Not able to post to Sentry using sentry-log4j2 and a spring-boot app

Hi,
I’m using a spring-boot app with log4j2 logging.
I therefore used sentry-log4j2 jar in my pom like so:


<dependency>
    <groupId>io.sentry</groupId>
    <artifactId>sentry-log4j2</artifactId>
    <version>1.7.22</version>
</dependency>

Also, configured log4j2 with the correct appender etc.

When my logs startup, I get the exception below.

I am using a cert that is issued by DigiCert CA.

Why is it not able to validate the cert?

Thanks!

2020-06-20T14:57:04,514 ERROR [sentry-pool-1-thread-2] i.s.c.AsyncConnection$EventSubmitter An exception occurred while sending the event to Sentry.
io.sentry.connection.ConnectionException: An exception occurred while submitting the event to the Sentry server.
at io.sentry.connection.HttpConnection.doSend(HttpConnection.java:216)
at io.sentry.connection.AbstractConnection.send(AbstractConnection.java:76)
at io.sentry.connection.AsyncConnection$EventSubmitter.run(AsyncConnection.java:185)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at io.sentry.connection.HttpConnection.doSend(HttpConnection.java:168)
… 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
… 16 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
… 22 more

Looks like your client cannot verify the HTTPS certificate for your Sentry server. If this is on sentry.io, it is 100% a bug, if this is your local install then you either need to get a publicly verifiable certification for your on-premise Sentry or add the certificate to the machine you are using Log4J SDK on.

Maybe @bruno-garcia may point us to a config or something for custom certs?

I am using a cert that is issued by DigiCert CA.

It should be working then, if the Java process has access to a cert store that trusts the chain of your cert.
Could you confirm the cert store does trust it?

The SDK doesn’t have any custom code to trust only sentry.io or something. It’s just Java doing its thing.

Thanks a lot for the responses!

Here are some points to note:

  1. My server runs on localhost. I connect to my server (from the browser) via SSL. For that I’ve created a DNS entry (myserver.xyz.com) to my static IP and the certificate I am using is based on myserver.xyz.com. So the browser works fine using the cert mapped to that DNS entry.

However, SentrySDK uses the same certificate but since it’s trying to push info upon server startup to the DSN, from my localhost, the domain name on the certificate will not match localhost.
Could that be the reason that Sentry finds the certificate invalid?

  2. The certificate I am using does NOT have a Digicert root CA as earlier stated. It is DST and I'm not sure if they are the same. Please see the certificate info below. As per Sentry docs, the cert needs to be issued by Digicert. Can you please confirm if the root CA on that cert as shown below, is good?

spring-boot git:(sentry-integration-log4j2) ✗ openssl pkcs12 -info -in src/main/resources/pankaj.p12
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 84 1D 70 83 11 DA C5 B3 10 D6 F5 6E 91 39 96 98 8D 4C 1C 79
subject=/CN=xxx.yyy.zzz
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 84 1D 70 83 11 DA C5 B3 10 D6 F5 6E 91 39 96 98 8D 4C 1C 79
Key Attributes:
Enter PEM pass phrase:

Thanks!

Not sure what you mean here but if the DSN has localhost in it but the certificate is for a real domain, Sentry SDK (well, any TLS check, really) would complain and stop.

I don’t know where we state this but there is no requirement for a specific root CA for TLS certificates. What the SDKs need is a root CA installed on and trusted by the system. Seems like you are using Let’s Encrypt which should be fine.

Thanks BYK!
The DSN I have does not have localhost in it.
It is what I got from the sentry console (client-keys).

What I was saying was, that since (during my development), I'm trying this from my localhost, and my .p12 cert is for myserver.xyz.com, could it be that the SDK that is pushing the logs to Sentry is not able to reconcile the cert (that is for myserver.xyz.com) against localhost (where the Sentry SDK is running)?
I did try mapping 127.0.0.1 to myserver.xyz.com in my /etc/hosts file on my mac, but that didn't help.

Understood (and relieved) to know that any root CA will work. So it’s not a cert issue.

I have the same problem, although in my case it is a Java application. I am using the below artifact.

<dependency>
    <groupId>io.sentry</groupId>
    <artifactId>sentry-log4j2</artifactId>
    <version>1.7.30</version>
</dependency>

Not doing anything special, just running

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

Logger logger = LogManager.getLogger(HelloWorld.class);
logger.info("Example log from {}", HelloWorld.class.getSimpleName());
logger.error("This is a test");

Then, I get the error:

[sentry-pool-1-thread-1] WARN io.sentry.connection.AbstractConnection.lockdown - Initiated a temporary lockdown because of exception: An exception occurred while submitting the event to the Sentry server.
[sentry-pool-1-thread-1] ERROR io.sentry.connection.AsyncConnection - An exception occurred while sending the event to Sentry.
io.sentry.connection.ConnectionException: An exception occurred while submitting the event to the Sentry server.
at io.sentry.connection.HttpConnection.doSend(HttpConnection.java:216)
at io.sentry.connection.AbstractConnection.send(AbstractConnection.java:88)
at io.sentry.connection.AsyncConnection$EventSubmitter.run(AsyncConnection.java:187)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(…)

I tried to fix it using the steps on SSL Protocols and Ciphers | Sentry Documentation. Basically, imported the getsentry.pem certificate. But that did not fix it.

Ok great, I managed to fix it by upgrading my project from Java 8 --> Java 11


Thanks for that info canetcesc!

Can one of the @Sentry folks please confirm that this is a known problem in Java 8 and that upgrading is the only option?
For me, it’s not an option to upgrade at this time so we may not be able to use Sentry.

Please confirm.

Thanks!

I’m fairly sure this is not a Sentry issue but a TLS/SSL issue in Java that gets updated or fixed when moving to a more recent version.

So I got this to work with Java 8.
Just wanted to post here, in case someone else faces the same problem:

Turns out that my Java 8 security directory was old or corrupt.
I installed a more recent version of jdk8 from adoptopenjdk.

➜  xyz git:(sentry-integration-log4j2) ✗ ll /Library/Java/JavaVirtualMachines
total 0
drwxr-xr-x  3 root  wheel    96B Feb 20 20:22 adoptopenjdk-11.jdk
drwxr-xr-x  3 root  wheel    96B Jul 24 16:50 adoptopenjdk-8.jdk
drwxr-xr-x  3 root  wheel    96B Jan  6  2016 jdk1.7.0_79.jdk
drwxr-xr-x  3 root  wheel    96B Jan  6  2016 jdk1.8.0_65.jdk

From the above, jdk1.8.0_65.jdk doesn't work but adoptopenjdk-8.jdk does.

Here are the contents of my security dir:
This doesn’t work:
git:(sentry-integration-log4j2) ✗ ll /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security
total 312
-rw-rw-r--@ 1 root wheel 5.2K Jul 24 15:56 US_export_policy.jar
-rw-rw-r-- 1 root wheel 4.0K Oct 6 2015 blacklist
-rw-rw-r-- 1 root wheel 1.2K Oct 6 2015 blacklisted.certs
-rw-rw-r-- 1 root wheel 98K Oct 6 2015 cacerts
-rw-rw-r-- 1 root wheel 2.4K Oct 6 2015 java.policy
-rw-rw-r-- 1 root wheel 26K Oct 6 2015 java.security
-rw-rw-r--@ 1 root wheel 5.2K Jul 24 15:57 local_policy.jar
-rw-rw-r-- 1 root wheel 0B Oct 6 2015 trusted.libraries

And this does:
git:(sentry-integration-log4j2) ✗ ll /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security
total 312
-rw-r--r-- 1 root wheel 1.2K Jul 15 07:08 blacklisted.certs
-rw-r--r-- 1 root wheel 99K Jul 15 07:08 cacerts
-rw-r--r-- 1 root wheel 2.5K Jul 15 07:08 java.policy
-rw-r--r-- 1 root wheel 45K Jul 15 07:08 java.security
drwxr-xr-x 4 root wheel 128B Jul 15 07:08 policy

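The check BYK asked for earlier (does the JVM's cert store trust the chain?) and the cacerts comparison in the post above, as one stand-alone Java 8 program. This is an added example, not code from this thread or from the Sentry SDK; the class and method names are my own. It loads the trust store the JVM will actually use, lists any trusted roots matching the issuer names that came up in this thread, and, if you pass a host (for example the host part of your DSN), performs the same default-trust-manager handshake the SDK performs, so an untrusted chain reproduces the PKIX error without involving Sentry at all.

```java
import java.io.FileInputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SentryTrustCheck {  // hypothetical name; not part of the Sentry SDK
    // The store the JVM really uses: -Djavax.net.ssl.trustStore if set, else <java.home>/lib/security/cacerts
    // (on JDK 8 java.home is already the .../jre directory, matching the paths listed in the thread).
    static Path trustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        return override != null ? Paths.get(override)
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }
    // Print every trusted root whose subject mentions one of the issuer names from the thread.
    static void listRoots(KeyStore ks, String... names) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String subject = x.getSubjectX500Principal().getName();
            for (String n : names)
                if (subject.contains(n))
                    System.out.printf("%-36s %s (expires %s)%n", alias, subject, x.getNotAfter());
        }
    }
    // Same default trust manager the SDK's HttpsURLConnection uses: an untrusted chain
    // fails here with the identical "PKIX path building failed" SSLHandshakeException.
    static void handshake(String host) throws Exception {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, 443)) {
            s.startHandshake();
            Certificate[] chain = s.getSession().getPeerCertificates();
            System.out.println("Handshake with " + host + " OK; chain length " + chain.length);
        }
    }
    public static void main(String[] args) throws Exception {
        Path path = trustStorePath();
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");  // JDK default
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path.toFile())) { ks.load(in, pass.toCharArray()); }
        System.out.println("Trust store: " + path + " (" + ks.size() + " entries)");
        listRoots(ks, "DST Root CA X3", "DigiCert");
        if (args.length > 0) handshake(args[0]);  // e.g. the host part of your DSN
    }
}
```

Run it once under each JDK you have installed (java -cp . SentryTrustCheck sentry-host-from-your-DSN): a store that lists no matching root, or one whose roots have already expired, is the outdated cacerts this thread describes.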

Hi, I am getting the same error while using Sentry. Locally, in STS, it is working fine. I am able to send the messages to Sentry, but when I deploy to the server using Docker it says:

i.s.c.AbstractConnection.lockdown : Initiated a temporary lockdown because of exception: An exception occurred while submitting the event to the Sentry server.

My Dockerfile:

# build stage: Maven with JDK 8
FROM maven:3.6.2-jdk-8 as base
ARG APP_PATH=/usr/src/app/
WORKDIR ${APP_PATH}

# release stage: JRE 8 on Alpine
FROM openjdk:8-jre-alpine as release

Basically I am using these two versions. One for maven and other for java as release.
Can anyone please help me regarding this?