Not able to post to Sentry using sentry-log4j2 and a spring-boot app

Hi,
I’m using a spring-boot app with log4j2 logging.
I therefore used sentry-log4j2 jar in my pom like so:

    <dependency>
        <groupId>io.sentry</groupId>
        <artifactId>sentry-log4j2</artifactId>
        <version>1.7.22</version>
    </dependency>

Also, configured log4j2 with the correct appender etc.

When my logs startup, I get the exception below.

I am using a cert that is issued by DigiCert CA.

Why is it not able to validate the cert?

Thanks!

2020-06-20T14:57:04,514 ERROR [sentry-pool-1-thread-2] i.s.c.AsyncConnection$EventSubmitter An exception occurred while sending the event to Sentry.
io.sentry.connection.ConnectionException: An exception occurred while submitting the event to the Sentry server.
at io.sentry.connection.HttpConnection.doSend(HttpConnection.java:216)
at io.sentry.connection.AbstractConnection.send(AbstractConnection.java:76)
at io.sentry.connection.AsyncConnection$EventSubmitter.run(AsyncConnection.java:185)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at io.sentry.connection.HttpConnection.doSend(HttpConnection.java:168)
… 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
… 16 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
… 22 more

Looks like your client cannot verify the HTTPS certificate for your Sentry server. If this is on sentry.io, it is 100% a bug, if this is your local install then you either need to get a publicly verifiable certification for your on-premise Sentry or add the certificate to the machine you are using Log4J SDK on.

Maybe @bruno-garcia may point us to a config or something for custom certs?

I am using a cert that is issued by DigiCert CA.

It should be working then. If the Java process has access to a cert-store that trusts the chain of your cert.
Could you confirm the cert store does trust it?

The SDK doesn’t have any custom code to trust only sentry.io or something. It’s just Java doing its thing.

Thanks a lot for the responses!

Here are some points to note:

  1. My server runs on localhost. I connect to my server (from the browser) via SSL. For that I’ve created a DNS entry (myserver.xyz.com) to my static IP and the certificate I am using is based on myserver.xyz.com. So the browser works fine using the cert mapped to that DNS entry.

However, SentrySDK uses the same certificate but since it’s trying to push info upon server startup to the DSN, from my localhost, the domain name on the certificate will not match localhost.
Could that be the reason that Sentry finds the certificate invalid?

  2. The certificate I am using does NOT have a DigiCert root CA as earlier stated. It is DST and I'm not sure if they are the same. Please see the certificate info below. As per Sentry docs, the cert needs to be issued by DigiCert. Can you please confirm if the root CA on that cert as shown below, is good?

spring-boot git:(sentry-integration-log4j2) ✗ openssl pkcs12 -info -in src/main/resources/pankaj.p12
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 84 1D 70 83 11 DA C5 B3 10 D6 F5 6E 91 39 96 98 8D 4C 1C 79
subject=/CN=xxx.yyy.zzz
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 84 1D 70 83 11 DA C5 B3 10 D6 F5 6E 91 39 96 98 8D 4C 1C 79
Key Attributes:
Enter PEM pass phrase:

Thanks!

Not sure what you mean here but if the DSN has localhost in it but the certificate is for a real domain, Sentry SDK (well, any TLS check, really) would complain and stop.

I don’t know where we state this but there is no requirement for a specific root CA for TLS certificates. What the SDKs need is a root CA installed on and trusted by the system. Seems like you are using Let’s Encrypt which should be fine.

Thanks BYK!
The DSN I have does not have localhost in it.
It is what I got from the sentry console (client-keys).

What I was saying was, that since (during my development), I'm trying this from my localhost, and my .p12 cert is for myserver.xyz.com, could it be that the SDK that is pushing the logs to Sentry is not able to reconcile the cert (that is for myserver.xyz.com) against localhost (where the Sentry SDK is running)?
I did try mapping 127.0.0.1 to myserver.xyz.com in my /etc/hosts file on my mac, but that didn't help.

Understood (and relieved) to know that any root CA will work. So it’s not a cert issue.
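The request above to confirm that the cert store trusts the chain, and the later back-and-forth about the server's own .p12 certificate, both come down to one check: does the JVM's trust store contain the root that signed the certificate chain the Sentry host presents? The .p12 holds the application's own key and certificate and plays no part in validating an outbound HTTPS connection; only the trust store (cacerts, or whatever javax.net.ssl.trustStore points at) does. The following Java program is an added example, not code from the Sentry SDK or from anyone in this thread. It runs a server's chain through the JVM's default X509TrustManager, which is the same PKIX check that produced the stack trace, and on failure names the trust anchor that is missing. The class name, the host:port versus PEM-file argument handling and the default target of sentry.io:443 are my own choices; it assumes JDK 8 or later and either network access to the host or a chain saved with `openssl s_client -showcerts`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Diagnoses "PKIX path building failed" for an outbound HTTPS connection.
 * Usage: java TrustStoreCheck sentry.io:443   (fetch the chain from the server)
 *        java TrustStoreCheck chain.pem       (chain saved from openssl s_client -showcerts)
 * Hypothetical class name; this is not part of the Sentry SDK.
 */
public class TrustStoreCheck {

    /** The X509TrustManager SunJSSE builds from the JVM's default trust store (cacerts, or
     *  javax.net.ssl.trustStore if set). HttpsURLConnection in the SDK ends up using this one. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);               // null => JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Reads every CERTIFICATE block from a PEM file, leaf first. */
    static List<X509Certificate> readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        return chain;
    }

    /** Records the chain a server presents during the handshake. The recording trust manager
     *  accepts anything, so the socket is closed right after the handshake and never carries
     *  application data; this pattern belongs in a diagnostic only, never in the application. */
    static List<X509Certificate> fetchServerChain(String host, int port) throws Exception {
        final List<X509Certificate> seen = new ArrayList<>();
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                seen.addAll(Arrays.asList(chain));
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();            // SNI is sent because the host name was given
        }
        return seen;
    }

    /** Runs the chain through the default trust manager (the PKIX check behind the stack trace
     *  in this thread) and, when it fails, says whether the needed trust anchor is present. */
    static String diagnose(List<X509Certificate> chain, X509TrustManager tm) {
        if (chain.isEmpty()) return "server presented no certificates";
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < chain.size(); i++) {
            out.append(String.format("[%d] subject=%s%n    issuer=%s%n", i,
                    chain.get(i).getSubjectX500Principal(), chain.get(i).getIssuerX500Principal()));
        }
        try {
            // "UNKNOWN" is the authType SunJSSE itself passes when the key exchange is not known;
            // it checks the digitalSignature key usage, which fits both RSA and ECDSA server certs.
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), "UNKNOWN");
            out.append("TRUSTED: chain validates against the JVM trust store");
        } catch (CertificateException e) {
            X500Principal wanted = chain.get(chain.size() - 1).getIssuerX500Principal();
            boolean anchorPresent = Arrays.stream(tm.getAcceptedIssuers())
                    .anyMatch(root -> root.getSubjectX500Principal().equals(wanted));
            out.append("NOT TRUSTED: ").append(e.getMessage()).append(System.lineSeparator());
            out.append(anchorPresent
                    ? "the issuer of the last certificate is in the trust store; check expiry, key usage or signature algorithm"
                    : "no trust anchor with subject [" + wanted + "] in the trust store; that root must be added or cacerts updated");
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : "sentry.io:443";
        List<X509Certificate> chain;
        if (target.contains(":")) {
            String[] hostPort = target.split(":", 2);
            chain = fetchServerChain(hostPort[0], Integer.parseInt(hostPort[1]));
        } else {
            chain = readPemChain(target);
        }
        System.out.println(diagnose(chain, defaultTrustManager()));
    }
}
```

Run it with the same JVM (same java.home and the same -Djavax.net.ssl.trustStore setting, if any) that runs the application, against the host in the DSN, because that is the only trust store that matters; the localhost mapping and the server's own certificate never enter this check. If it reports a missing anchor, add that root to the trust store with keytool (`keytool -importcert -trustcacerts -alias <alias> -file root.pem -keystore $JAVA_HOME/lib/security/cacerts`) or move to a JDK whose cacerts already ships it, which is what the later Java 8 to Java 11 fix in this thread amounts to; the recording trust manager above is kept out of the application on purpose, since installing one there would silence the error by removing the validation.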

I have the same problem, although in my case it is a Java application. I am using the below artifact.

<dependency>
    <groupId>io.sentry</groupId>
    <artifactId>sentry-log4j2</artifactId>
    <version>1.7.30</version>
</dependency>

Not doing anything special, just running

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

Logger logger = LogManager.getLogger(HelloWorld.class);
logger.info("Example log from {}", HelloWorld.class.getSimpleName());
logger.error("This is a test");

Then, I get the error:

[sentry-pool-1-thread-1] WARN io.sentry.connection.AbstractConnection.lockdown - Initiated a temporary lockdown because of exception: An exception occurred while submitting the event to the Sentry server.
[sentry-pool-1-thread-1] ERROR io.sentry.connection.AsyncConnection - An exception occurred while sending the event to Sentry.
io.sentry.connection.ConnectionException: An exception occurred while submitting the event to the Sentry server.
at io.sentry.connection.HttpConnection.doSend(HttpConnection.java:216)
at io.sentry.connection.AbstractConnection.send(AbstractConnection.java:88)
at io.sentry.connection.AsyncConnection$EventSubmitter.run(AsyncConnection.java:187)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(…)

I tried to fix it using the steps on https://docs.sentry.io/ssl/. Basically, imported the getsentry.pem certificate. But that did not fix it.

Ok great, I managed to fix it by upgrading my project from Java 8 --> Java 11

Thanks for that info canetcesc!

Can one of the @Sentry folks please confirm that this is a known problem in Java 8 and that upgrading is the only option?
For me, it’s not an option to upgrade at this time so we may not be able to use Sentry.

Please confirm.

Thanks!

I’m fairly sure this is not a Sentry issue but a TLS/SSL issue in Java that gets updated or fixed when moving to a more recent version.