I'm using smtp.gmail.com:465 as the mail server for coldfusion. I used the command openssl s_client -connect smtp.gmail.com:465 to get its cert and import it into its Java truststore.
It works perfectly for a while with no issues. Then after a random number of weeks it stops working and gives this error:
javax.mail.MessagingException: Could not connect to SMTP host: smtp.gmail.com, port: 465; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It works after grabbing the cert and importing it again.
It gets annoying that I have to keep doing this.
Anyone know what might be causing the issue and a solution if possible?
After some digging, I realized that the Java truststore (cacerts) was missing all root CA certs, including Gmail's root CA. I found a list of common root CA certs, including Gmail's, and imported them into the truststore.
I have stored a correct certificate in the Graylog configuration file, in the correct format. The web interface is also accessible via https. However, I get the following error message:
WARN [ProxiedResource] Unable to call https://<...>/api/system/metrics/multiple on node <...>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
WARN [ProxiedResource] Unable to call https://<...>/api/system/inputstates on node <...>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I work on Debian 10 with Graylog 5.0.
My server conf:
Hope someone can help me.
I have also packed the certificate chain into the cacerts file from Elastic via keytool.
Last time I was able to work around it by adding a local DNS entry to the hosts file, which set the hostname to the public IP (the certificate did not contain the IP, but now it does).
Or do I have the wrong approach?
First, search for the cacerts file for Graylog:
sudo find / -name cacerts
Then add the cert chain via keytool:
sudo keytool -import -keystore /usr/share/graylog-server/jvm/lib/security/cacerts -file /etc/ssl/certs/gray.pem
Once this was done it started working.
I am running a local Spring boot app that uses oauth2.0 and ssl.
I am using a zerossl signed certificate which is stored in /src/main/resources, and I've imported into the keychain in the project resources.
I am able to retrieve a token and call the /oauth/check_token endpoint manually, however when I try to hit any other endpoint I get the following error:
.o.s.r.w.BearerTokenAuthenticationFilter : Authentication request for failed!
org.springframework.security.authentication.AuthenticationServiceException: I/O error on POST request for "https://localhost:8443/oauth/check_token": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
application.properties:
# The format used for the keystore. It could be set to JKS in case it is a JKS file
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:demo.p12
# The password used to generate the certificate
server.ssl.key-store-password=*****
# The alias mapped to the certificate
server.ssl.key-alias=demo
server.ssl.enabled=true
security.oauth2.resource.token-info-uri=https://localhost:8443/oauth/check_token
security.oauth2.client.registered-redirect-uri=https://localhost:8443/test
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://localhost:8443/oauth/check_token
Stepping through the code, it looks like when the NimbusOpaqueTokenIntrospector tries to check the token by calling POST https://localhost:8443/oauth/check_token it is not even hitting the endpoint (I placed a breakpoint in the CheckTokenEndpoint controller) and gets the above PKIX error. I've tried using a custom RestTemplate that specifies the SSL context, but I'm still seeing the same error.
If you are still struggling with this, I also experienced the same issue and also tried to install the valid certificate into my JDK ca-certs. That was actually the correct solution, except that even though both the RootCA and ActualDomain certs were installed as trusted certs in the JDK ca-certs, there was an intermediate certificate issued just recently that I had left out. I installed the intermediate certificate as a trusted cert into the JDK ca-certs and the TLS certificate error is no more.
RootCA=>!!!IntermediateCert!!!=>SubdomainCert
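A small diagnostic, added here and not taken from any of the posts above, that runs the same PKIX path build the JSSE performs during a handshake (leaf as target, the rest of the served chain as candidate intermediates, the JVM cacerts as anchors) and, when it fails with the "unable to find valid certification path" message, names the issuer that still needs to be imported. It covers both the empty-cacerts case from the first post and the missing-intermediate case just above. It assumes the served chain was saved leaf-first to a PEM file (for example from openssl s_client -showcerts) and that the truststore uses the JDK default password changeit unless one is given; the class name PkixPathCheck is mine.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public class PkixPathCheck {
    // Load the certificates from a PEM file, leaf first (the order "openssl s_client -showcerts" prints).
    static List<X509Certificate> loadChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        return chain;
    }

    // Same build the JSSE does: target = leaf, candidates = served chain, anchors = truststore entries.
    static String buildPath(List<X509Certificate> chain, KeyStore trust) throws Exception {
        String alias = trust.getCertificateAlias(chain.get(0));
        if (alias != null) return "OK: leaf itself is a trusted entry (alias " + alias + ")";
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        // Throws InvalidAlgorithmParameterException when the truststore has no trusted CA entry at all.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            return "OK: anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathBuilderException e) {
            // e.getMessage() is the same text the stack traces on this page show.
            X509Certificate last = chain.get(chain.size() - 1);
            return "FAIL: " + e.getMessage() + "\n  last cert served: " + last.getSubjectX500Principal()
                    + "\n  import a CA whose subject is: " + last.getIssuerX500Principal();
        }
    }

    // Usage: java PkixPathCheck chain.pem [truststore] [password]
    public static void main(String[] args) throws Exception {
        Path store = Paths.get(args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray(); // JDK default password
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) { trust.load(in, pw); }
        System.out.println(buildPath(loadChain(Paths.get(args[0])), trust));
    }
}
```

Run it with the JVM that the failing application uses (pass its cacerts path explicitly if it is not the default one), since each JDK install carries its own truststore.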
Recently the cert expired on both the Jenkins server (Linux) and the IIS server (Windows), and we imported the new certs for both Jenkins and the remote slave.
After that it was able to connect when launched through the browser (but with a Java pop-up: "The certificate is not valid and cannot be used to verify the identity of this website"), and if we install Jenkins as a service on the Windows machine it stays in the starting state (not proceeding to the Running state) and is unable to start Jenkins as a slave.
In the logs I can see this error:
"Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Your certs are not correct. Make sure the values for CN and hostname on the cert you imported are the same as the old cert. Make sure you have the intermediate and root certificates imported/trusted as well, as those may have changed with the new certs.
Windows: certlm to check that the intermediate and root certificates are also trusted.
I created server and client keystore.jks and truststore.jks pairs.
server-truststore.jks contains client-public.cer, client-truststore.jks contains server-public.cer.
SSL certificates have no CAs, are self-signed ones. If I play the communication locally it works. But after deploying my server I get the exception:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I've tried to put my server/client certificates into the cacerts of Java security; it didn't help.
The communication only works if I call my WS from SOAP UI. (For SOAP UI I don't need to use truststore.jks.)
I checked it out with a famous SSLPoke.class
$ java SSLPoke HOST 443
Successfully connected
$ java -Djavax.net.ssl.trustStore=truststore.jks SSLPoke HOST 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What could solve it?
I'm having an issue communicating between the Cisco CUCM and a script on another server since the CUCM's certificate has been changed.
I'm running the commands from the server towards the Cisco CUCM.
After troubleshooting it, PHP sends me this:
nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As I know it's SSL related, I imported the new CUCM certificate onto the Debian server which is hosting the script.
By the way, I'm working with OpenSSL 0.9.8o (01 Jun 2010).
I added it to every keystore that I found on the machine (I found 5 different keystores) and reloaded with "dpkg-reconfigure ca-certificates" (even if I don't know whether the system is using it).
The fact is that I cannot really change the scripts, I'm in charge of the system, not the code.
What is interesting is this:
1/ Running the command openssl s_client -showcerts -connect ip:443
tells me:
CONNECTED
...
verify return code: 18 (self signed certificate)
2/ Running the same command but adding "-CApath /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts" gives:
CONNECTED
...
Verify return code: 0 (ok)
I should conclude that the script (and openssl by default) is not using the CA keystore located in the Java directory.
Am I right?
If I am, how do I find out where the keystore in use is located?