Trust certificate dialog not showing up
Hi
We are developing a plugin for the intellij platform.
As part of its work, the plugin has to send an http request. It uses URLConnection connection = new URL(urlString).openConnection();
to make sure intellij platform proxy settings and http config is used.
In some enterprise settings, we see proxy servers that use a certificate that is not trusted out of the box by java.
In some cases, the “trust certificate” dialog box appears, and once the user approves the certificate everything is working.
But in other times, the dialog does not appear and the http request fails.
Here is a stacktrace from a user that had this issue recently -
2024-07-17 14:57:17,958 [ 27260] WARN - #com.tabnineCommon.binary.fetch.BinaryRemoteSource - Request of current version failed. Falling back to latest local version.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1665)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
at com.tabnineCommon.binary.fetch.BinaryRemoteSource.remoteVersionRequest(BinaryRemoteSource.java:58)
at com.tabnineCommon.binary.fetch.BinaryRemoteSource.existingLocalBetaVersion(BinaryRemoteSource.java:38)
at com.tabnineCommon.binary.fetch.BinaryVersionFetcher.fetchBinary(BinaryVersionFetcher.java:50)
at com.tabnineCommon.binary.BinaryRun.generateRunCommand(BinaryRun.java:41)
at com.tabnineCommon.binary.BinaryProcessRequesterProvider.lambda$initProcess$1(BinaryProcessRequesterProvider.java:118)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at com.intellij.util.concurrency.ContextCallable.call(ContextCallable.java:32)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at com.intellij.util.concurrency.ContextRunnable.run(ContextRunnable.java:27)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1$1.run(Executors.java:702)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1$1.run(Executors.java:699)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
at java.base/java.util.concurrent.Executors$PrivilegedThreadFactory$1.run(Executors.java:699)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 37 more
We are not sure if it is related to some config in the user machine, in the IDE or has to do with the specific error the user is getting.
Sometimes we use the signtool utility to add the certificate manually, but this process is error prone and also very hard to do when there are many users involved.
Any advice?
Regards
Amir
Another user got the same thing
Would really appreciate some feedback here :-)
Hi! We don't intercept certificate checks fully automatically and the exact steps depend on which HTTP client API you use. For instance, for com.intellij.util.io.HttpRequests or java.net.URLConnection it happens by default. For other clients, such as Apache HttpClient, you might need to configure our SSL context manually using CertificateManager.getInstance().getSslContext() with e.g. org.apache.http.impl.client.HttpClientBuilder#setSSLContext.
We use URLConnection, but still sometimes it works and other times it doesn't.
Specifically, for the two stacktraces above it did not pop up.
Hej Amir,
looking at the stacktrace, maybe it has to do with the TabNine plugin. Looks like it wants to send a request to check some file version.
Best regards,
Marco
Yeah, I am one of the developers of the tabnine plugin :-)
But if a user has a custom certificate that is untrusted by default and my plugin needs to make an https request, I still expect IJ to pop up a “Trust Certificate” dialog.
Ah, I see. I was not aware of that. ;-)
Maybe one of the certificates (that a user might have accepted before) is invalid, e.g. expired.
Good luck, anyway.
I am also getting this with my tabnine plugin. What is the resolution?
Some more info, for anyone looking for a solution.
I was finally able to reproduce this on a user's machine.
My original description of the issue was not accurate. The “Trust Certificate” dialog did pop up for the user, and he accepted the certificate, but still our plugin failed to connect to an https endpoint.
The issue was that we were using
new URL("..").openConnection()
to make the request. To fix this issue, we now use the JetBrains-provided class
com.intellij.util.io.HttpRequests
which sets things up correctly to get it working. I'd like to point out that I think
URL.openConnection
worked in previous versions of JetBrains IDEs, but in the latest versions (2024) it seemed to stop working, and you are required to use the HttpRequests
class to make it work.
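An added example, not code from this thread or from the Tabnine plugin: a version check routed through com.intellij.util.io.HttpRequests as the last post describes, plus the Apache HttpClient wiring mentioned in the JetBrains reply. The class name, URL and timeouts are assumptions; certificate validation stays enabled and a failed handshake falls back to the local version.

```java
import com.intellij.openapi.diagnostic.Logger;
import com.intellij.util.io.HttpRequests;
import com.intellij.util.net.ssl.CertificateManager;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;

import javax.net.ssl.SSLHandshakeException;
import java.io.IOException;

// Hypothetical helper: name, URL and timeouts are illustrative assumptions.
public final class RemoteVersionClient {
    private static final Logger LOG = Logger.getInstance(RemoteVersionClient.class);
    private static final String VERSION_URL = "https://example.com/version"; // placeholder

    private RemoteVersionClient() {}

    /**
     * Reads the remote version through the platform HTTP client, so the IDE's
     * proxy settings and its certificate store (including certificates the user
     * accepted in the "Trust Certificate" dialog) apply. Call off the EDT.
     */
    public static String fetchRemoteVersion(String localFallback) {
        try {
            return HttpRequests.request(VERSION_URL)
                    .connectTimeout(5_000)
                    .readTimeout(5_000)
                    .readString(null) // no progress indicator
                    .trim();
        } catch (SSLHandshakeException e) {
            // The chain is still untrusted (e.g. PKIX path building failed).
            // Log it separately so it is not mistaken for a network outage,
            // and never work around it by disabling validation.
            LOG.warn("TLS trust failure for " + VERSION_URL + ", using local version", e);
            return localFallback;
        } catch (IOException e) {
            LOG.warn("Version request failed, using local version", e);
            return localFallback;
        }
    }

    /** Apache HttpClient variant: it must be handed the IDE's SSLContext explicitly. */
    public static CloseableHttpClient newApacheClient() {
        return HttpClientBuilder.create()
                .setSSLContext(CertificateManager.getInstance().getSslContext())
                .build();
    }
}
```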