Authentication using self-signed certificates fails

[dbuchko]

I've created a self-signed cert in Ops Manager. Validating server credentials using the admin account in version 1.81 of the plugin (in STS 3.5.1) results in an authentication error:

Unable to communicate with server - I/O error on GET request for "https://api.system.22x.edu.pivotal.io/info":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Using the --skip-ssl-validation option on the CLI results in a successful login. For the record, I've downloaded version 1.73 of the plugin and it does successfully authenticate on validation.

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/92629418.

[nierajsingh]

Hi,

It looks like we can prompt the user whether to skip SSL validation and continue validating. I'll see if I can add a possible fix for the upcoming 1.8.2 release.

[bfeeny]

I am not sure when this broke, but in 1.7.3 it does (and continues to) work fine. If your using a self signed certificate, its recognized, you are prompted whether you wish to proceed anyway, and if you do, then the integration is completed with no errors.

[bfeeny]

A quick update. Don't use 1.7.3 with the newer PCF versions, as when I removed an application in STS using the integration, it removed my developer console (apps_manager). I know that sounds weird, and it shouldn't even be possible since the credentials I was using did not have any authority over the system org, but all I know is I removed the app and next thing I know apps_manager was gone.

You can use the latest plug-in with self-signed certificates by manually adding the certificate to your java keystore. I have documented it here:

http://www.feeny.org/get-self-signed-certificates-to-work-with-cloud-foundry-integration-for-eclipse-plug-in/

[nierajsingh]

We're currently testing the addition of a "Trust self-signed certificate" checkbox in the URL dialogue. That way users can decide to trust self-signed prior to making the initial URL validation. This will only be available for user-defined URLs, for example as used for PCF, not the branding-defined ones like Pivotal Web Services or BlueMix.

We should have a solution available in the nightly driver within a few days for testing. I'll notify here when it is available. Thanks.

[nierajsingh]

We have committed a fix to the nightly build that allows users to select "Trust self-signed certificate" when adding or editing a Cloud target URL, if you would like to test this and see if it addresses SSL error issues.

NOTE: Because this is a nightly build and still being tested for release, it is strongly recommended that you install on:

1. A clean STS or Eclipse JEE
2. Use a new workspace

It is not recommended that you update your current development environment until after we release 1.8.2, which will contain this fix.

To install this nightly build, in STS/Eclipse please go to:

Help -> Install New Software...

And in the "Work with" control, paste:

http://dist.springsource.com/snapshot/TOOLS/cloudfoundry/nightly

Then select

"Core / Cloud Foundry Integration"

Click "Next" and complete the wizard.

Then restart STS/Eclipse

Once restarted, create a new Cloud Foundry server instance, and in the New Server wizard, in the credentials page, click on "Manage Cloud"

Click "Add" to add your PCF URL

Then in the URL wizard, check "Trust self-signed certificate"

Then click "Finish" until you're back to the credentials page where you can complete creating the server instance or validate the URL.

If you have a chance to test this before Tuesday, May 5, and you notice any issues we would greatly appreciate your feedback.