GIT HTTPS Internal CA "cannot open git-upload-pack" [message #1779533] Tue, 09 January 2018 11:11
(Communicate over ssl with remote git repository is not working because we are using an internal ca)
Christian Hässler
Messages: 2
Registered: January 2018
Junior Member
Hello together,

I tried using Eclipse with EGit/JGit to communicate with our remote repository. If I use git on the command line, it works as designed after adding the certificate to the bundle as recommended here:
https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exes-store/


My .gitconfig looks like:
[user]
	name = My Name
	email = My E-Mail
[http]
	sslCAInfo = C:/users/myuser/ca-bundle.crt
	sslVerify = true


Of course it works as well if I set:
sslVerify = false

But this is a workaround and not a solution, because we have a valid certificate from a valid corporate-wide CA.

The error:
https://git.company.local/myuser/scripts.git: cannot open git-upload-pack


Stack trace:
org.eclipse.jgit.api.errors.TransportException: https://git.company.local/myuser/scripts.git: cannot open git-upload-pack
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:245)
	at org.eclipse.jgit.api.PullCommand.call(PullCommand.java:288)
	at org.eclipse.egit.core.op.PullOperation$1.run(PullOperation.java:200)
	at org.eclipse.core.internal.resources.Workspace.run(Workspace.java:2240)
	at org.eclipse.core.internal.resources.Workspace.run(Workspace.java:2267)
	at org.eclipse.egit.core.op.PullOperation.execute(PullOperation.java:232)
	at org.eclipse.egit.ui.internal.pull.PullOperationUI.execute(PullOperationUI.java:176)
	at org.eclipse.egit.ui.internal.pull.PullOperationUI.access$0(PullOperationUI.java:168)
	at org.eclipse.egit.ui.internal.pull.PullOperationUI$1.runInWorkspace(PullOperationUI.java:141)
	at org.eclipse.core.internal.resources.InternalWorkspaceJob.run(InternalWorkspaceJob.java:39)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:56)
Caused by: org.eclipse.jgit.errors.TransportException: https://git.company.local/myuser/scripts.git: cannot open git-upload-pack
	at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:566)
	at org.eclipse.jgit.transport.TransportHttp.openFetch(TransportHttp.java:326)
	at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136)
	at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122)
	at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1236)
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:234)
	... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at java.net.HttpURLConnection.getResponseCode(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
	at org.eclipse.jgit.transport.http.JDKHttpConnection.getResponseCode(JDKHttpConnection.java:99)
	at org.eclipse.jgit.util.HttpSupport.response(HttpSupport.java:202)
	at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:504)
	... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	... 38 more


Session Data:
eclipse.buildId=4.7.1.M20171009-0410
java.version=1.8.0_151
java.vendor=Oracle Corporation
BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=de_DE
Framework arguments:  -product org.eclipse.epp.package.java.product
Command-line arguments:  -os win32 -ws win32 -arch x86_64 -product org.eclipse.epp.package.java.product


Plugins:
  Git integration for Eclipse	4.9.2.201712150930-r	org.eclipse.egit.feature.group	Eclipse EGit
  Git integration for Eclipse - Task focused interface	4.9.2.201712150930-r	org.eclipse.egit.mylyn.feature.group	Eclipse EGit
  Java implementation of Git	4.9.2.201712150930-r	org.eclipse.jgit.feature.group	Eclipse JGit
  Mylyn Versions Connector: Git	1.15.0.v20170411-2003	org.eclipse.mylyn.git.feature.group	Eclipse Mylyn


Git Version:
C:\versionsverwaltung\git_scripts>git version
git version 2.15.1.windows.2
Re: GIT HTTPS Internal CA "cannot open git-upload-pack" [message #1779585 is a reply to message #1779533] Wed, 10 January 2018 00:28
Matthias Sohn
Messages: 1032
Registered: July 2009
Senior Member
Configuring the CA cert using git config isn't supported by JGit yet. You should be able to work around this by adding the CA certs to the truststore of the JVM used to run JGit.
See e.g. https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html

Chris had worked on this a long time back but then our priorities changed and this was never finished
https://git.eclipse.org/r/#/c/3200/
Re: GIT HTTPS Internal CA "cannot open git-upload-pack" [message #1779594 is a reply to message #1779585] Wed, 10 January 2018 06:48
Christian Hässler
Messages: 2
Registered: January 2018
Junior Member
I am not going to authenticate with a client-side certificate. I would like to connect to a server over an SSL connection. The server certificate is signed by an internal CA. The root certificate of the internal CA is in the Windows truststore and included in my packet: C:/users/myuser/ca-bundle.crt.

But if I get this right, JGit doesn't use the certificates from the file git uses with the parameter sslCAInfo. Instead JGit is using the Java internal keystore?
Re: GIT HTTPS Internal CA "cannot open git-upload-pack" [message #1780547 is a reply to message #1779594] Tue, 23 January 2018 20:19
Matthias Sohn
Messages: 1032
Registered: July 2009
Senior Member
Exactly. So you need to configure the truststore of the JVM running Eclipse to trust certificates issued by your internal CA.
Refer to "Import a Certificate for the CA" in https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
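
The truststore import described in the last reply, written out as an added example that is not part of the original thread. The JRE path, the certificate file name and the alias are assumptions; the file must contain only the internal root CA certificate rather than the whole ca-bundle.crt, because a trusted-certificate entry in a Java keystore holds a single certificate.

```powershell
# Added example. All values below are assumptions; adjust them to the machine.
# The JVM Eclipse actually runs on is listed as java.home in the About dialog's
# Installation Details, Configuration tab (the same dump as "Session Data").
$JavaHome  = 'C:\Program Files\Java\jre1.8.0_151'    # assumed install path of that JRE
$CaCert    = 'C:\users\myuser\internal-root-ca.crt'  # hypothetical file: the internal root CA only
$Alias     = 'internal-root-ca'                      # hypothetical alias
$StorePass = 'changeit'                              # default cacerts password unless it was changed

$Keytool = Join-Path $JavaHome 'bin\keytool.exe'
$CaCerts = Join-Path $JavaHome 'lib\security\cacerts'

# 1. Inspect the certificate before trusting it. Compare subject, validity and
#    fingerprint with the values published by whoever operates the internal CA.
& $Keytool -printcert -file $CaCert

# 2. Keep a copy of the untouched truststore so the change can be rolled back.
Copy-Item -Path $CaCerts -Destination "$CaCerts.bak"

# 3. Import the CA as a trusted entry. keytool shows the certificate again and
#    asks for confirmation. Needs an elevated prompt when the JRE is under Program Files.
& $Keytool -importcert -trustcacerts -alias $Alias -file $CaCert `
    -keystore $CaCerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed; truststore left unchanged' }

# 4. Confirm the entry is present and is the certificate inspected in step 1.
& $Keytool -list -v -alias $Alias -keystore $CaCerts -storepass $StorePass
```

Restart Eclipse afterwards so the JVM reloads the truststore, and leave sslVerify = true in place. The import applies to this one JRE only, so it has to be repeated if Eclipse is later started with a different or updated JVM.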