PMWorking on it, @seandaniels. Having a bit of a mid-life crisis with GitHub Actions, so it's taken longer than expected to get the new sqlFormatter version out.
s
seandaniels
04/27/2022, 5:54 PMHeh, no worries.
b
bdw429s
04/27/2022, 5:54 PM@mborn I wouldn't put the jar in the github repo, but you could easily
• just include it in the S3 zip by having it downloaded as part of your build when you run
forgebox pubish🇺🇸 1
In reality, it's only a temp fix since there are a number of things that pull jars from Maven so I would expect it to be biting more people eventually
👍 1
🤔 1
m
mborn
04/27/2022, 5:55 PMNote that we'd have to bump cbdebugger versions too to pull the latest sqlFormatter module... unless I modified the current version of sqlFormatter. And I'd consider that a no-no.
b
bdw429s
04/27/2022, 5:55 PMnot neccessarily
I assume cbdebugger uses a semver range, no?
It's probably pulling the latest minor/patch updates for formatter
m
mborn
04/27/2022, 5:55 PMDoh, you're right - it probably does.
b
bdw429s
04/27/2022, 5:56 PMIf Eric were here, he'd probably grumble something about CommandBox not supporting a package lock file right about now 😆
m
mborn
04/27/2022, 5:56 PMDerp -
"sqlformatter":"^1.0.1"👍 1
b
bdw429s
04/27/2022, 5:56 PMEven though we're about to totally exploit that!
2 Views