Hi,
I tried to add a news RSS feed to the project (swingx), but ended up with "The server could not be reached. Is the URL correct?"
The URL is valid and works, as you can check for yourself - https://swinglabs.dev.java.net/servlets/ProjectNewsRSS
Could that be because of the https protocol?
It looks like the problem is with the certificate. A browser seems to ignore the certificate issue, but our code is failing. You can reproduce the problem with curl:
$ curl https://swinglabs.dev.java.net/servlets/ProjectNewsRSS
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
I'm no SSL genius, but I think you are using a certificate that is not signed by a well-known certificate authority. Is this a self-signed certificate?
I've got nothing to do with the certificate. The feed is coming from the java.net site, which is AFAIK maintained jointly by Sun and O'Reilly. But I can try to probe the admins of the site to see if they know about the problem. Thanks for explaining the issue.
I had the same problem a while back (see http://www.ohloh.net/forums/11/topics/449). I raised it on the Java.net forums. I got a response but they didn't seem to understand what I was asking:
https://java-net.dev.java.net/servlets/ProjectForumMessageView?forumID=978&messageID=20777
I gave up :(
Hi Robin,
The certificate issue has been fixed, and if I run curl now it works and doesn't complain about the certificate anymore; however, trying to add the feed to the project is still failing. Could you have a look at what is stopping it now? Could you also try curl again from your server? If it doesn't work for you then the problem is in the configuration at your end, it could be the certificate store or firewall or .... dunno. In case this can't be fixed, would it at least be possible to switch off certificate validation so the feeds can be registered? Ta.
Hmm, I want to help, but I don't have any new helpful information. I still get the same certificate verification error. What exactly do you mean when you say it was 'fixed'? Is it possible that your local machine has now been configured to accept this certificate?
Is there possibly something configured incorrectly on our end? It seems that one probable solution would be for us to configure all of our servers to accept the java.net certificate, although logistically I hesitate to go that route.
The certificate used by dev.java.net has been issued by Equifax Secure Global eBusiness CA-1. This is not a self-signed certificate. The Issuer field lists: CN = Equifax Secure Global eBusiness CA-1, O = Equifax Secure Inc., C = US. I think the problem is that your servers do not have the latest list of root CAs. Equifax is not recognized by default by some older Apache servers and/or curl installations ... you will need to import the root certificate ... the instructions are here: http://www.geotrust.com/resources/root_certificates/index.asp There are also instructions on how to update curl to the latest certificates here: http://mi6.ais.ucla.edu/index.php?id=66
From Ohloh's perspective, I see no reason why it should care about authenticating HTTPS servers. Ohloh has no interest in the security of the connection; it will just as happily use plain HTTP. If someone gives an HTTPS URL, for a repository, feed, or anything else, Ohloh should just retrieve it. What benefit does it give to reject unknown certificates here? Ohloh does not transmit sensitive information over the connection.
@Josh: Yes, I agree, I don't really care about the certificate validity, and we routinely ignore certificates for all of our source code downloads -- we have a custom build of Subversion for just this purpose.
However, in this case, the error is happening deep down in a Ruby library (OpenURI), and there's no trivial way I can find to turn off the certificate validation.
@rah003: I'm sure either by hacking the code or distributing new certificate information across our server farm (and our Mac development laptops) we can make this work, but we don't have time for everything. I'm sorry to give a negative response, but I must admit I'll have to append this to our very long list of Ohloh feature requests.
Hi, I've hit the same issue when adding a new RSS feed [1]. Could you please add the certificate of CACert [2] to the list of supported CAs?
With kind regards,
Jan
[1] https://projects.flaska.net/projects/trojita/activity.atom?show_issues=1
[2] http://www.cacert.org/index.php?id=3
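Added example, not part of the thread and not Ohloh's code: the two options discussed above (switch validation off, or import the missing root) have a middle path in Ruby, which is to keep verification on and hand the HTTP client a store that trusts one additional CA. The helper names and the host are hypothetical, and the CA and server certificate are constructed in-process as stand-ins for a root the system bundle lacks.

```ruby
require "openssl"
require "net/http"

# Build a throwaway certificate (constructed sample data, not a real CA).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Trust store holding only the CAs passed in (optionally plus the system bundle).
def trust_store(extra_cas = [], system_defaults: false)
  store = OpenSSL::X509::Store.new
  store.set_default_paths if system_defaults
  extra_cas.each { |ca| store.add_cert(ca) }
  store
end

# True when the certificate chains to a CA in the store.
def verifies?(store, cert)
  store.verify(cert)
end

# HTTPS client that still verifies the peer, but against our store.
# Net::HTTP.new does not open a connection, so this runs offline.
def feed_client(host, store)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER       # never VERIFY_NONE
  http.cert_store = store
  http
end

CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("Constructed Feed CA", CA_KEY, ca: true)
LEAF    = make_cert("feeds.example.test", OpenSSL::PKey::RSA.new(2048),
                    issuer_cert: CA_CERT, issuer_key: CA_KEY)

puts "unknown CA: #{verifies?(trust_store, LEAF)}"
puts "CA added:   #{verifies?(trust_store([CA_CERT]), LEAF)}"
```

In production the extra CA would be loaded from a PEM file with `OpenSSL::X509::Certificate.new(File.read(path))`, and `system_defaults: true` keeps the usual roots trusted as well.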