{"id":22289758,"url":"https://github.com/cfryanr/cert-trust-demo","last_synced_at":"2025-03-25T21:24:16.485Z","repository":{"id":115057925,"uuid":"259822802","full_name":"cfryanr/cert-trust-demo","owner":"cfryanr","description":null,"archived":false,"fork":false,"pushed_at":"2020-04-29T04:27:57.000Z","size":14,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-30T18:48:04.673Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cfryanr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-29T04:20:39.000Z","updated_at":"2020-04-29T04:28:00.000Z","dependencies_parsed_at":"2023-04-13T16:55:39.966Z","dependency_job_id":null,"html_url":"https://github.com/cfryanr/cert-trust-demo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cfryanr%2Fcert-trust-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cfryanr%2Fcert-trust-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cfryanr%2Fcert-trust-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cfryanr%2Fcert-trust-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cfryanr","download_url":"https://codeload.github.com/cfryanr/cert-trust-demo/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245544457,"owners_count":20632823,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-03T17:10:00.631Z","updated_at":"2025-03-25T21:24:16.477Z","avatar_url":"https://github.com/cfryanr.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cert-trust-demo\n\n## Why\n\nThis app is a simple Java Spring app to demonstrate that there is\nsomething intermittently preventing it from connecting to \nUAA and CAPI on cf-for-k8s v0.1.0.\n\nThis is a simplification of a mature Java app that works great on cf-deployment.\nThat app uses\n[cloudfoundry-certificate-truster](https://github.com/pivotal-cf/cloudfoundry-certificate-truster)\nto implement an important \"skip SSL\" feature for non-production use cases.\nIn this app, rather than declaring cloudfoundry-certificate-truster as\na dependency in our `pom.xml` file as we normally would, we have copied\nthe source code from the library's master branch into this project.\nThis allowed us to enhance the debugging output from the library code,\nbut we have left it otherwise unchanged.\n\n## Steps to Reproduce\n\n1. Clone this repo.\n   We'll assume that you cloned it to `/Users/pivotal/workspace/cert-trust-demo` for the rest of this doc.\n\n1. Edit `manifest.yml` and change the system domain to match the system domain of your cf-for-k8s.\n\n1. Compile the app. Don't forget to repeat this step each time you change the code while debugging.\n\n   ```\n   cd /Users/pivotal/workspace/cert-trust-demo\n   ./mvnw install\n   ```\n\n1. Do the following a few times to push/re-push the app and observe the app's log.\n\n   `cf delete -f cert-trust-demo \u0026\u0026 cf push cert-trust-demo -p /Users/pivotal/workspace/cert-trust-demo/target/demo-0.0.1-SNAPSHOT.jar -f ./manifest.yml \u0026\u0026 sleep 3 \u0026\u0026 kubectl logs $(kubectl get pods -n cf-workloads | grep cert-trust-demo | cut -d' ' -f1) -n cf-workloads -c opi`\n\nSometimes the certificate truster will work, and sometimes it will fail because it\nis unable to connect to port 443 of the UAA and CAPI platform components.\nThe desired behavior is that it should always work, as it would when used in\nJava apps pushed to cf-deployment.\n\nThe log of a successful run will start with happy messages like this:\n```\nCalculated JVM Memory Configuration: -XX:MaxDirectMemorySize=10M -XX:MaxMetaspaceSize=82977K -XX:ReservedCodeCacheSize=240M -Xss1M -Xmx405022K (Head Room: 0%, Loaded Class Count: 12236, Thread Count: 250, Total Memory: 1024000000)\nstarting trusting certificate ***********************************\ntrusting certificate at succeeded for: api.tacos.sso.identity.team:443\ntrusting certificate at succeeded for: login.tacos.sso.identity.team:443\ntrusting certificate at succeeded for: uaa.tacos.sso.identity.team:443\n```\n\nThe log of a failed run will start with sad messages like this:\n```\nCalculated JVM Memory Configuration: -XX:MaxDirectMemorySize=10M -XX:MaxMetaspaceSize=82977K -XX:ReservedCodeCacheSize=240M -Xss1M -Xmx405022K (Head Room: 0%, Loaded Class Count: 12236, Thread Count: 250, Total Memory: 1024000000)\nstarting trusting certificate ***********************************\nError downloading certificate for api.tacos.sso.identity.team:443\njava.net.ConnectException: Connection refused (Connection refused)\n\tat java.base/java.net.PlainSocketImpl.socketConnect(Native Method)\n\tat java.base/java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)\n\tat java.base/java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)\n\tat java.base/java.net.AbstractPlainSocketImpl.connect(Unknown Source)\n\tat java.base/java.net.SocksSocketImpl.connect(Unknown Source)\n\tat java.base/java.net.Socket.connect(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketImpl.connect(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketImpl.\u003cinit\u003e(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)\n\tat com.example.demo.SslCertificateTruster$2.run(SslCertificateTruster.java:103)\n\tat java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)\n\tat java.base/java.util.concurrent.FutureTask.run(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)\n\tat java.base/java.lang.Thread.run(Unknown Source)\ntrusting certificate failed for api.tacos.sso.identity.team:443\njava.security.cert.CertificateException: Could not obtain server certificate chain\n\tat com.example.demo.SslCertificateTruster.getUntrustedCertificateInternal(SslCertificateTruster.java:123)\n\tat com.example.demo.SslCertificateTruster.getUntrustedCertificate(SslCertificateTruster.java:89)\n\tat com.example.demo.SslCertificateTruster.trustCertificateInternal(SslCertificateTruster.java:146)\n\tat com.example.demo.CloudFoundryCertificateTruster.trustCertificatesInternal(CloudFoundryCertificateTruster.java:91)\n\tat com.example.demo.CloudFoundryCertificateTruster.trustCertificates(CloudFoundryCertificateTruster.java:54)\n\tat com.example.demo.CloudFoundryCertificateTruster.\u003cclinit\u003e(CloudFoundryCertificateTruster.java:103)\n\tat java.base/java.lang.Class.forName0(Native Method)\n\tat java.base/java.lang.Class.forName(Unknown Source)\n\tat com.example.demo.DemoApplication.forceClassInitializationToCallStaticBlock(DemoApplication.java:11)\n\tat com.example.demo.DemoApplication.main(DemoApplication.java:22)\nError downloading certificate for login.tacos.sso.identity.team:443\njava.net.ConnectException: Connection refused (Connection refused)\n\tat java.base/java.net.PlainSocketImpl.socketConnect(Native Method)\n\tat java.base/java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)\n\tat java.base/java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)\n\tat java.base/java.net.AbstractPlainSocketImpl.connect(Unknown Source)\n\tat java.base/java.net.SocksSocketImpl.connect(Unknown Source)\n\tat java.base/java.net.Socket.connect(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketImpl.connect(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketImpl.\u003cinit\u003e(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)\n\tat com.example.demo.SslCertificateTruster$2.run(SslCertificateTruster.java:103)\n\tat java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)\n\tat java.base/java.util.concurrent.FutureTask.run(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)\n\tat java.base/java.lang.Thread.run(Unknown Source)\ntrusting certificate failed for login.tacos.sso.identity.team:443\njava.security.cert.CertificateException: Could not obtain server certificate chain\n\tat com.example.demo.SslCertificateTruster.getUntrustedCertificateInternal(SslCertificateTruster.java:123)\n\tat com.example.demo.SslCertificateTruster.getUntrustedCertificate(SslCertificateTruster.java:89)\n\tat com.example.demo.SslCertificateTruster.trustCertificateInternal(SslCertificateTruster.java:146)\n\tat com.example.demo.CloudFoundryCertificateTruster.trustCertificatesInternal(CloudFoundryCertificateTruster.java:91)\n\tat com.example.demo.CloudFoundryCertificateTruster.trustCertificates(CloudFoundryCertificateTruster.java:54)\n\tat com.example.demo.CloudFoundryCertificateTruster.\u003cclinit\u003e(CloudFoundryCertificateTruster.java:103)\n\tat java.base/java.lang.Class.forName0(Native Method)\n\tat java.base/java.lang.Class.forName(Unknown Source)\n\tat com.example.demo.DemoApplication.forceClassInitializationToCallStaticBlock(DemoApplication.java:11)\n\tat com.example.demo.DemoApplication.main(DemoApplication.java:22)\nError downloading certificate for uaa.tacos.sso.identity.team:443\njava.net.ConnectException: Connection refused (Connection refused)\n\tat java.base/java.net.PlainSocketImpl.socketConnect(Native Method)\n\tat java.base/java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)\n\tat java.base/java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)\n\tat java.base/java.net.AbstractPlainSocketImpl.connect(Unknown Source)\n\tat java.base/java.net.SocksSocketImpl.connect(Unknown Source)\n\tat java.base/java.net.Socket.connect(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketImpl.connect(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketImpl.\u003cinit\u003e(Unknown Source)\n\tat java.base/sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)\n\tat com.example.demo.SslCertificateTruster$2.run(SslCertificateTruster.java:103)\n\tat java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)\n\tat java.base/java.util.concurrent.FutureTask.run(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)\n\tat java.base/java.lang.Thread.run(Unknown Source)\ntrusting certificate failed for uaa.tacos.sso.identity.team:443\njava.security.cert.CertificateException: Could not obtain server certificate chain\n\tat com.example.demo.SslCertificateTruster.getUntrustedCertificateInternal(SslCertificateTruster.java:123)\n\tat com.example.demo.SslCertificateTruster.getUntrustedCertificate(SslCertificateTruster.java:89)\n\tat com.example.demo.SslCertificateTruster.trustCertificateInternal(SslCertificateTruster.java:146)\n\tat com.example.demo.CloudFoundryCertificateTruster.trustCertificatesInternal(CloudFoundryCertificateTruster.java:91)\n\tat com.example.demo.CloudFoundryCertificateTruster.trustCertificates(CloudFoundryCertificateTruster.java:54)\n\tat com.example.demo.CloudFoundryCertificateTruster.\u003cclinit\u003e(CloudFoundryCertificateTruster.java:103)\n\tat java.base/java.lang.Class.forName0(Native Method)\n\tat java.base/java.lang.Class.forName(Unknown Source)\n\tat com.example.demo.DemoApplication.forceClassInitializationToCallStaticBlock(DemoApplication.java:11)\n\tat com.example.demo.DemoApplication.main(DemoApplication.java:22)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcfryanr%2Fcert-trust-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcfryanr%2Fcert-trust-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcfryanr%2Fcert-trust-demo/lists"}