[🐛 Bug]: SSLHandshakeException since Selenium Grid 3.14.0

[pandoras-toolbox]

What happened?

Our remote Selenium Grid is currently on version 3.15.0.

In the Maven POM I cannot update the Selenium version to 3.14.0 or later, it has to stay at 3.13.0.

Otherwise the error below would occur, meaning, all Selenium tests fail because of that.

Our Selnium Grid is NOT configured with HTTPS and certificates. Do we really now have to spend time for that stuff in order to be able to increase the Selenium versions we use? I mean we have much more important things to work on, the Selenium Grid is behind a firewall and of no concern to security for us.

Ideally I would like to configure the Grid easily so that it does not throw this error, without having to run the gauntlets to make it support HTTPS. Is that possible, and how? And why does it fail now all of a sudden in such a scenario instead of just logging a warning? And why does the release notes not say that they will break existing test automations with that version in this scenario?

How can we reproduce the issue?

Run Selenium Grid 3.14.0 or later. In Maven set dependency to Selenium to 3.14.0 or later.

Relevant log output

org.openqa.selenium.SessionNotCreatedException: Could not start a new session. Possible causes are invalid address of the remote server or browser start-up failure. 
Host info: host: 'foobar.com', ip: '111.111.1.111'
Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '6.6.3-200.fc39.x86_64', java.version: '17.0.6'
Driver info: org.openqa.selenium.remote.RemoteWebDriver
Command: [null, newSession {capabilities=[Capabilities {browserName: chrome, goog:chromeOptions: {args: [...], excludeSwitches: [enable-automation], extensions: [], prefs: {download.default_directory: /tmp, intl.accept_languages: de}}, pageLoadStrategy: eager}]}]
Capabilities {browserName: chrome, goog:chromeOptions: {args: [...], excludeSwitches: [enable-automation], extensions: [], prefs: {download.default_directory: /tmp, intl.accept_languages: de}}, pageLoadStrategy: eager}
	at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:625)
	at org.openqa.selenium.remote.RemoteWebDriver.startSession(RemoteWebDriver.java:241)
	at org.openqa.selenium.remote.RemoteWebDriver.<init>(RemoteWebDriver.java:168)
	at org.openqa.selenium.remote.RemoteWebDriver.<init>(RemoteWebDriver.java:148)
	at com.swisssign.at.selenium.DriverManager.createDriver(DriverManager.java:121)
	at com.swisssign.at.selenium.DriverManager.lambda$driver$3(DriverManager.java:97)
	... 30 more
Caused by: java.io.UncheckedIOException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.openqa.selenium.remote.http.jdk.JdkHttpClient.execute0(JdkHttpClient.java:450)
	at org.openqa.selenium.remote.http.AddSeleniumUserAgent.lambda$apply$0(AddSeleniumUserAgent.java:42)
	at org.openqa.selenium.remote.http.Filter.lambda$andFinally$1(Filter.java:55)
	at org.openqa.selenium.remote.http.jdk.JdkHttpClient.execute(JdkHttpClient.java:366)
	at org.openqa.selenium.remote.tracing.TracedHttpClient.execute(TracedHttpClient.java:54)
	at org.openqa.selenium.remote.ProtocolHandshake.createSession(ProtocolHandshake.java:115)
	at org.openqa.selenium.remote.ProtocolHandshake.createSession(ProtocolHandshake.java:96)
	at org.openqa.selenium.remote.ProtocolHandshake.createSession(ProtocolHandshake.java:68)
	at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:163)
	at org.openqa.selenium.remote.TracedCommandExecutor.execute(TracedCommandExecutor.java:51)
	at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:607)
	... 35 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1118)
	at java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:157)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1113)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1079)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:484)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:268)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:205)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$TryEndDeferredCompleter.complete(SequentialScheduler.java:347)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:151)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:230)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
	... 23 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 28 more

Operating System

Fedora 39

Selenium version

3.14.0

What are the browser(s) and version(s) where you see this issue?

Chrome 119

What are the browser driver(s) and version(s) where you see this issue?

Chromedriver 119

Are you using Selenium Grid?

3.14.0

[github-actions]

@pandoras-toolbox, thank you for creating this issue. We will troubleshoot it as soon as we can.

---

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

[github-actions]

Hi, @pandoras-toolbox.
Please follow the issue template, we need more information to reproduce the issue.

Either a complete code snippet and URL/HTML (if more than one file is needed, provide a GitHub repo and instructions to run the code), the specific versions used, or a more detailed description to help us understand the issue.

Note: If you cannot share your code and URL/HTML, any complete code snippet and URL/HTML that reproduces the issue is good enough.

Reply to this issue when all information is provided, thank you.

[diemol]

Share the commands you are using to start the Grid and the test you are using to get that error.

[pandoras-toolbox]

I do not know how the Grid is started, it is done by people from operations, it is basically a YAML file which is redeployed whenever changes are merged to master branch, then a ArgoCD job starts automatically to apply the changes.

I wonder if that error is supposed to exist or not. Because if it is intended behavior, then I think you are aware of how to reproduce it. So I assume it is not a feature for you but a bug.

Sorry, but to create the code snippet in Java and all the other things in the whole ping pong until it is maybe solved by you, I am afraid that is more effort here to provide you all that stuff, because our test code was never made for that, it is no open source project but closed, I would have quite some effort into extracting something for you guys.

Then forget about it, i will run the gauntlets and provide that stupid HTTPS certificate, because in the end that is less effort as I see now than to give you all the extra information.

[diemol]

Well, we are here to help, we have tons of users who have been successfully upgraded to Grid 4. We have been helping them whenever questions come, but without details that help reproduce the error, it is hard to help.

I wonder if that error is supposed to exist or not. Because if it is intended behavior, then I think you are aware of how to reproduce it. So I assume it is not a feature for you but a bug.

Hard to say, it obviously depends on your environment.

I will leave this open in case you want to provide more information.

[krmahadevan]

@pandoras-toolbox - Maybe you can help share these specific information (which is what @diemol is also asking)

1. How are you enabling SSL on your Grid (Can you please reach out to your ops team and help get this information)? It looks to me that your Grid has https enabled at its side and is serving a self signed certificate that is perhaps NOT available in your Local Java Key store. I have added some additional details around the bottom of this message to give you some additional context
2. When you instantiate your RemoteWebDriver, do you setup some ssl context manually by passing in a JKS file or does this gauntlet [ I am guessing that is the tool you are referring to ] set this up by injecting a certificate into a keystore and then passing in the location of that keystore using the JVM arguments ?
3. Between 4.14 and 4.15 has anything changed in your grid environment? [For e.g., enabling https or has it always been https ]

This is just a guess. But from the stacktrace that you have shared, it looks to me that you need to have a keystore setup with the certificate that is being used to enable https at the Grid end.

FYI.,

If you run java -jar selenium-server-4.15.0.jar info security you should see a whole lot of information around enabling https at your grid end. Maybe you can refer to that output to familiarise yourself with the details so that it becomes easy for you to ask your operations team on how the https is being setup at your grid end and also to get hold of the certificate.

Security in Selenium server

About Security
==============

Selenium 4 has a number of changes aimed at improving the security posture
of running your own infrastructure. The ability to communicate to a Selenium
Server (whether it is acting as a Standalone or Grid) is discussed in `Secure
Communication` and restricting Grid Nodes to only those you trust is covered
in `Node Registration.`

1. Secure Communication

=======================

Selenium Grid by default communicates over HTTP. This is fine for a lot of
use cases, especially if everything is contained within the firewall and against
test sites with testing data. However, if your server is exposed to the Internet
or is being used in environments with production data (or that which has PII)
then you should secure it.

Standalone

In order to run the server using HTTPS instead of HTTP you need to start it
with the `--https-private-key` and `--https-certificate` flags to provide
it the certificate and private key (as a PKCS8 file).

  java -jar selenium.jar \
       hub \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem


Distributed

Alternatively, if you are starting things individually you would also specify
https when telling where to find things.

  java -jar selenium.jar \
       sessions \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem


  java -jar selenium.jar \
       distributor \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       -s https://sessions.grid.com:5556


  java -jar selenium.jar \
       router \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       -s https://sessions.grid.com:5556 \
       -d https://distributor.grid.com:5553 \


Certificates

The Selenium Grid will not operate with self-signed certificates, as a result
you will need to have some provisioned to you from a Certificate Authority
of some sort. For experimentation purposes you can use MiniCA to create and
sign your certificates.

  minica --domains sessions.grid.com,distributor.grid.com,router.grid.com


This will create minica.pem and minica.key in the current directory as well
as cert.pem and key.pem in a directory `sessions.grid.com` which will have
both distributor.grid.com and router.grid.com as alternative names. Because
Selenium Grid requires the key to be in PKCS8, you have to convert it.

  openssl pkcs8 \
    -in sessions.grid.com/key.pem \
    -topk8 \
    -out sessions.grid.com/key.pkcs8 \
    -nocrypt


And since we are using a non-standard CA, we have to teach Java about it.
To do that you add it to the cacert truststore which is by default, $JAVA_HOME/jre/lib/security/cacerts


  sudo keytool \
      -import \
      -file /path/to/minica.pem \
      -alias minica \
      -keystore $JAVA_HOME/jre/lib/security/cacerts \
      -storepass changeit \
      -cacerts


More information can be found at:

* MiniCA: https://github.com/jsha/minica


2. Node Registration

====================

Selenium Grid distributes script execution to worker nodes. Those nodes self-register
with the Grid Distributor process when they start and the Distributor trusts
that they should be getting work. This is fine in highly secured networks
where everything is trusted, but aside from that you really want to make sure
that the node is one you control and not a rouge node. In order to do this,
you start the Distributor, Router and Node servers with the new `--registration-secret`
command-line argument.

Using the same examples as above, they become the following with this additional
layer of security.

  java -jar selenium.jar \
       distributor \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       -s https://sessions.grid.com:5556 \
       --registration-secret cheese \


  java -jar selenium.jar \
       router \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       -s https://sessions.grid.com:5556 \
       -d https://distributor.grid.com:5553 \
       --registration-secret cheese


  java -jar selenium.jar \
       node \
       --https-private-key /path/to/key.pkcs8 \
       --https-certificate /path/to/cert.pem \
       --detect-drivers \
       --registration-secret cheese


Note: If the registration-secret from the Node to the Distributor (or Router)
is incorrect, there is nothing to indicate that returned to the Node. There
is an ERROR level log entry produced on the servers. You should be monitoring
the logs for that and raise alarms as deemed appropriate.

[pandoras-toolbox]

I understand that you want to reproduce it. Perhaps I am the 1 percent. For me it would be solved if I can configure the Grid to ignore any SSL problems, if that is possible. I will now take a deeper look at the issue.

If I find something out I will let you know.

[krmahadevan]

For me it would be solved if I can configure the Grid to ignore any SSL problems, if that is possible.

I think that the easiest way of getting past this problem is to grab the certificate that is being used to enable https at your grid end, and add it to your local Java keystore. That should fix the issue. The problem is coming up because your Grid is https enabled, its serving a self signed certificate that is NOT marked as a trusted certificate in your local Java Key store and so Java is refusing to allow you to connect to the https end point (Grid in this case)

[pandoras-toolbox]

Thanks @krmhadevan. But wouldn't it be easier not to enable HTTPS on the Grid? If I knew how.

Locally I can NOT reproduce the problem. I have set Selenium version to be 4.15.0 in the Maven POM file, on my client side.

This is how I installed and started the Grid locally on Fedora Linux:

mkdir selenium
cd selenium
# Download and extract Chromedriver in the right version for your computer
# (see: https://googlechromelabs.github.io/chrome-for-testing/):
chromedriver_version="119.0.6045.105"
wget https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/$chromedriver_version/linux64/chromedriver-linux64.zip --continue
unzip chromedriver-linux64.zip
rm chromedriver-linux64.zip
PATH=$(pwd)/chromedriver-linux64/chromedriver:$PATH
# Download and start Selenium Grid:
selenium_major_version="4.14.0"
selenium_server_version="4.14.1"
wget https://github.com/SeleniumHQ/selenium/releases/download/selenium-$selenium_major_version/selenium-server-$selenium_server_version.jar --continue
java -jar selenium-server-$selenium_server_version.jar hub --port 4444
# In a new terminal window in the same directory:
selenium_server_version="4.14.1"
java -jar selenium-server-$selenium_server_version.jar node --port 5555 --hub http://localhost:4444 --max-sessions 8

On Kubernetes we use 4.15.0 for the Grid, but the problem started with 4.14.0, so I think it does not matter the little version discrepancy between the local and remote Grid situation. But I will retest again, and if it is a different behavior locally with Grid 4.15.0 I will comment.

[krmahadevan]

@pandoras-toolbox - Thanks for adding those details. The steps that you shared to start the hub and the node, will only run a grid working with http. So this is fine.

You mentioned that you are using K8s for managing the grid. Would it be possible for you to please help share either the deployment yaml file or the helm chart that you are using to deploy the grid?

Also I remember you mentioning gauntlet in your earlier posts. Can you please share some additional details in terms of what role it plays?

There is something in your k8s cluster that is enabling https on the Grid.

[pandoras-toolbox]

@krmahadevan I need to first ask for permission to attach the YAML file here. With "gauntlet" I meant the English phrase "run the gauntlet" in a metaphoric way, when you Google it you will see what it means.

[krmahadevan]

@pandoras-toolbox

With "gauntlet" I meant the English phrase "run the gauntlet" in a metaphoric way, when you Google it you will see what it means.

Lol! Silly me. I just tied it to that tool (Strange co-incidence aint it) ! Glad one of the confusions stands ruled out. We now have to just figure out what in your k8s cluster is enabling https :)

Thanks for clarifying the "gauntlet" part :)

[pandoras-toolbox]

I still do not know if I can share the Kubernetes YAML.

I had a wrong assumption, that we do not have HTTPS for the Selenium Grid. But we do have HTTPS. That has changed recently, before it was insecure HTTP. It is nevertheless related to which versions of Selenium I use in the Maven POM.

When I export the certificate in Chrome of the Selenium Grid and import it with the "keytool" command, then it works with Selenium 4.15.0 to run a test without the errors above.

Now I need to figure out the best way to avoid the error.

I did not understand how I can apply: "When you instantiate your RemoteWebDriver, do you setup some ssl context manually by passing in a JKS file ..."

Or maybe there is a setting or VM argument to ignore such errors, which would be the easiest.

[diemol]

Grid 3 did not support HTTPS out of the box, you had to follow several workarounds or put a layer on top that took care of that.

Grid 4 does support HTTPS and here are instructions that show how to enable it. The workaround of putting a layer on top to enable that is still valid (which is, I believe, what your ops team is doing).

[pandoras-toolbox]

Can I do that in Java also? Because then it would work in every situation where it is run.

I mean what is done with the command below to solve in Java Selenium code:

  sudo keytool \
      -import \
      -file /path/to/minica.pem \
      -alias minica \
      -keystore $JAVA_HOME/jre/lib/security/cacerts \
      -storepass changeit \
      -cacerts

[pandoras-toolbox]

Any ideas? I now came up with this attempt, but it fails, see error below:

TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
        }

        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
        }

        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[]{};
        }
    }
};

SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());

ClientConfig clientConfig = ClientConfig.defaultConfig()
    .connectionTimeout(Duration.ofSeconds(10))
    .readTimeout(Duration.ofSeconds(10))
    .sslContext(sslContext);

RemoteWebDriver.builder()
        .address("https://url-to-our-selenium-grid.xyz")
        .oneOf(new ChromeOptions())
        .setCapability("ext:options", Map.of("key", "value"))
        .config(clientConfig)
        .build();

org.openqa.selenium.remote.http.ConnectionFailedException: JdkWebSocket initial request execution error
Build info: version: '4.15.0', revision: '1d14b5521b'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '6.6.4-200.fc39.x86_64', java.version: '17.0.6'
Driver info: driver.version: unknown

	at org.openqa.selenium.remote.http.jdk.JdkHttpClient.openSocket(JdkHttpClient.java:256)
	at org.openqa.selenium.devtools.Connection.<init>(Connection.java:84)
	at org.openqa.selenium.devtools.SeleniumCdpConnection.<init>(SeleniumCdpConnection.java:36)
	at org.openqa.selenium.devtools.SeleniumCdpConnection.lambda$create$3(SeleniumCdpConnection.java:103)
	at java.base/java.util.Optional.map(Optional.java:260)
	at org.openqa.selenium.devtools.SeleniumCdpConnection.create(SeleniumCdpConnection.java:103)
	at org.openqa.selenium.devtools.SeleniumCdpConnection.create(SeleniumCdpConnection.java:49)
	at org.openqa.selenium.devtools.DevToolsProvider.getImplementation(DevToolsProvider.java:50)
	at org.openqa.selenium.devtools.DevToolsProvider.getImplementation(DevToolsProvider.java:29)
	at org.openqa.selenium.remote.Augmenter.augment(Augmenter.java:191)
	at org.openqa.selenium.remote.Augmenter.augment(Augmenter.java:162)
	at org.openqa.selenium.remote.RemoteWebDriverBuilder.build(RemoteWebDriverBuilder.java:371)
	at com.swisssign.at.swissid.e2e.RemoteWebDriverTest.remoteWebDriverBuilder(RemoteWebDriverTest.java:133)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at java.base/java.util.concurrent.RecursiveAction.exec(RecursiveAction.java:194)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182)
	at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622)
	at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165)
Caused by: java.net.http.HttpConnectTimeoutException: HTTP connect timed out
	at java.net.http/jdk.internal.net.http.MultiExchange.toTimeoutException(MultiExchange.java:580)
	at java.net.http/jdk.internal.net.http.MultiExchange.getExceptionalCF(MultiExchange.java:527)
	at java.net.http/jdk.internal.net.http.MultiExchange.lambda$responseAsyncImpl$7(MultiExchange.java:447)
	at java.base/java.util.concurrent.CompletableFuture.uniHandle(CompletableFuture.java:934)
	at java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(CompletableFuture.java:911)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510)
	at java.base/java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:2162)
	at java.net.http/jdk.internal.net.http.Http1Exchange.lambda$cancelImpl$9(Http1Exchange.java:483)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.net.ConnectException: HTTP connect timed out
	at java.net.http/jdk.internal.net.http.MultiExchange.toTimeoutException(MultiExchange.java:581)
	... 10 more

[diemol]

That Java code would probably only work if it was executed inside the Grid. Running it on the client side has no effect on the server side at all.

If you want to locally setup a Grid with HTTPS, you can follow the link I shared before, but I believe you should share that link with your OPS team so they add the certificates to the Grid and it starts working properly.

[krmahadevan]

@diemol - This is just a guess, but it looks like we currently don't have a mechanism to pass in the SSL Context which was passed via RemoteWebDriver.builder() to DevToolsProvider.getImplementation

We seem to ignore the sslContext set via the builder and we are working without any ssl context

Call goes from SeleniumCdpConnection.create() to CdpEndpointFinder.getHttpClient()

Please let me know if this analysis is valid.

[krmahadevan]

@pandoras-toolbox - I think you would need to do something like the sample in this stackoverflow post which will setup a default ssl context for the entire jvm. Please see if this helps.

[diemol]

I am not sure. As always, we need something actionable to troubleshoot.

[pandoras-toolbox]

@krmahadevan Thank you, I will try that. But wouldn't it be good if the SSL Context set in the builder would not be ignored, if that is really the case?

[krmahadevan]

@pandoras-toolbox - yes. But for us to be able to confirm that hunch, we would need to have a reproducible (which is what @diemol is also expecting).

[pandoras-toolbox]

I guess you mean me to provide something reproducible. I will try to do it on basis of your own examples, but fist I need to work on something else for a bit.

[VietND96]

I also tried to explore enabling HTTPS in Selenium in the downstream repo SeleniumHQ/docker-selenium#2080

1. We need to have a JKS (java truststore) file, based on that export the private key (PKCS8 format no encrypted) and certificate PEM. Via keytool you can add multiple certs to create CA bundles before exporting.
2. Adding these options for both server and JAVA_OPTS while starting the Grid. For example

java -jar -Djavax.net.ssl.trustStore=/path/to/truststore.jks \
-Djavax.net.ssl.trustStorePassword=your_passphase \
-Djdk.internal.httpclient.disableHostnameVerification=true \
selenium-server.jar \
--https-private-key /path/to/privateKey.pkcs8 \
--https-certificate /path/to/cert.pem

Internally components communicate with different IPs so without disableHostnameVerification some error related to not match host, DNS, or SAN will be seen, so keep it disabled

3. Test execution against the Grid is enabled HTTPS, it would depend on the language binding that you are using. If your CA bundles are already imported correctly to the default location (e.g JVM trust store, or OS), no further action is needed. Otherwise, we need to specify the CA bundles location. For example

Java binding

mvn test -Djavax.net.ssl.trustStore=src/test/resources/configuration/selenium.jks \
-Djavax.net.ssl.trustStorePassword=changeit \
-Djdk.internal.httpclient.disableHostnameVerification=true \
-Dselenium.hub.url="https://ci.ndviet.org/selenium"

Python binding

export REQUESTS_CA_BUNDLE=/path/to/cert.pem
export GRID_URL=https://ci.ndviet.org/selenium
python test.py

[titusfortner]

You should be able to pass these things into the Http Client classes/configs as well.

[titusfortner]

I don't know much about certs, is there a way to test whether things are being applied properly?

[diemol]

I do not think this is a bug in the Grid, as this has been working fine for a while; we even have the instructions on how to roll this on your own at https://github.com/SeleniumHQ/selenium/blob/trunk/java/src/org/openqa/selenium/grid/commands/security.txt.

When working with certs, you always need to make the cert store on the host trust the certificate.

I will close this, and I will be happy to reopen it when we have something that we can use to reproduce it.

If you need help to get this working, join our chat https://www.selenium.dev/support/#ChatRoom.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.