Installing Eclipse Plug-ins from an Update Site with a self-signed certificate

Overview

This article describes how to install Eclipse plug-ins from an update site (p2 repository) that is served over HTTPS with a self-signed TLS certificate.

The Problem

If you try to connect to a p2 repository on a server with a self-signed certificate, you will more than likely hit the following error.

Looking closely at the log, you will see:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
 at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
 at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
 at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
 at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
 at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:150)
 at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
 at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:575)
 at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
 at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
 at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
 at org.eclipse.ecf.provider.filetransfer.httpclient4.HttpClientFileSystemBrowser.runRequest(HttpClientFileSystemBrowser.java:263)
 at org.eclipse.ecf.provider.filetransfer.browse.AbstractFileSystemBrowser$DirectoryJob.run(AbstractFileSystemBrowser.java:69)
 at org.eclipse.core.internal.jobs.Worker.run(Worker:53)


Because the certificate was not issued by a CA the JVM already trusts (it chains to nothing in the default truststore), it cannot be verified for authenticity, and the transport layer rejects the connection.

Solution

While Eclipse and p2 don't offer any support for this out of the box, you can get around the problem by importing the certificate itself (or the root certificate that issued it) into a truststore on your machine, and then pointing Eclipse at that truststore when it starts. Only import a certificate whose fingerprint you have confirmed out of band (with the server's administrator, for example): whatever you put in the truststore becomes a trust anchor for every HTTPS connection the JVM makes with it.

To import a certificate into a custom truststore:

keytool -import -alias custom-ssl -file my-custom-cert.cer -keystore ~/custom.truststore

keytool prompts for a password for the new truststore, prints the certificate's owner, issuer and fingerprints, and asks whether to trust it; compare the fingerprint with the one the server's administrator gives you before answering yes.

Then add the following arguments to your eclipse.ini file, after the -vmargs line (anything before -vmargs goes to the launcher rather than to the JVM), filling in the path and password you used with keytool:

-Djavax.net.ssl.trustStore=
-Djavax.net.ssl.trustStorePassword=


When you connect to the update site (p2 repository), the transport layer will now be able to validate the self-signed certificate. If the site also requires authentication, you will be prompted for a username and password.

Pro-Tip

A common question is how to get the certificate to add to the truststore. While you could ask your system administrator for it, the certificate is public and you can fetch it directly from the web server. Bear in mind that fetching it this way trusts whatever the network delivers on that one connection, so still compare its fingerprint against a value obtained some other way before you import it:

echo -n | openssl s_client -connect HOST:PORTNUMBER -servername HOST 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > my-custom-cert.cer
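As an added example (not part of the original post, and not Eclipse or p2 code), the following Python script does the same extraction as the sed one-liner above, computes the SHA-256 fingerprint you should confirm with the server's administrator before running keytool, and writes the two -D properties into eclipse.ini after -vmargs as the Solution section requires. It runs offline against a constructed stand-in for s_client output: the host name updates.example.internal, the truststore path and the password are placeholders, and the base64 body encodes a marker string rather than a real certificate. fetch_server_cert is the only function that touches the network, and the sample run does not call it.

```python
# Added example for this post's self-signed update-site workflow; not Eclipse
# or p2 code. Host name, paths and password below are placeholders.
import base64
import hashlib
import hmac
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def fetch_server_cert(host: str, port: int = 443) -> str:
    """Live path: fetch the server's leaf certificate as PEM. Like `openssl
    s_client` this does no verification (it cannot, the cert is self-signed),
    which is why the fingerprint must be checked out of band before import."""
    return ssl.get_server_certificate((host, port))


def extract_first_pem(s_client_output: str) -> str:
    """Pull the first PEM certificate block out of s_client output, the job
    the sed range expression in the post does."""
    match = PEM_RE.search(s_client_output)
    if match is None:
        raise ValueError("no certificate block found in s_client output")
    body = match.group(1).strip()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def der_bytes(pem: str) -> bytes:
    """Decode the PEM body back to DER; fingerprints are taken over DER."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint in the colon-separated form that
    `openssl x509 -noout -fingerprint -sha256` and keytool print."""
    hexdigest = hashlib.sha256(der_bytes(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare with a fingerprint obtained some other way (e.g. from the
    server admin). Ignores case and separators; constant-time compare."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return hmac.compare_digest(norm(sha256_fingerprint(pem)), norm(expected))


TRUST_PROPS = ("-Djavax.net.ssl.trustStore=", "-Djavax.net.ssl.trustStorePassword=")


def add_truststore_args(ini_text: str, truststore: str, password: str) -> str:
    """Return eclipse.ini text with both properties placed after -vmargs.
    The launcher hands everything after -vmargs to the JVM; a -D option before
    -vmargs is taken as a launcher argument and silently ignored. Existing
    copies of the two lines are dropped first, so the call is idempotent."""
    lines = [ln for ln in ini_text.splitlines() if not ln.startswith(TRUST_PROPS)]
    if "-vmargs" not in lines:
        lines.append("-vmargs")
    lines.append(f"{TRUST_PROPS[0]}{truststore}")
    lines.append(f"{TRUST_PROPS[1]}{password}")
    return "\n".join(lines) + "\n"


# Constructed stand-in for `openssl s_client` output. The base64 body encodes
# a marker string, NOT a real DER certificate, so the script runs offline.
SAMPLE_DER = b"constructed stand-in for DER bytes, not a real X.509 certificate"
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = updates.example.internal\n"
    "verify error:num=18:self signed certificate\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = updates.example.internal\n"
    "   i:CN = updates.example.internal\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
    "---\n"
    "DONE\n"
)

if __name__ == "__main__":
    pem = extract_first_pem(SAMPLE_S_CLIENT_OUTPUT)
    print("fingerprint to confirm with the admin:", sha256_fingerprint(pem))
    # Placeholder path and password: use the ones you gave keytool.
    print(add_truststore_args("-vmargs\n-Xmx1g\n", "/home/me/custom.truststore", "changeit"))
```

Run it as-is to see the output format, or replace the sample with fetch_server_cert(host, port) for a live server. The fingerprint it prints is the value to compare with what the administrator reports from the server's own copy of the certificate (openssl's x509 -fingerprint -sha256 option prints the same form), or with the SHA256 line keytool shows before asking "Trust this certificate?". Note that eclipse.ini then holds the truststore password in clear text, so keep that file readable only by you.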


Special thanks to Gunnar Wagenknecht, David Williams and Markus Knauer for the help they gave me with this problem.

If anybody has any other suggestions for how they deal with self-signed certificates in Eclipse or Java, please feel free to leave a comment (or ping me on twitter @irbull).

2 Comments
  • Mark Phippard
    Posted at 20:30, 2013-04-19

    The only thing I do differently is that I usually import the certificate into the default keystore of the JVM, which is the jre/lib/security/cacerts file. You then do not need to change the start params for Eclipse.

    I also usually use -trustcacerts when I import the cert, but maybe that is not necessary.