Recently the cert expired on both the Jenkins server (Linux) and the IIS server (Windows), and we have imported the new certs for both Jenkins and the remote slave.
After that it was able to connect when we launched through the browser (but with a Java pop-up: "The certificate is not valid and cannot be used to verify the identity of this website"), and if we install Jenkins as a service on the Windows machine it stays in the starting state (not proceeding to the Running state) and is unable to start Jenkins as a slave. In the logs
I can see the following error:
"Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Your certs are not correct. Make sure the values for CN and hostname on the cert you imported are the same as the old cert. Make sure you have the intermediate and root certificates imported/trusted as well, as those may have changed with the new certs.
Windows: certlm to check that the intermediate and root certificates are also trusted.
I have stored a correct certificate in the Graylog configuration file, in the correct format. The web interface is also accessible via https. However, I get the following error message:
WARN [ProxiedResource] Unable to call https://<...>/api/system/metrics/multiple on node <...>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
WARN [ProxiedResource] Unable to call https://<...>/api/system/inputstates on node <...>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I work on Debian 10 with Graylog 5.0
My Server conf
Hope someone can help me.
I have also packed the certificate chain into the cacerts file from Elastic via keytool.
Last time I was able to work around it by adding a local DNS entry to the hosts file, which set the hostname to the public IP (the certificate did not contain the IP, but now it does).
Or do I have the wrong approach?
First, search for the cacerts file used by Graylog:
sudo find / -name cacerts
then import the cert chain via keytool:
sudo keytool -import -keystore /usr/share/graylog-server/jvm/lib/security/cacerts -file /etc/ssl/certs/gray.pem
Once this was done it started working.
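The keytool step in the answer above, as an added example that is not from the Graylog thread: `keytool -importcert` only reads the first certificate in a PEM file, so a bundle holding the server cert plus its intermediate(s) has to be split and each part imported under its own alias, otherwise the intermediate never reaches the truststore and the PKIX error stays. The chain path, truststore path and alias prefix are arguments; the `changeit` password is the JDK default and the Graylog path in the usage comment comes from the answer.

```shell
#!/bin/sh
# Added example: import every certificate of a PEM chain into a JVM truststore.
# Assumptions: keytool is on PATH, the truststore uses the JDK default
# password "changeit" unless a fourth argument is given.

# split_pem_chain CHAIN_FILE OUT_DIR
# Writes OUT_DIR/cert-1.pem, cert-2.pem, ... (one certificate each) and prints
# the number of certificates found in the chain.
split_pem_chain() {
    chain="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }
    ' "$chain"
}

# import_chain CHAIN_FILE TRUSTSTORE ALIAS_PREFIX [STOREPASS]
# Imports each certificate of the chain under its own alias (PREFIX-1, PREFIX-2, ...)
# and then lists the aliases so the result can be confirmed.
import_chain() {
    chain="$1"; store="$2"; prefix="$3"; pass="${4:-changeit}"
    tmp=$(mktemp -d)
    count=$(split_pem_chain "$chain" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        # -keystore is essential: without it keytool writes to ~/.keystore,
        # which no JVM consults, so the import looks successful but changes nothing.
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$store" -storepass "$pass" \
            -alias "$prefix-$i" -file "$tmp/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    keytool -list -keystore "$store" -storepass "$pass" | grep "^$prefix-"
}

# Usage with the paths from the answer (Graylog's bundled JVM):
#   import_chain /etc/ssl/certs/gray.pem \
#       /usr/share/graylog-server/jvm/lib/security/cacerts graylog
```

Restart Graylog afterwards; the JVM reads cacerts once at startup. If the service is started with `-Djavax.net.ssl.trustStore=...`, import into that file instead of the bundled cacerts.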
Charles 4.6.2, macos 12.1
Following this page, https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/
I tried the following steps:
help->ssl proxying->save charles root cert
find where java lives: /usr/libexec/java_home
cd /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/lib/security
sudo keytool -import -alias charles -file ~/Documents/charles-ssl-proxying-certificate.pem. This prompts for 3 passwords, which I created new/random passwords for (don't know what they are)
start Java thusly: java -jar aem-publish-p4503.jar -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=8888
in Charles: Proxy -> SSL Proxy Settings, check Enable proxy settings.
Add URLs in "include" which the java server will call with port 443.
Now when my Java app tries to hit the API endpoints I added to the SSL proxying location, I get the following in the Charles proxy sequence output:
URL https://npxx.net
Status Failed
Failure SSL handshake with client failed: An unknown issue occurred processing the certificate (certificate_unknown)
Notes You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu.
Response Code 200 Connection established
Protocol HTTP/1.1
In the Java logs, I see this:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
NOTE: the external endpoint the local Java process is hitting has a wildcard multi-SAN cert from Comodo.
=== UPDATE 1 ===
I found an undocumented way to add certificates; in Charles Proxy there are some cert install options under Help:
Help->SSL proxying->Install Charles Root Cert.
This does nothing. Presumably it doesn't work on Mac.
Help->SSL proxying->Install cert on Java VMs
This does work, and prompts for a password, then says complete, but doesn't help.
I am running a local Spring boot app that uses oauth2.0 and ssl.
I am using a ZeroSSL-signed certificate which is stored in /src/main/resources, and I've imported it into the keychain in the project resources.
I am able to retrieve a token and call the /oauth/check_token endpoint manually; however, when I try to hit any other endpoint I get the following error:
.o.s.r.w.BearerTokenAuthenticationFilter : Authentication request for failed!
org.springframework.security.authentication.AuthenticationServiceException: I/O error on POST request for "https://localhost:8443/oauth/check_token": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
application.properties:
# The format used for the keystore. It could be set to JKS in case it is a JKS file
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:demo.p12
# The password used to generate the certificate
server.ssl.key-store-password=*****
# The alias mapped to the certificate
server.ssl.key-alias=demo
server.ssl.enabled=true
security.oauth2.resource.token-info-uri=https://localhost:8443/oauth/check_token
security.oauth2.client.registered-redirect-uri=https://localhost:8443/test
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://localhost:8443/oauth/check_token
Stepping through the code, it looks like when the NimbusOpaqueTokenIntrospector tries to check the token by calling POST https://localhost:8443/oauth/check_token it is not even hitting the endpoint (I placed a breakpoint in the CheckTokenEndpoint controller) and gets the above PKIX error. I've tried using a custom RestTemplate that specifies the SSL context, but I'm still seeing the same error.
If you are still struggling with this: I experienced the same issue and also tried installing the valid certificate into my JDK cacerts. That was actually the correct solution, except that even though both the root CA and the actual domain certs were installed as trusted certs in the JDK cacerts, there was an intermediate certificate issued just recently that I had left out. I installed the intermediate certificate as a trusted cert into the JDK cacerts and the TLS certificate is no more.
RootCA=>!!!IntermediateCert!!!=>SubdomainCert
I'm setting up a Docker container of the Confluent Platform, and I'm getting the javax.net.ssl.SSLHandshakeException error. Which certificate do I add?
The reason I'm using Docker is that my laptop is a Windows device. I've installed the latest version of Java and cloned the latest images for the Confluent Platform.
I've added the certificate for "*.confluent.io" into cacerts for my JRE.
I think this issue is due to my environment being a closed single sign-on environment. So this is where I am stuck.
The specific error message that I get when setting up docker compose with the CP image is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Error: Unknown error
ERROR: Service 'connect' failed to build: The command '/bin/sh -c confluent-hub install --no-prompt confluentinc/kafka-connect-datagen:latest' returned a non-zero code: 7
This is the error I get when I use:
curl https://api.hub.confluent.io/api/plugins
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
I'm having an issue communicating between the Cisco CUCM and a script on another server since the CUCM's certificate was changed.
I'm running the commands from the server towards the Cisco CUCM.
After troubleshooting it, PHP sends me this:
nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As I know it's SSL related, I imported the new CUCM certificate onto the Debian server which is hosting the script.
By the way, I'm working with OpenSSL 0.9.8o (01 Jun 2010).
I added it to every keystore that I found on the machine (I found 5 different keystores) and reloaded with "dpkg-reconfigure ca-certificates" (even if I don't know whether the system is using it).
The fact is that I cannot really change the scripts, I'm in charge of the system, not the code.
What is interesting is this:
1/ Running the command openssl s_client -showcerts -connect ip:443
tells me:
CONNECTED
...
verify return code: 18 (self signed certificate)
2/ Running the same command but adding "-CApath /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts":
CONNECTED
...
Verify return code: 0 (ok)
I should conclude that the script (and OpenSSL by default) is not using the CA keystore located in the Java directory.
Am I right?
If I am, how do I know where the used keystore is located?
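An added example for the question above, not code from the post: a JVM never consults the OS bundle that dpkg-reconfigure ca-certificates rebuilds, and OpenSSL cannot read a Java cacerts file (it is a JKS keystore, not PEM; -CApath expects a directory of hashed PEM files), so the two tools have to be checked separately. The functions below locate the truststore a given JVM layout uses, test whether a PEM certificate is already a trusted entry there, and run the OpenSSL check against a PEM bundle. The CUCM_IP and cucm.pem names in the usage comment are placeholders, and the SHA256 fingerprint line assumes a keytool recent enough to print one.

```shell
#!/bin/sh
# Added example: find the truststore a JVM actually uses and check trust on
# both the Java and the OpenSSL side. Assumptions: keytool/openssl on PATH,
# truststore password is the JDK default "changeit" unless given.

# java_home_of JAVA_BINARY -> the java.home the JVM itself reports (JDK 7+).
# Only the cacerts under this home, or whatever -Djavax.net.ssl.trustStore
# points at on the script's command line, is consulted by Java.
java_home_of() {
    "$1" -XshowSettings:properties -version 2>&1 | awk '/java.home/ { print $3 }'
}

# truststore_for_home JAVA_HOME -> path of the default cacerts for that layout:
# lib/security/cacerts (JRE, or JDK 9+) or jre/lib/security/cacerts (JDK <= 8,
# e.g. /usr/lib/jvm/java-6-openjdk in the post). Non-zero exit if neither exists.
truststore_for_home() {
    for cand in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$cand" ]; then printf '%s\n' "$cand"; return 0; fi
    done
    return 1
}

# jvm_trusts TRUSTSTORE CERT_PEM [STOREPASS] -> 0 if the certificate's SHA-256
# fingerprint appears among the store's entries, 1 otherwise.
jvm_trusts() {
    store="$1"; pem="$2"; pass="${3:-changeit}"
    want=$(keytool -printcert -file "$pem" | awk -F': ' '/SHA256:/ { print $2; exit }')
    [ -n "$want" ] || return 1
    keytool -list -v -keystore "$store" -storepass "$pass" | grep -q "$want"
}

# openssl_check HOST PORT CA_PEM -> OpenSSL's verify result against a PEM
# bundle. This is the OpenSSL-side check; -CAfile takes the PEM directly,
# whereas -CApath wants a directory prepared with c_rehash.
openssl_check() {
    printf '' | openssl s_client -connect "$1:$2" -CAfile "$3" 2>/dev/null \
        | grep -i 'verify return code'
}

# Usage with the post's JDK 6 layout (placeholders: CUCM_IP, cucm.pem):
#   store=$(truststore_for_home /usr/lib/jvm/java-6-openjdk)
#   jvm_trusts "$store" cucm.pem && echo "JVM already trusts the CUCM cert"
#   openssl_check CUCM_IP 443 cucm.pem
```

If jvm_trusts fails while openssl_check reports "0 (ok)", the certificate is in the OS bundle but not in the JVM store the script runs under; the import has to go into that cacerts (or into the file named by -Djavax.net.ssl.trustStore), and the script's JVM has to be restarted afterwards.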