quarkus: maven deploy to minikube fails due to insecure curl problem

Describe the bug

When executing: mvn clean package -Dquarkus.kubernetes.deploy=true -debug

Expected behavior

Quarkus installs whatever is needed to deploy

Actual behavior

20:41:14,717 [build-17] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] error: cannot update repo 'ubi-8-baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried; Last error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
20:41:14,776 [build-6] [DEBUG] [io.quarkus.bootstrap.classloading.QuarkusClassLoader] Class io.dekorate.deps.kubernetes.api.model.EnvVarBuilder not found in parent first load from ClassRealm[plugin>io.quarkus:quarkus-maven-plugin:1.5.0.Final, parent: sun.misc.Launcher$AppClassLoader@55f96302]
20:41:14,812 [build-17] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] The command '/bin/sh -c microdnf install curl ca-certificates ${JAVA_PACKAGE}     && microdnf update     && microdnf clean all     && mkdir /deployments     && chown 1001 /deployments     && chmod "g+rwX" /deployments     && chown 1001:root /deployments     && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh     && chown 1001 /deployments/run-java.sh     && chmod 540 /deployments/run-java.sh     && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security' returned a non-zero code: 1

To Reproduce

Steps to reproduce the behavior:

  1. install minikube
  2. follow https://haralduebele.blog/2020/04/03/deploy-your-quarkus-applications-on-kubernetes-almost-automatically/

I believe there is a problem with curl inside:

curl -v https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get issuer certificate
curl: (60) SSL certificate problem: unable to get issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl -v https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml --insecure
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET /content/publicm/ubi/dist/ubi8/8/x86_64/baseosoms/repodata/repmd.xml HTTP/1.1
> Host: cdn-ubi.redhat.com
> User-Agent: curl/7.66.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: AkamaiGHost
< Mime-Version: 1.0
< Content-Type: text/html
< Content-Length: 383
< Expires: Tue, 09 Jun 2020 18:51:01 GMT
< Date: Tue, 09 Jun 2020 18:51:01 GMT
< Connection: Keep-Alive
<
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>

You don't have permission to access "http&#58;&#47;&#47;cdn&#45;ubi&#46;redhat&#46;com&#47;content&#47;publicm&#47;ubi&#47;dist&#47;ubi8&#47;8&#47;x86&#95;64&#47;baseosoms&#47;repodata&#47;repmd&#46;xml" on this server.<P>
Reference&#32;&#35;18&#46;9c02655f&#46;1591728661&#46;68045495
</BODY>
</HTML>

Environment (please complete the following information):

  • Output of uname -a or ver: $ uname -a Linux minikube 4.19.107 #1 SMP Thu May 28 15:07:17 PDT 2020 x86_64 GNU/Linux
  • Output of java -version: λ java -version java version “1.8.0_152” Java™ SE Runtime Environment (build 1.8.0_152-b16) Java HotSpot™ 64-Bit Server VM (build 25.152-b16, mixed mode)
  • GraalVM version (if different from Java):
  • Quarkus version or git rev: quarkus-maven-plugin:1.5.0.Final
  • Build tool (ie. output of mvnw --version or gradlew --version): λ mvn -v Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; 2019-04-04T21:00:29+02:00) Maven home: C:\Users\tool\apache-maven-3.6.1\bin.. Java version: 1.8.0_131, vendor: Oracle Corporation, runtime: C:\Users\tool\java\jre Default locale: de_DE, platform encoding: Cp1252 OS name: “windows 7”, version: “6.1”, arch: “amd64”, family: “windows”

Additional context

I updated /etc/ssl/certs/cacert.pem without success. Also, when logged in via terminal, this helped - but not with Maven:

cat ~/.curlrc
insecure

About this issue

  • State: open
  • Created 4 years ago
  • Comments: 36 (13 by maintainers)

Most upvoted comments

Ok, finally I found the solution…

As suspected, our SSL intercepting proxy is causing a problem again - and just adding it to the Linux Virtualbox host was not enough for the isolated docker container underneath to accept it. By copying the intercepting SSL PEM inside the registry.access.redhat.com/ubi8/ubi:8.1 image to /etc/pki/ca-trust/source/anchors/, and running update-ca-trust, curl will now no longer mind the sniffing proxy and just works:

[root@0fa71125f5bd /]# yum install curl
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                                                      2.6 MB/s |  18 MB     00:06
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                                                                                                                         1.9 MB/s |  18 MB     00:09
Red Hat Universal Base Image 8 (RPMs) - BaseOS                                                                                                                                                                552 kB/s | 766 kB     00:01
Red Hat Universal Base Image 8 (RPMs) - AppStream                                                                                                                                                             1.3 MB/s | 3.8 MB     00:02
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder                                                                                                                                                     9.1 kB/s |  11 kB     00:01
Package curl-7.61.1-12.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

In case you are also targeting big companies, which often use this kind of intercepting proxy, then I highly recommend some sort of automatism for intercepting proxies.

Or maybe there already is?
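
What the fix in the comment above changes, as an added example that is not part of the original issue or of Quarkus: a constructed "proxy CA" signs a certificate for the repository host, and verification fails until that CA is in the trust bundle, which is what copying the PEM to /etc/pki/ca-trust/source/anchors/ and running update-ca-trust achieves in the image. All keys, certificates and file names are generated for the demonstration; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Constructed demo: a TLS-intercepting proxy re-signs server certificates with
# its own CA. A trust bundle that lacks that CA rejects them (curl error 60).

# Create a self-signed CA: make_ca <name> <dir>
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

# Issue a certificate for <host> signed by CA <name>: make_leaf <host> <name> <dir>
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$3/leaf.key" -out "$3/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$3/leaf.csr" -days 1 -CA "$3/$2.pem" \
    -CAkey "$3/$2.key" -CAcreateserial -out "$3/leaf.pem" 2>/dev/null
}

# Succeeds only if <cert> verifies with <bundle> as the CA file: trusted <bundle> <cert>
trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Before/after check; prints one line per state.
demo() {
  demo_dir=$(mktemp -d) || return 1
  make_ca public-root "$demo_dir" && make_ca proxy-ca "$demo_dir" &&
    make_leaf cdn-ubi.redhat.com proxy-ca "$demo_dir" || return 1

  # Bundle as shipped in the image: a public root, but not the proxy's CA.
  cp "$demo_dir/public-root.pem" "$demo_dir/bundle.pem"
  trusted "$demo_dir/bundle.pem" "$demo_dir/leaf.pem" \
    && echo "before: trusted" || echo "before: rejected"

  # Effect of placing the proxy PEM in /etc/pki/ca-trust/source/anchors/
  # and running update-ca-trust: the CA becomes part of the bundle.
  cat "$demo_dir/proxy-ca.pem" >> "$demo_dir/bundle.pem"
  trusted "$demo_dir/bundle.pem" "$demo_dir/leaf.pem" \
    && echo "after: trusted" || echo "after: rejected"

  rm -rf "$demo_dir"
}

demo
```

Unlike `insecure` in ~/.curlrc, this keeps certificate verification switched on and adds trust for exactly one additional CA.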