Issue 1239: OpenID login: I/O transport error: peer not authenticated
Affected Version: 2.2.1

What steps will reproduce the problem?
1. Sign in with OpenID with google account
2.
3.

What is the expected output? What do you see instead?
1. I can't login with OpenID.
2. Error message on GUI. "Provider is not supported, or was incorrectly entered."

Please provide any additional information below.

error_log:

[2012-01-21 09:21:32,539] ERROR com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl : Cannot discover OpenID https://www.google.com/accounts/o8/id?id=AItOawmYJPbgx6MIXMBRckv3AmM2vNHv0yhS2Wg
org.openid4java.discovery.yadis.YadisException: 0x704: I/O transport error: peer not authenticated
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:478)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:248)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
    at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
    at com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl.init(OpenIdServiceImpl.java:510)
    at com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl.doAuth(OpenIdServiceImpl.java:249)
    at com.google.gerrit.httpd.auth.openid.OpenIdLoginServlet.doPost(OpenIdLoginServlet.java:50)
    at com.google.gerrit.httpd.auth.openid.OpenIdLoginServlet.doGet(OpenIdLoginServlet.java:40)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:216)
    at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:141)
    at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:63)
    at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
    at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
    at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
    at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:76)
    at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:129)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
    at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
    at com.google.gerrit.httpd.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:54)
    at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:129)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
    at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:122)
    at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:110)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1322)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:473)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:921)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:403)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:856)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:114)
    at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:59)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:114)
    at org.eclipse.jetty.server.Server.handle(Server.java:352)
    at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:596)
    at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1052)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:590)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:212)
    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:426)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:510)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.access$000(SelectChannelEndPoint.java:34)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:450)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
    at org.openid4java.util.HttpCache.head(HttpCache.java:335)
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:400)
    ... 52 more

[2012-01-21 09:21:52,029] ERROR com.google.gerrit.server.git.PushReplication : Cannot replicate to gerrit2@10.40.2.117:/opt/git/TF1-wrapper.git
org.eclipse.jgit.errors.TransportException: gerrit2@10.40.2.117:/opt/git/TF1-wrapper.git: reject HostKey: 10.40.2.117
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:138)
    at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:121)
    at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:248)
    at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:147)
    at com.google.gerrit.server.git.PushOp.listRemote(PushOp.java:358)
    at com.google.gerrit.server.git.PushOp.generateUpdates(PushOp.java:312)
    at com.google.gerrit.server.git.PushOp.pushVia(PushOp.java:258)
    at com.google.gerrit.server.git.PushOp.runImpl(PushOp.java:213)
    at com.google.gerrit.server.git.PushOp.run(PushOp.java:166)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at com.google.gerrit.server.git.WorkQueue$Task.run(WorkQueue.java:324)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Mar 5, 2012
#1
mtakem...@gmail.com
Mar 30, 2012
I'm getting the same error on an ubuntu 11 box (running on amazon ec2, which may or may not be an issue here). I played around with it and made some progress, but not a total solution. Here's what I got, in case it helps:

The error seems to be with the cacerts -- this file is small on ubuntu by default. You can add some by doing this:

$ sudo keytool -alias cacert -import -keystore /etc/ssl/certs/java/cacerts -file /usr/share/ca-certificates/cacert.org/cacert.org.crt

You will need to enter the keytool password, which by default is 'changeit' (http://mediakey.dk/~cc/java-default-keystore-password-cacerts/)

Once I did this and restarted gerrit, I got a different error:

[2012-03-30 18:11:17,094] ERROR com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl : Cannot create OpenID redirect for https://www.google.com/accounts/o8/id
org.openid4java.message.MessageException: 0x300: Error verifying return URL in auth request.

Looking at the source code, this *seems* to be because the url is malformed (can't be parsed). I couldn't figure out what the misparsed url was, though -- it looks like I'd have to recompile from source to get that, which I haven't done yet. My guess is it's an error message or something.

There's probably an easy solution: I noticed issue 513, which may be what is happening here as well. But I don't know how to solve this on ubuntu (as opposed to debian). Maybe just need to download the sun-java6-jre package manually.
Apr 2, 2012
} Once I did this and restarted gerrit, I got a different error:
} [2012-03-30 18:11:17,094] ERROR com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl : Cannot create OpenID redirect for https://www.google.com/accounts/o8/id
} org.openid4java.message.MessageException: 0x300: Error verifying return URL in auth request.

It turns out this error was my fault: I had left the 'http://' prefix off canonicalWebUrl when initializing. Once I fixed that, the openid worked.

In retrospect, I'm not sure that the keytool command is what fixed it for me. More likely is that I installed the java jdk, which does include a full list of certs, following the instructions here: http://thelinuxexperiment.com/guinea-pigs/tyler-b/how-to-install-sun-java6-jdk-and-netbeans-in-ubuntu-11-10/, and then ran:

% sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
% sudo ln -snf /etc/java-6-sun/security/cacerts /etc/ssl/certs/java/cacerts
Apr 15, 2012
Hi. I got more or less the same problem. I don't use the sun version, however, I use the openjdk. I 'fixed' the problem with the following command:

sudo update-ca-certificates

This seemed to update the links correctly.
Apr 28, 2012
Nothing of this helps, still getting the same error. I'm on Debian x64.
Nov 29, 2012
For me, the solution for the 0x300 error was setting canonicalWebUrl.
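The comments above report two separate causes: a JVM trust store without the needed CA certificates (0x704, peer not authenticated) and a canonicalWebUrl without its 'http://' prefix (0x300). The script below is an added example, not part of the original thread or of Gerrit, that checks both before a restart. The function names and the gerrit.config path you pass are assumptions; the trust store default and the 'changeit' password are the ones quoted in the comments.

```sh
#!/bin/sh
# Added diagnostic sketch; function names are illustrative, not Gerrit's.

# Print gerrit.canonicalWebUrl from a gerrit.config (git-config syntax).
canonical_web_url() {
  awk '
    /^[ \t]*\[/ { in_gerrit = (tolower($0) ~ /^[ \t]*\[gerrit\]/); next }
    in_gerrit && tolower($0) ~ /^[ \t]*canonicalweburl[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# Return 0 only if canonicalWebUrl is set and starts with http:// or https://.
check_canonical_web_url() {
  url=$(canonical_web_url "$1")
  case "$url" in
    http://?*|https://?*) echo "ok: canonicalWebUrl = $url"; return 0 ;;
    "") echo "missing: canonicalWebUrl is not set in $1"; return 1 ;;
    *)  echo "bad: '$url' has no http:// or https:// prefix"; return 1 ;;
  esac
}

# Report where the JVM trust store points and how many CA entries it holds.
# $1 = trust store path, $2 = store password (defaults as quoted in the thread).
check_truststore() {
  store=${1:-/etc/ssl/certs/java/cacerts}
  [ -e "$store" ] || { echo "missing: $store"; return 1; }
  [ -L "$store" ] && echo "symlink: $store -> $(readlink "$store")"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH"; return 2; }
  n=$(keytool -list -keystore "$store" -storepass "${2:-changeit}" 2>/dev/null \
        | grep -c 'trustedCertEntry' || true)
  echo "trusted CA entries in $store: $n"
  [ "$n" -gt 0 ]
}

# Run both checks when a gerrit.config path is given as the first argument.
if [ -n "${1:-}" ]; then
  check_canonical_web_url "$1"
  check_truststore "${2:-}"
fi
```

A count of zero or only a handful of trusted entries matches the "cacerts file is small" symptom described in the first comment.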
Mar 28, 2013
(No comment was entered for this change.)
Status: Invalid