Make Che Theia respecting self-signed certificate #13574

Closed
sleshchenko opened this issue Jun 19, 2019 · 1 comment

sleshchenko commented Jun 19, 2019

Description

Theia fails to request Che Server if Che is deployed in a secure manner with a self-signed certificate.

It's a subtask of #12634.

Reproduction Steps

  1. Deploy Che with self-signed certificates.
    ocp.sh may be used to do it:
    ./ocp.sh --run-ocp --deploy-che --multiuser --secure --no-pull --setup-ocp-oauth
  2. Create a Che 7 workspace with Che Theia as the editor.
    Java Maven Che 7 Devfile:
---
apiVersion: 1.0.0
metadata:
  name: java-maven
projects:
  -
    name: console-java-simple
    source:
      type: git
      location: "https://github.com/che-samples/console-java-simple.git"
components:
  -
    type: chePlugin
    id: redhat/java/latest
  -
    type: dockerimage
    alias: maven
    image: maven:3.6.0-jdk-11
    command: ['sleep']
    args: ['infinity']
    env:
      - name: MAVEN_CONFIG
        value: /home/user/.m2
      - name: MAVEN_OPTS
        value: "-XX:MaxRAMPercentage=50 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10
          -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90
          -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom
          -Duser.home=/home/user"
      - name: JAVA_OPTS
        value: "-XX:MaxRAMPercentage=50 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10
          -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90
          -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom"
      - name: JAVA_TOOL_OPTIONS
        value: "-XX:MaxRAMPercentage=50 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10
          -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90
          -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom"
      - name: PS1
        value: $(echo ${0})\\$
      - name: HOME
        value: /home/user
    memoryLimit: 512Mi
    endpoints:
      - name: '8080/tcp'
        port: 8080
    mountSources: true
    volumes:
      - name: m2
        containerPath: /home/user/.m2
commands:
  -
    name: maven build
    actions:
      -
        type: exec
        command: "mvn -Duser.home=${HOME} -f ${CHE_PROJECTS_ROOT}/console-java-simple clean install"
        component: maven
  -
    name: maven build and run
    actions:
      -
        type: exec
        command: "mvn -Duser.home=${HOME} -f ${CHE_PROJECTS_ROOT}/console-java-simple clean install && java -jar ${CHE_PROJECTS_ROOT}/console-java-simple/target/*.jar"
        component: maven
  3. Try to start any task.
    Expected: It's possible to run a task configured in the Devfile.
    Actual: It's not possible to run a task because Theia failed to request the workspace configuration.

OS and version:

Diagnostics:
Screenshot_20190619_113628

More Theia Logs:
root ERROR Request currentWorkspace failed with error:  
root INFO { status: NaN,
  name: 'Error',
  message: 'self signed certificate in certificate chain',
root INFO Error: Request 'currentWorkspace' failed
    at Proxy.<anonymous> (https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:1817030 )
    at e.$getCurrentWorkspace (https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/che.29e20d2f1e85def7bab8.js:1:106912 )
    at e.doInvokeHandler (https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:1949336 )
    at e.invokeHandler (https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:1949064 )
    at e.receiveRequest (https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:1948196 )
    at e.receiveOneMessage (https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:1947669 )
    at https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:1946431 
    at https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:1949685 
    at https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:3902808 
    at e.invoke (https://routem48k53ol-workspacea7wre8h1zr17aybn.10.33.177.202.nip.io/theia.3cc98bc95beaa0ed18a8.js:1:3903026 )
root INFO [hosted-plugin: 58] PLUGIN_HOST(58): PluginManagerExtImpl/loadPlugin(/tmp/theia-unpacked/eclipse_che_theia_containers_plugin.theia/lib/containers-plugin.js)

root INFO [hosted-plugin: 58] PLUGIN_HOST(58): PluginManagerExtImpl/loadPlugin(/tmp/theia-unpacked/eclipse_che_theia_factory_plugin.theia/lib/factory-plugin.js)

root INFO [hosted-plugin: 58] PLUGIN_HOST(58): PluginManagerExtImpl/loadPlugin(/tmp/theia-unpacked/eclipse_che_theia_ssh_plugin.theia/lib/ssh-plugin-backend.js)

root INFO [hosted-plugin: 58] PLUGIN_HOST(58): PluginManagerExtImpl/loadPlugin(/tmp/theia-unpacked/eclipse_che_welcome_plugin.theia/lib/welcome-plugin.js)

root INFO [hosted-plugin: 58] PLUGIN_HOST(58): PluginManagerExtImpl/loadPlugin(/tmp/theia-unpacked/task_plugin.theia/lib/task-plugin-backend.js)


Detailed screencast:

https://youtu.be/8z8WXA82G28

Implementation notes:
Che Server mounts the /tmp/che/secret/ca.crt file with the public part of the self-signed certificates into all workspace containers if it's configured.

@sleshchenko sleshchenko added the kind/enhancement A feature request - must adhere to the feature request template. label Jun 19, 2019
@l0rd l0rd added severity/P1 Has a major impact to usage or development of the system. team/ide2 labels Jun 19, 2019

l0rd commented Jun 19, 2019

@sleshchenko thanks for that analysis. @evidolob @ashumilova I am tagging it with team/ide2

@slemeur I have labelled it as SEV1 but I would consider that for 7.1.0 not as a blocker for GA

@AndrienkoAleksandr AndrienkoAleksandr self-assigned this Jun 20, 2019
@l0rd l0rd mentioned this issue Jun 27, 2019
85 tasks
@l0rd l0rd added severity/blocker Causes system to crash and be non-recoverable or prevents Che developers from working on Che code. target/che7GA and removed severity/P1 Has a major impact to usage or development of the system. labels Jun 27, 2019
@l0rd l0rd added this to the 7.0.0 milestone Jun 27, 2019
@evidolob evidolob closed this as completed Jul 2, 2019
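
An added example, not code from this issue or from Che or Theia: one way a Node.js client could trust the CA file named in the implementation notes while keeping certificate verification on, shown beside the weak setting that disables it. The function names are hypothetical, and the error codes matched in `classifyTlsError` are Node's codes for the logged message, assumed here because the log shows only the message text.

```javascript
// Added example, not Che or Theia source. CHE_CA_PATH comes from the issue's
// implementation notes; every function name below is hypothetical.
const fs = require('fs');
const tls = require('tls');
const https = require('https');

const CHE_CA_PATH = '/tmp/che/secret/ca.crt';
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Weak setting sometimes used to silence the error: it accepts any
// certificate, so credentials sent with the request reach whoever answers it.
const INSECURE_TLS_OPTIONS = Object.freeze({ rejectUnauthorized: false });

// Corrected setting: keep verification on and add the mounted CA.
// Passing `ca` replaces Node's default trust store, so the bundled roots
// are appended to keep requests to publicly trusted hosts working.
function buildTlsOptions(caPath = CHE_CA_PATH) {
  const options = { rejectUnauthorized: true };
  if (!fs.existsSync(caPath)) return options; // nothing mounted: default roots only
  const certs = fs.readFileSync(caPath, 'utf8').match(PEM_CERT);
  if (!certs) throw new Error(`${caPath} contains no PEM certificate`);
  options.ca = [...certs, ...tls.rootCertificates];
  return options;
}

// Agent to hand to the HTTP client (axios accepts it as `httpsAgent`).
function createCheAgent(caPath = CHE_CA_PATH) {
  return new https.Agent(buildTlsOptions(caPath));
}

// Map a failed request to its cause so logs point at trust configuration
// rather than at the workspace API.
function classifyTlsError(err) {
  const code = err && err.code;
  const message = (err && err.message) || '';
  if (code === 'SELF_SIGNED_CERT_IN_CHAIN' ||
      code === 'DEPTH_ZERO_SELF_SIGNED_CERT' ||
      /self.signed certificate/i.test(message)) {
    return 'untrusted-ca';
  }
  return 'other';
}
```

For processes whose HTTP clients cannot be given an agent, Node also reads extra CA files from the `NODE_EXTRA_CA_CERTS` environment variable, which has to be set before the process starts.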