Unable to resolve artifact due to hostname verification

Solution Unverified - Updated -

Issue

We are having problems connecting BRMS with an Artifactory Repository hosted and provided with AWS + OCP (using SNI for SSL). The problem seems to be that the HttpClient library provided with BRMS doesn't support SNI requests. The stack trace is:

12:47:21,832 DEBUG [org.kie.scanner.MavenRepository] (EJB default - 7) Unable to resolve artifact: sample:test:1.0: org.eclipse.aether.resolution.ArtifactResolutionException: Could not transfer artifact sample:test:jar:1.0 from/to groupArtifactory (https://default.artifactory.eu-central.aws.test.com/artifactory/virtual_maven): hostname in certificate didn't match: <default.artifactory.eu-central.aws.test.com> != <www.example.com>
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:444) [aether-impl-1.0.0.v20140518.jar:]
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:246) [aether-impl-1.0.0.v20140518.jar:]
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:223) [aether-impl-1.0.0.v20140518.jar:]
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveArtifact(DefaultRepositorySystem.java:294) [aether-impl-1.0.0.v20140518.jar:]
    at org.kie.scanner.MavenRepository.resolveArtifact(MavenRepository.java:167) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.MavenRepository.resolveArtifact(MavenRepository.java:155) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.MavenRepository.resolveArtifact(MavenRepository.java:151) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.ArtifactResolver.resolveArtifact(ArtifactResolver.java:68) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.KieRepositoryScannerImpl.loadArtifact(KieRepositoryScannerImpl.java:153) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.kie.scanner.KieRepositoryScannerImpl.loadArtifact(KieRepositoryScannerImpl.java:149) [kie-ci-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
    at org.drools.compiler.kie.builder.impl.KieRepositoryImpl.loadKieModuleFromMavenRepo(KieRepositoryImpl.java:157) [drools-compiler-6.5.0.Final-redhat-12.jar:6.5.0.Final-redhat-12]
...
Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <default.artifactory.eu-central.aws.test.com> != <www.example.com>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:159) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:561) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:536) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.apache.http.impl.client.DecompressingHttpClient.execute(DecompressingHttpClient.java:158) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1]
    at org.eclipse.aether.transport.http.HttpTransporter.execute(HttpTransporter.java:279) [aether-transport-http-1.0.0.v20140518.jar:]
    at org.eclipse.aether.transport.http.HttpTransporter.implGet(HttpTransporter.java:235) [aether-transport-http-1.0.0.v20140518.jar:]
    at org.eclipse.aether.spi.connector.transport.AbstractTransporter.get(AbstractTransporter.java:59) [aether-spi-1.0.0.v20140518.jar:]
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask(BasicRepositoryConnector.java:447) [aether-connector-basic-1.0.0.v20140518.jar:]
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run(BasicRepositoryConnector.java:350) [aether-connector-basic-1.0.0.v20140518.jar:]
    ... 85 more

The request is not including the servername for SNI and is receiving an invalid certificate.

Some more testing showed that the same code works with HttpClient 4.5.3.
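
To confirm that a hostname mismatch like the one above comes from a missing SNI extension rather than a wrong certificate on the server, the following added example (not part of the original article or of any Red Hat tooling) handshakes with and without SNI and compares the certificate names each time. The function names are hypothetical, and it assumes the endpoint's certificate chains to a CA in the system trust store; otherwise the handshake raises an SSL verification error before any names are read.

```python
import socket
import ssl
import sys

def cert_dns_names(host, port=443, send_sni=True, timeout=10):
    """Return the DNS names in the certificate the server presents."""
    ctx = ssl.create_default_context()  # chain is still validated
    ctx.check_hostname = False          # names are compared by name_matches() instead
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname=None omits the SNI extension, like the failing client
        with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
            cert = tls.getpeercert()
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificates: fall back to the subject commonName
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(hostname, pattern):
    """Case-insensitive match with a left-most-label wildcard (simplified RFC 6125)."""
    h = hostname.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def classify(hostname, names_with_sni, names_without_sni):
    """Decide whether a mismatch is explained by the client omitting SNI."""
    ok_sni = any(name_matches(hostname, n) for n in names_with_sni)
    ok_plain = any(name_matches(hostname, n) for n in names_without_sni)
    if ok_sni and not ok_plain:
        return "sni-required"       # default certificate is served when SNI is absent
    if ok_sni and ok_plain:
        return "sni-not-required"
    return "certificate-mismatch"   # wrong even with SNI: server-side certificate problem

def diagnose(host, port=443):
    return classify(host, cert_dns_names(host, port, True), cert_dns_names(host, port, False))

if __name__ == "__main__" and len(sys.argv) > 1:
    print(diagnose(sys.argv[1]))
```

A result of `sni-required` matches the situation in the stack trace: the repository's certificate is correct, and the fix belongs on the client side (an HTTP client that sends the server name), not in relaxing hostname verification.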

Environment

  • Red Hat JBoss BPM Suite
    • 6.4.0
