Configured Node:
Launch method: Launchagents via SSH
Host: host
Credentials: added a new one by specifying username and Private key
Host Key Verification Strategy: Not verifying (The error does not differ when choosing a different value)
When I try to connect, I get an error:
[08/24/22 14:39:14] [SSH] Opening SSH connection to host:22.
[08/24/22 14:39:14] [SSH] WARNING: SSH Host Keys are not being verified. Man-in-the-middle attacks may be possible against this connection.
ERROR: Server rejected the 1 private key(s) for cred_name (credentialId:cred_name/method:publickey)
ERROR: Failed to authenticate as cred_name with credential=cred_name
java.io.IOException: Publickey authentication failed.
at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:349)
at com.trilead.ssh2.Connection.authenticateWithPublicKey(Connection.java:472)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.doAuthenticate(TrileadSSHPublicKeyAuthenticator.java:110)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:431)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:468)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:881)
at hudson.plugins.sshslaves.SSHLauncher.lambda$launch$0(SSHLauncher.java:434)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.io.IOException: Could not generate signature
at com.trilead.ssh2.signature.KeyAlgorithm.generateSignature(KeyAlgorithm.java:43)
at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:316)
... 10 more
Caused by: java.security.SignatureException: Could not sign data
at java.base/sun.security.rsa.RSASignature.engineSign(RSASignature.java:196)
at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)
at java.base/java.security.Signature.sign(Signature.java:712)
at com.trilead.ssh2.signature.KeyAlgorithm.generateSignature(KeyAlgorithm.java:41)
... 11 more
Caused by: javax.crypto.BadPaddingException: RSA private key operation failed
at java.base/sun.security.rsa.RSACore.crtCrypt(RSACore.java:209)
at java.base/sun.security.rsa.RSACore.rsa(RSACore.java:130)
at java.base/sun.security.rsa.RSASignature.engineSign(RSASignature.java:193)
... 14 more
[08/24/22 14:39:14] [SSH] Authentication failed.
From the machine on which Jenkins is installed, I can connect to a remote one using:
ssh name#host -p 22
All the solutions I found to this issue were solved through the console under the user Jenkins
But how to solve this issue using the jenkins UI, because the connection to the previously created Node is active, the problems are only with this. Maybe he indicated something wrong
The private key was created using:
ssh-keygen -t rsa
I took the key from rsa_id
I had the same issue. I think it's a bug.
I changed the type of ssh-key to ed25519 and it worked.
ssh-keygen -t ed25519
Related
I did the setup of the Cosmos DB emulator on the local machine, and started with the following parameters:
/port=443 /AllowNetworkAccess /Key=<CosmosPrimaryKey>
And currently, it is accessible via https://<LocalMachineIP>/
When I tried to make a curl request from the docker Redhat container (using docker image: confluentinc/cp-kafka-connect) it throws the below error:
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
And when trying to crate cosmos DB source connector it throws the below error:
[20 10:37:45,018] ERROR Client initialization failed. Check if the endpoint is reachable and if your auth token is valid. More info: https://aka.ms/cosmosdb-tsg-service-unavailable-java (com.azure.cosmos.implementation.RxDocumentClientImpl)
[2022-05-20 10:37:45,079] ERROR unexpected failure in initializing client. (com.azure.cosmos.implementation.RxDocumentClientImpl)
java.lang.RuntimeException: Client initialization failed. Check if the endpoint is reachable and if your auth token is valid. More info: https://aka.ms/cosmosdb-tsg-service-unavailable-java
at com.azure.cosmos.implementation.RxDocumentClientImpl.initializeGatewayConfigurationReader(RxDocumentClientImpl.java:401)
.......
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
[2022-05-20 10:37:45,095] WARN [8e2a220b, L:/172.25.0.6:57076 ! R:/192.168.154.131:443] The connection observed an error (reactor.netty.http.client.HttpClientConnect)
shaded.io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at shaded.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
..........
at shaded.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
at shaded.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at shaded.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
.........
at shaded.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1283)
at shaded.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
at shaded.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
.....................
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 37 more
I have exported the cosmos emulator .cer file using this article.
How to install it in the Docker container "kafka-connect"?
Can you post your curl request?
You need to use the -k flag to denote that it’s insecure.
curl -k https://{emulatoripaddr}:8081/_explorer/emulator.pem > emulatorcert.crt
It needs to be .crt
Then copy it to
/usr/local/share/ca-certificates/
Then install it
update-ca-certificates
Additionally you can mount a volume to the cosmos folder and save the .pem manually… /tmp/cosmos/appdata
i have CA cert password protected in my docker. How can i supply the password. I can't even go into my docker to set the password of ssl based on reference from
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html#generate-certificates
where i need do below
/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add
xpack.security.transport.ssl.truststore.secure_password
Exception
"Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]",
"Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager",
"Caused by: java.io.IOException: keystore password was incorrect",
"Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.",
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[keystore password was incorrect]; nested: UnrecoverableKeyException[failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.];
Likely root cause: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
SSHLauncher{host='172.31.45.245', port=22, credentialsId='1', jvmOptions='', javaPath='', prefixStartSlaveCmd='', suffixStartSlaveCmd='', launchTimeoutSeconds=60, maxNumRetries=10, retryWaitTime=15, sshHostKeyVerificationStrategy=hudson.plugins.sshslaves.verifiers.NonVerifyingKeyVerificationStrategy, tcpNoDelay=true, trackCredentials=true}
[03/24/21 16:14:07] [SSH] Opening SSH connection to 172.31.45.245:22.
[03/24/21 16:14:07] [SSH] WARNING: SSH Host Keys are not being verified. Man-in-the-middle attacks may be possible against this connection.
ERROR: Server rejected the 1 private key(s) for ubuntu (credentialId:1/method:publickey)
[03/24/21 16:14:07] [SSH] Authentication failed.
Authentication failed.
[03/24/21 16:14:07] Launch failed - cleaning up connection
[03/24/21 16:14:07] [SSH] Connection closed
Try by changing the below settings in each of the slave machine.
Host Key Verification Strategy - Non Verifying Verification Strategy
Jenkins-43062
CloudBees Snippet
We are trying to establish a grpcs (TLS) connection between a docker container running API server (based on Node.js) and another docker container running peer0 from Fabric network.
All containers are orchestated by docker swarm, and both containers happen to be running on the same Linux host.
The error log thrown by API container is the following:
2021-01-07T18:27:38.110Z - error: [Remote.js]: Error: Failed to
connect before the deadline URL:grpcs://10.0.1.2:9051 Query has
completed, checking results error from query = { Error: Failed to
connect before the deadline URL:grpcs://10.0.1.2:9051
at checkState (/usr/src/app/node_modules/grpc/src/client.js:833:16) connectFailed:
true } sampleEvent ERROR : Error: 14 UNAVAILABLE: Connect Failed E0107
18:27:53.602719124 16 ssl_transport_security.cc:1229] Handshake
failed with fatal error SSL_ERROR_SSL: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed.
And the error log thrown from peer0 is:
2021-01-07 18:50:22.224 UTC [core.comm] ServerHandshake -> ERRO 043 TLS handshake failed with error EOF server=PeerServer remoteaddress=10.0.1.4:46212
IP addresses layout
IP address for API container is 10.0.1.94
IP address for peer0 container is 10.0.1.3
virtual IP address for docker service peer0 is 10.0.1.2
IP address for docker swarm load balancer endpoint is 10.0.1.4
Any suggestion of where to further troubleshoot? At this point is not clear if the problem is with the docker swarm internal networking, or an issue with ssl certificates in either side of the network.
UPDATE Feb 2 2021
The original TLS handshake error was fixed by upgrading the javascript used in NodeSDK. Among other things we started using the addToWallet.js script contained in the commercial-paper example
After being able to stablish TLS succesfully between Node.js API and peer0, we get a new access denied error when making a simple query to chaincode_example02
Facts:
We are running the query with 2 Admin users
One Admin is first-network original Admin#org1.example.com, with credentials generated by cryptogen tool
The other Admin is Admin#buyer.dlt.com whose credentials were created with openssl and a self signed in-company CA
From CLI, both Admin are good and are allowed to run peer commands interchangeably
From Node.js app, only Admin#org1.example.com is allowed to run queries. The message printed to console.log is:
Transaction has been evaluated, result is: 100
When running queries with Admin#buyer.dlt.com we get the following error logs:
Error logs from peer0#buyer.dlt.com
2021-02-02T04:08:45.291086617Z ^[[36m2021-02-02 04:08:45.290 UTC [protoutils] checkSignatureFromCreator -> DEBU 6e637^[[0m creator is &{BuyerMSP 8b7cc2ee996be4f7e5dbb1a4f64db67afd2ff8a2f41276c9bd7f33a2447dd9df}
2021-02-02T04:08:45.291094817Z ^[[36m2021-02-02 04:08:45.290 UTC [protoutils] checkSignatureFromCreator -> DEBU 6e638^[[0m creator is valid
2021-02-02T04:08:45.291100418Z ^[[36m2021-02-02 04:08:45.290 UTC [msp.identity] 2021-02-02T04:08:45.303821799Z ^[[33m2021-02-02 04:08:45.303 UTC [protoutils] ValidateProposalMessage -> WARN 6e63b^[[0m channel [mychannel]: creator's signature over the proposal is not valid: The signature is invalid
2021-02-02T04:08:45.303891604Z ^[[36m2021-02-02 04:08:45.303 UTC [endorser] func1 -> DEBU 6e63c^[[0m Exit: request from 10.0.1.84:52696
2021-02-02T04:08:45.303902005Z ^[[34m2021-02-02 04:08:45.303 UTC [comm.grpc.server] 1 -> INFO 6e63d^[[0m unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.peer_address=10.0.1.84:52696 error="access denied: channel [mychannel] creator org [BuyerMSP]" grpc.code=Unknown grpc.call_duration=13.783655ms
Error log on console.log from script query.js:
2021-02-02T04:08:45.305Z - error: [Channel.js]: Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [BuyerMSP]
2021-02-02T04:08:45.307Z - error: [Network]: _initializeInternalChannel: Unable to initialize channel. Attempted to contact 1 Peers. Last error was Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [BuyerMSP]
Failed to evaluate transaction: Error: Unable to initialize channel. Attempted to contact 1 Peers. Last error was Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [BuyerMSP]
In the end, this issue turned out to be two issues, in a 'russian doll like' style.
1. First issue: TLS Handshake error
This was fixed by upgrading the SDK library to the latest release
2. Second issue: Node SDK query triggers error "The signature is invalid".
The reason turned out to be that the CLI (written on Go) is using the Go crypto support which allows it to generate a signature from a hash without any knowledge of the curve used for the key. Instead, the SDK libraries used by the Node implementation require a specific curve to be specified by the code generating the signature, separately from the private key itself.
Bottom line, private keys used within Node SDK should be P-256.
As an alternative, as suggested by hyperledger dev team:
If you really must use a curve other than P-256 then you might be able
to use one of the following approaches:
-Use the off-line signing approach included in the documentation but specify an alternative curve instead of 'p256'. The supported curves
for the elliptic package documented here:
https://github.com/indutny/elliptic
-Set your own CryptoSuite implementation on the Client that underpins the Gateway object, with your own CryptoSuite.sign() implementation:
https://hyperledger.github.io/fabric-sdk-node/release-2.2/CryptoSuite.html#sign
I'm not sure of what the proper steps are for configuring the Jenkins master to build/deploy these jobs to a new slave, and how to set up the new slave, but it is giving an error. For instance, do I need to install anything on the new slave, or do any kind of setup/config? & I'm configuring on Ubuntu OS.
just before slave node1 gets launched ...
executing pre-launch scripts ...
[06/25/15 13:06:55] [SSH] Opening SSH connection to 192.168.4.153:22.
ERROR: Server rejected the 1 private key(s) for jenkins (credentialId:fd3affc2-25a4-4b24-9e21-275badb8b6d9/method:publickey)
ERROR: Failed to authenticate as jenkins with credential=fd3affc2-25a4-4b24-9e21-275badb8b6d9
java.io.IOException: Publickey authentication failed.
at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:315)
at com.trilead.ssh2.Connection.authenticateWithPublicKey(Connection.java:467)
at com.cloudbees.jenkins.plugins.sshcredentials.impl.TrileadSSHPublicKeyAuthenticator.doAuthenticate(TrileadSSHPublicKeyAuthenticator.java:109)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:408)
at com.cloudbees.jenkins.plugins.sshcredentials.SSHAuthenticator.authenticate(SSHAuthenticator.java:428)
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1173)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Decrypted PEM has wrong padding, did you specify the correct password?
at com.trilead.ssh2.crypto.PEMDecoder.removePadding(PEMDecoder.java:110)
at com.trilead.ssh2.crypto.PEMDecoder.decryptPEM(PEMDecoder.java:287)
at com.trilead.ssh2.crypto.PEMDecoder.decode(PEMDecoder.java:320)
at com.trilead.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:224)
... 11 more
[06/25/15 13:06:55] [SSH] Authentication failed.
hudson.AbortException: Authentication failed.
at hudson.plugins.sshslaves.SSHLauncher.openConnection(SSHLauncher.java:1178)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:701)
at hudson.plugins.sshslaves.SSHLauncher$2.call(SSHLauncher.java:696)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[06/25/15 13:06:55] Launch failed - cleaning up connection
[06/25/15 13:06:55] [SSH] Connection closed.
This article explains how to connect a slave to the master using the master public ssh key:
https://www.caktusgroup.com/blog/2012/01/10/configuring-jenkins-slave/
To resume:
Generate a public SSH key on the master: ssh-keygen -t rsa (with no paraphrase)
Copy the public master key from .ssh/id_rsa.pub
On the slave, paste the public key in /home/jenkins/.ssh/authorized_keys (if /home/jenkins is your home folder)
Please confirm it solves your issue.
The real issue in question is Caused by: java.io.IOException: Decrypted PEM has wrong padding, did you specify the correct password? so there maybe mistake in private key text or wrong passphrase.
In my case I've got an error PEM problem: it is of unknown type with key which looks like valid:
-----BEGIN RSA PRIVATE KEY-----
...
...
-----END RSA PRIVATE KEY----
but it's not valid because I've lost last "-" character when copy/paste private key from terminal, so the right form should be:
-----BEGIN RSA PRIVATE KEY-----
...
...
-----END RSA PRIVATE KEY-----
The .ssh directory on the agent must have proper access permissions so that group and others do not have write permissions. The following command should make it work:
chmod 700 ~/.ssh