Installing Eclipse Plug-ins from an Update Site with a self-signed certificate

April 19, 2013

Overview

This article describes how to install Eclipse plug-ins from an update site (p2 repository) that is hosted on an HTTP(s) server with a self-signed (SSL) certificate.

The Problem

If you try and connect to a p2 repository on a server with a self-signed cert, you will more than likely hit the following error.

Look closely at the log and you will see:

```
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
 at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
 at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
 at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
 at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
 at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:150)
 at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
 at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:575)
 at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
 at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
 at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
 at org.eclipse.ecf.provider.filetransfer.httpclient4.HttpClientFileSystemBrowser.runRequest(HttpClientFileSystemBrowser.java:263)
 at org.eclipse.ecf.provider.filetransfer.browse.AbstractFileSystemBrowser$DirectoryJob.run(AbstractFileSystemBrowser.java:69)
 at org.eclipse.core.internal.jobs.Worker.run(Worker:53)
```

Because this certificate was not issued by a ‘trusted’ source, and thus cannot be verified for authenticity, the transport layer rejects it.

Solution

While Eclipse and p2 don’t offer any nice support out of the box, you can easily get around this problem by installing the root certificate (or the certificate itself) into a truststore on your machine, and then using that truststore when starting Eclipse.

To install a certificate into a custom trust store, simply:

```sh
keytool -import -alias custom-ssl -file my-custom-cert.cer -keystore ~/custom.truststore
```

Now, when you start Eclipse, add the following arguments to your eclipse.ini file.

```
-Djavax.net.ssl.trustStore=
-Djavax.net.ssl.trustStorePassword=
```

When you connect to the update site (p2 repository), the transport layer will be able to validate the self-signed certificate. If the site requires authentication you will even be prompted for a username / password:

Pro-Tip

A common question is how do you get the certificate to add to the trust store. While you could contact your system administrator and ask for the cert, it’s actually much easier than that. The certificate is public, and you can fetch it directly from your web server:

```sh
echo -n | openssl s_client -connect HOST:PORTNUMBER | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > my-custom-cert.cer
```

Special thanks to Gunnar Wagenknecht, David Williams and Markus Knauer for the help they gave me with this problem.

If anybody has any other suggestions for how they deal with self-signed certificates in Eclipse or Java, please feel free to leave a comment (or ping me on twitter @irbull).
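The fetch in the Pro-Tip accepts whatever certificate the server presents on that one connection, so the trust store is only as trustworthy as that connection was. The script below is an added example, not part of the original post: it repeats the fetch, compares the certificate's SHA-256 fingerprint with one obtained out of band (for example from the server administrator), and runs the article's `keytool` import only on a match. The function names and argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pin a fetched certificate to a fingerprint obtained out of
# band before importing it. Function names here are illustrative.

# Reduce "sha256 Fingerprint=AB:CD:..." or plain hex to bare upper-case hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Print only the first PEM certificate found on stdin.
first_pem() {
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sed '/-END CERTIFICATE-/q'
}

# Normalized SHA-256 fingerprint of the PEM certificate in file $1.
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# fetch_and_pin HOST PORT EXPECTED_FP TRUSTSTORE
# Returns 1 if no certificate was received, 2 on fingerprint mismatch.
fetch_and_pin() {
    pem=$(mktemp) || return 1
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | first_pem > "$pem"
    if [ ! -s "$pem" ]; then
        echo "no certificate received from $1:$2" >&2
        rm -f "$pem"; return 1
    fi
    got=$(cert_fp "$pem")
    want=$(normalize_fp "$3")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: got '$got', expected '$want'" >&2
        rm -f "$pem"; return 2
    fi
    # Same import as in the article, run only after the fingerprint matched.
    keytool -import -alias custom-ssl -file "$pem" -keystore "$4"
    rc=$?
    rm -f "$pem"
    return $rc
}

# Run only when invoked with all four arguments.
if [ "$#" -eq 4 ]; then
    fetch_and_pin "$@"
fi
```

The expected fingerprint can be given in either the colon-separated form printed by `openssl x509 -fingerprint -sha256` or as plain hex.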

Ian Bull


Ian is an Eclipse committer and EclipseSource Distinguished Engineer with a passion for developer productivity.

He leads the J2V8 project and has served on several …