Issue 1239: OpenID login: I/O transport error: peer not authenticated
Status:  Invalid
Owner:  ----
Closed:  Mar 2013


Reported by bryan.Leong.g@gmail.com, Jan 21, 2012
Affected Version: 2.2.1

What steps will reproduce the problem?
1. Sign in with OpenID with google account

What is the expected output? What do you see instead?
1. I can't login with OpenID. 
2. Error message on GUI. "Provider is not supported, or was incorrectly entered."


Please provide any additional information below.

error_log:
[2012-01-21 09:21:32,539] ERROR com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl : Cannot discover OpenID https://www.google.com/accounts/o8/id?id=AItOawmYJPbgx6MIXMBRckv3AmM2vNHv0yhS2Wg
org.openid4java.discovery.yadis.YadisException: 0x704: I/O transport error: peer not authenticated
        at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:478)
        at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:248)
        at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
        at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
        at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
        at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
        at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
        at com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl.init(OpenIdServiceImpl.java:510)
        at com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl.doAuth(OpenIdServiceImpl.java:249)
        at com.google.gerrit.httpd.auth.openid.OpenIdLoginServlet.doPost(OpenIdLoginServlet.java:50)
        at com.google.gerrit.httpd.auth.openid.OpenIdLoginServlet.doGet(OpenIdLoginServlet.java:40)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:216)
        at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:141)
        at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:63)
        at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
        at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
        at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
        at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:76)
        at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:129)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
        at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
        at com.google.gerrit.httpd.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:54)
        at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:129)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
        at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:122)
        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:110)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1322)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:473)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:921)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:403)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:856)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:114)
        at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:59)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:114)
        at org.eclipse.jetty.server.Server.handle(Server.java:352)
        at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:596)
        at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1052)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:590)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:212)
        at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:426)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:510)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.access$000(SelectChannelEndPoint.java:34)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:450)
        at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
        at org.openid4java.util.HttpCache.head(HttpCache.java:335)
        at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:400)
        ... 52 more
[2012-01-21 09:21:52,029] ERROR com.google.gerrit.server.git.PushReplication : Cannot replicate to gerrit2@10.40.2.117:/opt/git/TF1-wrapper.git
org.eclipse.jgit.errors.TransportException: gerrit2@10.40.2.117:/opt/git/TF1-wrapper.git: reject HostKey: 10.40.2.117
        at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:138)
        at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:121)
        at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:248)
        at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:147)
        at com.google.gerrit.server.git.PushOp.listRemote(PushOp.java:358)
        at com.google.gerrit.server.git.PushOp.generateUpdates(PushOp.java:312)
        at com.google.gerrit.server.git.PushOp.pushVia(PushOp.java:258)
        at com.google.gerrit.server.git.PushOp.runImpl(PushOp.java:213)
        at com.google.gerrit.server.git.PushOp.run(PushOp.java:166)
        at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
        at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
        at java.util.concurrent.FutureTask.run(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
        at com.google.gerrit.server.git.WorkQueue$Task.run(WorkQueue.java:324)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)


Mar 5, 2012
#1 mtakem...@gmail.com
I get the same error for Yahoo! Japan.
Mar 30, 2012
#2 csilv...@khanacademy.org
I'm getting the same error on an Ubuntu 11 box (running on Amazon EC2, which may or may not be an issue here).  I played around with it and made some progress, but not a total solution.  Here's what I got, in case it helps:

The error seems to be with the cacerts -- this file is small on Ubuntu by default.  You can add some by doing this:
   $ sudo keytool -alias cacert -import -keystore /etc/ssl/certs/java/cacerts -file /usr/share/ca-certificates/cacert.org/cacert.org.crt
You will need to enter the keytool password, which by default is 'changeit' (http://mediakey.dk/~cc/java-default-keystore-password-cacerts/)

Once I did this and restarted gerrit, I got a different error:

[2012-03-30 18:11:17,094] ERROR com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl : Cannot create OpenID redirect for https://www.google.com/accounts/o8/id
org.openid4java.message.MessageException: 0x300: Error verifying return URL in auth request.

Looking at the source code, this *seems* to be because the url is malformed (can't be parsed).  I couldn't figure out what the misparsed url was, though -- it looks like I'd have to recompile from source to get that, which I haven't done yet.  My guess is it's an error message or something.

There's probably an easy solution: I noticed issue 513, which may be what is happening here as well.  But I don't know how to solve this on Ubuntu (as opposed to Debian).  Maybe just need to download the sun-java6-jre package manually.
Apr 2, 2012
#3 csilv...@khanacademy.org
} Once I did this and restarted gerrit, I got a different error:
} [2012-03-30 18:11:17,094] ERROR com.google.gerrit.httpd.auth.openid.OpenIdServiceImpl : Cannot create OpenID redirect for https://www.google.com/accounts/o8/id
} org.openid4java.message.MessageException: 0x300: Error verifying return URL in auth request.

It turns out this error was my fault: I had left the 'http://' prefix off canonicalWebUrl when initializing.  Once I fixed that, the openid worked.

In retrospect, I'm not sure that the keytool command is what fixed it for me.  More likely is that I installed the java jdk, which does include a full list of certs, following the instructions here: http://thelinuxexperiment.com/guinea-pigs/tyler-b/how-to-install-sun-java6-jdk-and-netbeans-in-ubuntu-11-10/, and then ran:
   % sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
   % sudo ln -snf /etc/java-6-sun/security/cacerts /etc/ssl/certs/java/cacerts
Apr 15, 2012
#4 ryan.raa...@gmail.com
Hi. I got more or less the same problem. I don't use the sun version, however, I use the openjdk. I 'fixed' the problem with the following command

sudo update-ca-certificates

This seemed to update the links correctly.
Apr 28, 2012
#5 zole...@gmail.com
Nothing of this helps, still getting the same error. I'm on Debian x64.
Nov 29, 2012
#6 lukasz.d...@gmail.com
For me, the solution for the 0x300 error was setting canonicalWebUrl.
Mar 28, 2013
#7 sop@google.com
(No comment was entered for this change.)
Status: Invalid
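
Added example, not part of the original thread and not Gerrit's own code: a shell preflight for the two causes the comments identify, a canonicalWebUrl without its http:// prefix (the 0x300 error) and a small Java cacerts truststore ("peer not authenticated"). The function names, the gerrit.example.com hostname and reading the setting from the [gerrit] section of a gerrit.config-style file are assumptions; the truststore path and the 'changeit' password are the ones quoted in comment #2.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for the two causes above.

# Print gerrit.canonicalWebUrl from a gerrit.config-style file
# (section and key names are case-insensitive, as in git config).
canonical_web_url() {
  awk '
    /^[ \t]*\[/ { in_gerrit = (tolower($0) ~ /^[ \t]*\[gerrit\][ \t]*$/); next }
    in_gerrit && tolower($0) ~ /^[ \t]*canonicalweburl[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# Succeed only if the URL is set and starts with http:// or https://.
check_canonical_url() {
  url=$(canonical_web_url "$1")
  case "$url" in
    http://?*|https://?*) echo "ok: $url"; return 0 ;;
    "") echo "missing: gerrit.canonicalWebUrl is not set"; return 1 ;;
    *) echo "bad: '$url' has no http:// or https:// prefix"; return 1 ;;
  esac
}

# Count CA entries in a Java truststore (requires keytool on PATH).
# LC_ALL=C keeps the keytool output in English so the entry type matches.
count_trust_anchors() {
  LC_ALL=C keytool -list -keystore "$1" -storepass "${2:-changeit}" 2>/dev/null |
    grep -c 'trustedCertEntry'
}

# Constructed sample: the URL lacks its scheme, as described in comment #3.
sample="${TMPDIR:-/tmp}/gerrit.config.sample.$$"
printf '[gerrit]\n\tcanonicalWebUrl = gerrit.example.com:8080/\n' > "$sample"
check_canonical_url "$sample" || true
rm -f "$sample"

# Truststore size, only when keytool and the path from the thread are present.
ks=/etc/ssl/certs/java/cacerts
if command -v keytool >/dev/null 2>&1 && [ -r "$ks" ]; then
  echo "trust anchors in $ks: $(count_trust_anchors "$ks")"
fi
```

A count far below what a full JDK ships points at the truststore rather than at the OpenID provider; compare it before and after running update-ca-certificates or relinking cacerts.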