Enthusiast

Network connectivity fails


Deploying ver 1.3

Network connectivity fails with the following error:

sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException: Unable to find certification path to requested target

Do I still need a proxy even though we don't block outbound traffic from the appliance VLAN?


Accepted Solutions
Enthusiast

I was getting the same certificate error when using an Internet proxy:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

VMware Skyline support gave this info with example syntax:

(remember to change proxy IP/name and your cert files accordingly)

If the proxy uses a self-signed certificate:

Use this openssl command to pull and create it:

    echo -n | openssl s_client -connect myproxy.domain.local:8080 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myproxy.cert

Now import the cert into the cacerts Java keystore:

    keytool -importcert -file myproxy.cert -alias proxycert -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit

Restart the collector:

    systemctl restart ccf-collector

If the proxy uses an internally CA-signed cert:

Export the root and any intermediate CA certificates (https://technet.microsoft.com/en-us/library/dd261928.aspx)

Or use openssl to display the full chain, then create each cert file manually:

    openssl s_client -host proxy.domain.com -port 443 -prexit -showcerts

In any order, add the certs to the cacerts Java keystore. Use a different alias for each one:

    keytool -importcert -file root.cer -alias proxyroot -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit

Restart the collector:

    systemctl restart ccf-collector

Since our proxy is using an internal certificate, I imported each individual cert in the chain and restarted the collector. Once this was complete, I was able to successfully test connectivity and continue with the initial appliance configuration. Hopefully this info helps you!


4 Replies
Enthusiast

Hello,

Thank you for your post.

Please let me know if you are using any proxy at the moment. We might have to import the certificates manually if there is a proxy, or if there is any networking software that intercepts traffic and acts as a firewall/shaper, etc.

Please try the steps below and let me know if it helps.

In some cases, the Skyline VA is in an environment with an HTTPS proxy, and the proxy certificate might not be trusted by the VA (e.g. self-signed, or signed by the customer's CA that is not known to the VA).

In that case, you need to import the certificate(s) in the Java keystore.

The Java keystore is the /usr/java/jre-vmware/lib/security/cacerts file.

Download the proxy certificate (assuming your proxy host is myproxy.acme.org and the port is 8080):

echo -n | openssl s_client -connect myproxy.acme.org:8080 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myproxy.cert

Then import the certificate in the keystore:

keytool -importcert -file myproxy.cert -keystore /usr/java/jre-vmware/lib/security/cacerts -alias "myproxy"

When asked for a password, the default one for the Java keystore is "changeit". When asked if you trust the certificate, answer "yes". You may have to restart the collector:

systemctl restart ccf-collector

Make sure you import not only the proxy certificate but also any intermediate/issuer certificates from the certificate chain if the customer has their own CA that is not recognized by the standard root certificates shipped with Java.

Sometimes the command above that saves the certificate might not work well and won't be able to extract the certificate correctly. Also, that command will extract only the server certificate, not the whole certificate chain that you might also want to import. So, in order to work around that, here's the basic principle:

Part of the first command above is openssl s_client -connect myserver.com:443 which lists only the server certificate. You can try executing that command alone in a terminal and see its output. As you can see above, the output of that command is fed to sed to extract the text portion between

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----

(those sections are included) and saves that as a certificate file (PEM format). Now, you can use the same principle to extract the whole certificate chain. The following command will list the whole certificate chain:

openssl s_client -host myserver.com -port 443 -prexit -showcerts

It will include multiple PEM sections. However, it's a bit tricky to make sed extract those sections, so you'll have to do that manually: copy each separate certificate PEM between these two markers (do not forget to include them as well) and save them as separate files, then import each of them with the keytool command above. Certificate import order doesn't matter.

Sincerely,
Harish Venkatachalam
Skyline Support Moderator
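The reply above says that the individual certificates in the `-showcerts` output have to be copied out by hand, and the accepted solution walks through both the self-signed proxy case and the internal-CA chain case. The script below is an added example, not something from this thread or from VMware, that does the same job for either case: it splits the `openssl s_client -showcerts` output into one PEM file per certificate with awk, shows the subject, issuer and expiry of each file so you can confirm it really is your proxy or internal CA before the JVM starts trusting it, and then imports every file into the appliance keystore under its own alias. The keystore path and the `changeit` password are the ones given in the thread; the proxy host and port, the output directory, the alias prefix and the sample `s_client` output used for the offline demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: split the output of
# "openssl s_client -showcerts" into one PEM file per certificate, show what
# each one is, and import every file into the Skyline VA cacerts keystore
# under its own alias. Keystore path and password are those given in the
# thread; host, port, output directory and alias prefix are assumptions.

KEYSTORE=/usr/java/jre-vmware/lib/security/cacerts
STOREPASS=changeit

# split_pem_chain OUTDIR: read s_client output on stdin, write each
# -----BEGIN/END CERTIFICATE----- block to OUTDIR/cert-N.pem (handshake
# chatter between the blocks is dropped) and print the number of blocks.
split_pem_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    '
}

# fetch_chain HOST PORT OUTDIR: pull the whole chain the proxy presents.
# Without -showcerts only the leaf is captured (enough for the self-signed
# case in the accepted solution); with it, root and intermediates come too.
fetch_chain() {
    echo -n | openssl s_client -connect "$1:$2" -showcerts 2>/dev/null |
        split_pem_chain "$3"
}

# describe_chain OUTDIR: print subject, issuer and expiry of each file so you
# can confirm it is your proxy / internal CA before trusting it JVM-wide.
describe_chain() {
    for f in "$1"/cert-*.pem; do
        printf '== %s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
    done
}

# import_chain OUTDIR PREFIX: keytool -importcert for each file as alias
# PREFIX-N, skipping aliases already present (keytool fails on duplicates).
import_chain() {
    for f in "$1"/cert-*.pem; do
        n=${f##*/cert-}; n=${n%.pem}
        alias="$2-$n"
        if keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
                -alias "$alias" >/dev/null 2>&1; then
            echo "alias $alias already in keystore, skipping"
            continue
        fi
        keytool -importcert -noprompt -file "$f" -alias "$alias" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS"
    done
}

# sample_chain: constructed stand-in for s_client output (the PEM bodies are
# placeholders, not real certificates) so the splitter can be tried offline.
sample_chain() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Internal Issuing CA
verify return:1
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBodyNotRealAAAA
-----END CERTIFICATE-----
 1 s:CN = Example Internal Issuing CA
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuingCaBodyNotRealBBBB
-----END CERTIFICATE-----
---
SSL handshake has read 1234 bytes and written 456 bytes
EOF
}

# Offline demo of the splitter. The live flow on the appliance would be:
#   fetch_chain myproxy.domain.local 8080 /tmp/proxy-chain
#   describe_chain /tmp/proxy-chain      # check subject/issuer/expiry first
#   import_chain /tmp/proxy-chain proxy && systemctl restart ccf-collector
demo_dir=${TMPDIR:-/tmp}/skyline-chain-demo.$$
echo "sample chain split into $(sample_chain | split_pem_chain "$demo_dir") files under $demo_dir"
```

Running `describe_chain` before `import_chain` is the step worth keeping: anything added to `cacerts` is trusted by every HTTPS connection the collector makes, so the issuer of each file should be the internal CA you expect and nothing else. `keytool -importcert -noprompt` replaces the interactive "trust this certificate?" prompt from the thread, which is why the check has to happen before it runs.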
Enthusiast

We have a web filter that seems to be the one blocking it.

Enthusiast

Hello,

Thank you for your response. Please try disabling the web filter and start the deployment again.

Do let me know if you need any assistance.

Sincerely,
Harish Venkatachalam
Skyline Support Moderator