[IGBF-2964] Investigate: “This feature is not reachable” error - JIRA UNCC

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: None
Labels:
None

Story Points:
2
Epic Link:
Build Track Hub converter
Sprint:
Fall 4 2021 Sep 27 - Oct 8, Fall 5 2021 Oct 11 - Oct 22, Fall 6 2021 Oct 25 - Nov 5

Description

See comment in ~~IGBF-2948~~:

IGB reports “This feature is not reachable” error even though the file is reachable in a Web browser.

Attachments

Issue Links

relates to

IGBF-3000 Investigate the different SSL configurations available through Let's Encrypt

Closed

IGBF-3001 Handle data sources with improper SSL certificates

Closed

IGBF-2948 Attempt to convert and load each track hub featured in the table interface

Closed

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Philip Badzuh (Inactive) added a comment - 15/Oct/21 6:08 PM - edited

In this case of this issue, HttpURLConnection is returning an HTTP status code of -1, which indicates that 'no code can be discerned from the response (i.e., the response is not valid HTTP).'
The specific exception causing this is 'java.security.cert.CertificateException: No subject alternative DNS name matching {HOST}
found.' This seems to be an SSL validation related issue, so we be able to avoid this error by altering the current HTTPS connection configuration.
More useful info here.

Show

Philip Badzuh (Inactive) added a comment - 15/Oct/21 6:08 PM - edited In this case of this issue, HttpURLConnection is returning an HTTP status code of -1, which indicates that 'no code can be discerned from the response (i.e., the response is not valid HTTP).' The specific exception causing this is 'java.security.cert.CertificateException: No subject alternative DNS name matching {HOST} found.' This seems to be an SSL validation related issue, so we be able to avoid this error by altering the current HTTPS connection configuration. More useful info here .

4 older comments

Hide

Permalink

Ann Loraine added a comment - 28/Oct/21 5:16 AM

Thank you for the very clear discussion.
I have a an additional questions regarding how the interaction between the server and client when the client is curl or a Web browser. How do you know that they are obtaining the correct certificate? Is it because the browser and curl accept the authenticity?

Show

Ann Loraine added a comment - 28/Oct/21 5:16 AM Thank you for the very clear discussion. I have a an additional questions regarding how the interaction between the server and client when the client is curl or a Web browser. How do you know that they are obtaining the correct certificate? Is it because the browser and curl accept the authenticity?

Hide

Permalink

Philip Badzuh (Inactive) added a comment - 28/Oct/21 2:09 PM

Using the browser, you can inspect the certificate being used by clicking on the lock to the left of the URL. When using CURL, the -v flag can be passed for verbose output, which includes basic updates of the SSL handshake steps, including details about the certificate being used.

Show

Philip Badzuh (Inactive) added a comment - 28/Oct/21 2:09 PM Using the browser, you can inspect the certificate being used by clicking on the lock to the left of the URL. When using CURL, the -v flag can be passed for verbose output, which includes basic updates of the SSL handshake steps, including details about the certificate being used.

Hide

Permalink

Ann Loraine added a comment - 29/Oct/21 10:21 AM - edited

I'm confused about there being multiple certificates returned by the site. My understanding from having requested and installed certificates is that you only get one! And you can often purchase a "star" certificate that will cover every subdomain, e.g., foo.bioviz.org or bar.bioviz.org would be validated the same "star" certificate.

However, looking at the above certificates mentioned in the previous comments, it looks like the site is using a public service ("let's encrypt") that provides certificates for free, in some kind of dynamic way. I wonder if the site's configuration is messed up or incorrect in a minor way that affects IGB and openssl, but not the other applications, explaining why the site maintainers perhaps never noticed the problem. For this latter task, let's make a new ticket to investigate "let's encrypt".

Maybe we ought to investigate how the "let's encrypt" configuration is done? Also, [~aloraine] is interested in how "let's encrypt" works in case we want to use for our Web applications, as well. Why? It's because the lab has multiple domains, for only a few of which do we currently purchase certificates, as they are costly. If we knew how to use "let's encrypt," we could provide SSL level security for every site, not just "bioviz" and the few others for which we purchase certificates.

Show

Ann Loraine added a comment - 29/Oct/21 10:21 AM - edited I'm confused about there being multiple certificates returned by the site. My understanding from having requested and installed certificates is that you only get one! And you can often purchase a "star" certificate that will cover every subdomain, e.g., foo.bioviz.org or bar.bioviz.org would be validated the same "star" certificate. However, looking at the above certificates mentioned in the previous comments, it looks like the site is using a public service ("let's encrypt") that provides certificates for free, in some kind of dynamic way. I wonder if the site's configuration is messed up or incorrect in a minor way that affects IGB and openssl, but not the other applications, explaining why the site maintainers perhaps never noticed the problem. For this latter task, let's make a new ticket to investigate "let's encrypt". Maybe we ought to investigate how the "let's encrypt" configuration is done? Also, [~aloraine] is interested in how "let's encrypt" works in case we want to use for our Web applications, as well. Why? It's because the lab has multiple domains, for only a few of which do we currently purchase certificates, as they are costly. If we knew how to use "let's encrypt," we could provide SSL level security for every site, not just "bioviz" and the few others for which we purchase certificates.

Hide

Permalink

Ann Loraine added a comment - 29/Oct/21 10:23 AM - edited

To solve the immediate problem, I agree ([~aloraine]) that you should do this: "allow all certificates that have the same domain and TLD, regardless of subdomain".

Make new tickets for these new tasks.

Show

Ann Loraine added a comment - 29/Oct/21 10:23 AM - edited To solve the immediate problem, I agree ( [~aloraine] ) that you should do this: "allow all certificates that have the same domain and TLD, regardless of subdomain". Make new tickets for these new tasks.

Hide

Permalink

Philip Badzuh (Inactive) added a comment - 01/Nov/21 2:05 PM

I have made new tickets for these tasks in ~~IGBF-3000~~ and ~~IGBF-3001~~. Closing this issue.

Show

Philip Badzuh (Inactive) added a comment - 01/Nov/21 2:05 PM I have made new tickets for these tasks in IGBF-3000 and IGBF-3001 . Closing this issue.

People

Assignee:

Philip Badzuh (Inactive)

Reporter:

Ann Loraine

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

29/Sep/21 10:52 AM

Updated:

01/Nov/21 2:05 PM

Resolved:

01/Nov/21 2:05 PM