PKIX path validation failed #2443
Comments
Replying to [2443 anonymous]:
|
Having same issue with Duck as the ticket creator. I think this is due to having self signed certificate, right? And why should it be "forgotten"? :) As I see, the change to support "any" cert is in trunk already... |
Here is the full transcript, a little bit "anonymized":
The target server is Apache HTTPD 2.2 + mod_dav (Finder does connect nicely to it over DAV). The communication goes over HTTPS, the server uses a self-signed certificate. As you see, there is a redirect permanently from /some/path to collection /some/path/ and then the connection dies, duck is not connected anymore. So, I was wrong about cert (HTTP messages were exchanged nicely), but something else makes Duck disconnect. |
same here |
Same problem here. Finder works, Cyberduck is unable to connect. |
Same problem with version 3.1.1 (4458) |
Please try the latest nightly build from (http://update.cyberduck.ch/nightly). |
error.png with Cyberduck 3.1.3 (4527) No log Thanks |
Replying to [comment:10 blougou]:
This is helpful. Can you copy and paste the red text from the error dialog here? Also, please let me know (via email if you want) the URL of the WebDAV server. This is an SSL certificate problem; I can analyze this without having a user account on the server. |
I've just sent an email at feedback@cyberduck.ch... |
Replying to [comment:12 blougou]:
I do not get this error here and can initiate the connection to the server successfully. Can you try to remove any certificates from the server from your Keychain or using a different user account and/or OS X installation? |
On other OS X installations I have the same error... |
Replying to [comment:14 blougou]:
Until we find the cause of this issue please refer to this [help/en/problems#DisableSSLTLSX.509certificatetrustvalidation workaround]. |
After
in a terminal, always the same problem with same error (3.2 (4648)) |
I am also experiencing this problem. In my case the WebDAV server's certificate is not self-signed, but is signed by an intermediate CA - one that was signed by a widely-trusted CA. Adding the signing CA to my keychain doesn't help, nor does the "acceptAnyCertificate true" workaround. I have tried both 3.3b3 and the latest nightly build. From what I can tell, the problem comes when trying to follow an HTTP redirect. Cyberduck successfully connects to port 443, negotiates a TLS connection, and sends a PROPFIND for the given path. However, since Cyberduck omits the trailing slash from its PROPFIND request, the remote web server sends a 301 redirect to the same path but with the trailing slash added. It's at that point that Cyberduck freaks out. Possibly fixing Cyberduck to include a trailing slash on WebDAV requests would work around the problem. |
Actually, I spoke too soon. I'm not getting the exact same error as above. Instead, I'm seeing: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. |
No news ? |
Is the server publicly reachable to debug this issue? |
The issue (can't connect, and having exactly same transcript as I posted on #comment:4) still persists when using Cyberduck 3.4.1, but the error is now really meaningful: "unable to find valid certification path to requested target.". By inspecting the certificate on that machine, I can tell that it is: a) self-signed (I pointed out that in original comment) For me, this issue is from now on resolved as "not a bug", since the error message does explain what happened (although, if I would be not a Java dev, maybe would not understand its message). Maybe a little bit more "chatty" error message would do. Thanks for a great tool! |
Replying to [comment:27 t.cservenak@…]: Thanks for your insightful comment. The issue is that we use a custom certificate validation that is based on the certificates and trust setting in the Keychain. There should be no failure from the Java subsystem because the evaluation of the certificates is not based on the Java cert keystore. It would still be helpful if we can find a publicly reachable system that shows this error. |
Hi there, the URL is: https://is-micro.dyndns.org/projects/nexus-gwt/ This is a DAV enabled folder (httpd + mod_dav) and uses the same cert. Use anon login to test. |
Replying to [comment:29 Tamas Cservenak <t.cservenak@…>]: I get the expected warning dialog to trust the certificate which has a hostname mismatch and has expired. But when I accept, the TLS connection is successfully negotiated and I end up with a WebDAV failure.
|
Replying to [comment:29 Tamas Cservenak <t.cservenak@…>]: What version of OS X are you running? For further debugging on your side it might help if you post some debug log messages. Increase the log level of Cyberduck by pasting
into a Terminal.app window and restart Cyberduck. Debugging output will be printed to the system.log accessible using Console.app. |
It's Mac OS X 10.6.3 (was always current with Mac OS, and this issue was always present, this issue has more than 20 months of history). HW is 2007 MacBook Pro. I sent the DEBUG logs to you over email. |
We have a bug that the custom trust manager verifying the certificates against the Keychain is not used when the request is redirected by the HTTP server. |
Nice! I believe it was the fact that initial URL was not HTTPS and Commons HttpClient did handle the redirect, but was not equipped with proper SSL setup... Good work, thanks! |
Replying to [comment:35 cstamas]:
A new snapshot build is available now with the fix included. |
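The redirect bug described in the maintainer's comment above, as a simplified model added here (Python, not Cyberduck's Java code and not part of the original thread). The store names, the fingerprint string and the `first_hop_store` mechanism are assumptions made for illustration; only the `/some/path` to `/some/path/` 301 and the "custom trust manager not used on redirect" behaviour come from the thread.

```python
from dataclasses import dataclass

class PKIXPathError(Exception):
    """Stands in for Java's 'PKIX path building failed' ValidatorException."""

@dataclass
class TrustStore:
    name: str
    trusted: frozenset  # certificate fingerprints this store accepts
    def check(self, fingerprint):
        if fingerprint not in self.trusted:
            raise PKIXPathError(f"{self.name}: unable to find valid certification path")

# Constructed server: self-signed cert, 301 from /some/path to /some/path/.
SERVER_CERT = "constructed-self-signed-fingerprint"
ROUTES = {"/some/path": (301, "/some/path/"), "/some/path/": (207, None)}
KEYCHAIN = TrustStore("keychain", frozenset({SERVER_CERT}))  # user trusted the cert
JVM_DEFAULT = TrustStore("jvm-default", frozenset())         # self-signed cert unknown

class Client:
    def __init__(self, default_store, first_hop_store=None):
        self.default_store = default_store
        self.first_hop_store = first_hop_store
        self.hops = []  # audit trail: (path, store that validated the handshake)

    def _connect(self, path, store):
        store.check(SERVER_CERT)  # certificate validation precedes any HTTP exchange
        self.hops.append((path, store.name))
        return ROUTES[path]

    def propfind(self, path, max_redirects=5):
        store = self.first_hop_store or self.default_store
        for _ in range(max_redirects + 1):
            status, location = self._connect(path, store)
            if status != 301:
                return status
            # Redirected hops fall back to whatever the client itself is configured with.
            path, store = location, self.default_store
        raise RuntimeError("too many redirects")

def run(client, path="/some/path"):
    # Returns (status or "PKIX failure", hops validated before the outcome).
    try:
        return client.propfind(path), client.hops
    except PKIXPathError:
        return "PKIX failure", client.hops

# Bug: the custom store is attached to the first request only.
buggy = run(Client(default_store=JVM_DEFAULT, first_hop_store=KEYCHAIN))
# Fix: the custom store is the client's own configuration, so every hop uses it.
fixed = run(Client(default_store=KEYCHAIN))
```

The hop audit trail is the useful regression check: every entry should name the custom store, including the hop created by the 301.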
I try to connect to WEBDAV HTTPS. Cyberduck connects normally without error and then disconnects directly (non error)
The end of the log (I do not know if this is relevant or sufficient ...)
Thanks