DSpace / DS-2057

Replication Task Suite fails to build with ValidatorException: PKIX Path building failed

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Replication Task Suite
    • Labels:
      None
    • Environment:
      Any
    • Attachments:
      0
    • Comments:
      2
    • Documentation Status:
      Needed

      Description

      The first time you build (mvn package) the DSpace Replication Task Suite (dspace-replicate), it may fail with the following error:

      Could not transfer artifact org.duracloud:storeclient:pom:2.3.1 from/to duracloud-releases (https://m2.duraspace.org/content/repositories/releases): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      ...
      Caused by: org.apache.maven.wagon.TransferFailedException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      Unfortunately, the problem is with the current "m2.duraspace.org" SSL Certificate. https://m2.duraspace.org is the only place the DuraCloud APIs are currently available via Maven (and the Replication Task Suite uses these APIs to communicate with DuraCloud, when it is configured as the backend).

      The problematic SSL certificate is a SHA-2 certificate signed by GoDaddy, and unfortunately these certificates have known issues with Java/Maven. The reason is that GoDaddy has failed to add their signing certificate to the default Java Truststore. So, while our SSL Certificate is completely valid, Java will not trust it as it cannot validate the certificate using the default truststore.

      Here are others who have encountered this same issue with GoDaddy-signed SHA-2 certificates and Java:

      To complicate things, GoDaddy has announced that they are no longer supporting SHA-1 certificates (which work correctly with Java). Because of this new requirement, our certificate was updated from SHA-1 to SHA-2 automatically on the last renewal: http://support.godaddy.com/help/article/4818/information-about-requiring-the-sha-2-hash-function?locale=en

      == WORKAROUND ==

      The only known workaround is to manually add the GoDaddy certificates to your local server's truststore. Unfortunately this must be done on each individual computer/server. Here are details on how to manually install the proper GoDaddy certificate into your 'cacerts' file on each computer:

      http://notes.richdougherty.com/2013/09/adding-godaddy-g2-root-cert-to-jdk-7.html

      NOTE: the two certificates in question (gdroot-g2.crt and gdig2.crt) are both available for download here: https://certs.godaddy.com/anonymous/repository.pki
      (UPDATE: I've found you should only need to manually install the 'gdig2.crt', named "GoDaddy Secure Server Certificate (Intermediate Certificate) - G2". The root certificate should already exist in the truststore by default.)

      DuraSpace is getting in touch with GoDaddy about this issue. If we cannot get a better fix from them, we may consider moving to a different certificate authority. In the meantime, unfortunately using the above workaround seems to be the only way to resolve the issue with the dspace-replicate build process.
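
The truststore workaround described above, as an added example that is not part of the original issue: it checks the SHA-256 fingerprint of `gdig2.crt` before importing it, and imports into a private copy of `cacerts` rather than the JDK's own file. Assumptions: `JAVA_HOME` points at the JDK Maven runs on, the truststore still has the default password `changeit`, the expected fingerprint is obtained separately from the CA, and the alias `godaddy-gdig2` and all function names are illustrative.

```shell
#!/bin/sh
# Added example: import gdig2.crt into a private truststore copy for Maven.

# Normalise a fingerprint so "ab:cd" and "ABCD" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of a certificate file, as reported by keytool.
cert_fp() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# Locate cacerts in a JDK 7/8 layout (jre/lib/security) or a JRE layout.
find_cacerts() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# JVM options that point Maven at the private truststore.
maven_opts() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# usage: import_gdig2 <gdig2.crt> <expected SHA-256 fingerprint> <new truststore path>
import_gdig2() {
    cert=$1; expected=$2; store=$3
    actual=$(cert_fp "$cert")
    # Refuse to trust a certificate whose fingerprint was not confirmed.
    if [ -z "$actual" ] || [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch for $cert; not importing" >&2
        return 1
    fi
    src=$(find_cacerts "$JAVA_HOME") || { echo "cacerts not found under JAVA_HOME" >&2; return 1; }
    # Work on a copy so the JDK's own truststore stays untouched.
    cp "$src" "$store" && chmod u+w "$store" || return 1
    keytool -importcert -noprompt -alias godaddy-gdig2 -file "$cert" \
        -keystore "$store" -storepass changeit || return 1
    keytool -list -alias godaddy-gdig2 -keystore "$store" -storepass changeit
}

if [ "$#" -eq 3 ]; then
    import_gdig2 "$1" "$2" "$3" && echo "export MAVEN_OPTS=\"$(maven_opts "$3" changeit)\""
fi
```

Run it with the certificate file, the expected fingerprint and a path for the new truststore, then export the printed `MAVEN_OPTS` before `mvn package`.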

          Activity

          tdonohue Tim Donohue added a comment -

          Another Workaround option:

          If you are building the Replication Task Suite from source, you can also just modify its "pom.xml" file to reference the DuraCloud Release Repository via HTTP instead of HTTPS. You'd simply change this line to use HTTP:

          https://github.com/DSpace/dspace-replicate/blob/master/pom.xml#L74

          After modifying that POM, just rebuild and everything should be downloaded properly. I'll be working on new releases of the Replication Task Suite with this minor POM change in place, along with some other minor bug fixes.

          tdonohue Tim Donohue added a comment -

          This GoDaddy related SHA-2 certificate issue is supposedly resolved now in the latest versions of Java 7 (Update 75/76) and Java 8 (Update 31), according to the Stack Overflow thread:

          http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java

          So, another workaround is to simply upgrade to the latest version of Oracle Java 7 or 8.


            People

            • Assignee:
              tdonohue Tim Donohue
              Reporter:
              tdonohue Tim Donohue