4 Replies Latest reply on Jul 31, 2018 12:23 PM by Mike_Gelhar

    Network connectivity fails

    erives Lurker

      Deploying ver 1.3

      Network connectivity fails with the following error:

      sun.security.validator.ValidatorException: PKIX path building failed:

      sun.security.provider.certpath.SunCertPathBuilderException: Unable to find certification path to requested target

      Do I still need a proxy even though we don't block outbound traffic from the appliance VLAN?

        • 1. Re: Network connectivity fails
          HarishV Hot Shot
          VMware Employees, Skyline Moderators (GS DP)

          Hello,

          Thank you for your post.

          Please let me know if you are using any proxy at the moment. We might have to import the certificates manually if there is a proxy or if there is any networking software that intercepts traffic and serves as a firewall/shaper, etc.

          Please try the steps below and let me know if it helps.

          In some cases, Skyline VA would be in an environment with an HTTPS proxy and the proxy certificate might not be trusted by the VA (e.g. self-signed, or signed by the customer's CA that's not known to the VA).

          In that case, you need to import the certificate(s) in the Java keystore.

          The Java keystore is the /usr/java/jre-vmware/lib/security/cacerts file.

          Download the proxy certificate (assuming your proxy host is myproxy.acme.org and the port is 8080):

          echo -n | openssl s_client -connect myproxy.acme.org:8080 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myproxy.cert

          Then import the certificate in the keystore:

          keytool -importcert -file myproxy.cert -keystore /usr/java/jre-vmware/lib/security/cacerts -alias "myproxy"

          When asked for a password, the default one for the Java keystore is "changeit". When asked if you trust the certificate, answer "yes". You may have to restart the collector:

          systemctl restart ccf-collector

           

           

          Make sure you import not only the proxy certificate but also any intermediate/issuer certificates from the certificate chain if the customer has their own CA that's not recognized by the standard root certificates shipped with Java.

          Sometimes the command above that saves the certificate might not work well and won't be able to extract the certificate correctly. Also, that command will extract only the server certificate but not the whole certificate chain that you might want to also import. So, in order to work around that, here's the basic principle:

          Part of the first command above is openssl s_client -connect myserver.com:443 which lists only the server certificate. You can try executing that command alone in a terminal and see its output. As you can see above, the output of that command is fed to sed to extract the text portion between

          -----BEGIN CERTIFICATE-----

          and

          -----END CERTIFICATE-----

          (those sections are included) and saves that as a certificate file (PEM format). Now, you can use the same principle to extract the whole certificate chain. The following command will list the whole certificate chain:

          openssl s_client -host myserver.com -port 443 -prexit -showcerts

          It will include multiple PEM sections. However, it's a bit tricky to make sed extract those sections, so you'll have to do that manually: copy each separate certificate PEM between these two sections (do not forget to include them as well) and save them as separate files, then import each of them with the keytool command above. Certificate import order doesn't matter.

          • 2. Re: Network connectivity fails
            erives Lurker

            We have a web filter that seems to be the one blocking it.

            • 3. Re: Network connectivity fails
              HarishV Hot Shot
              VMware Employees, Skyline Moderators (GS DP)

              Hello,

              Thank you for your response. Please try disabling the web filter and starting the deployment again.

              Do let me know if you need any assistance.

              • 4. Re: Network connectivity fails
                Mike_Gelhar Enthusiast

                I was getting the same certificate error when using an Internet proxy:

                sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

                VMware Skyline support gave this info with example syntax:

                (remember to change proxy IP/name and your cert files accordingly)

                If the proxy uses a self-signed certificate

                Use this openssl command to pull and create it:

                    echo -n | openssl s_client -connect myproxy.domain.local:8080 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myproxy.cert

                Now import the cert into the cacerts Java keystore

                    keytool -importcert -file myproxy.cert -alias proxycert -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit

                Restart the collector

                    systemctl restart ccf-collector

                If the proxy uses an internally CA-signed cert

                Export the root and any intermediate CA certificates (https://technet.microsoft.com/en-us/library/dd261928.aspx)

                   Or use openssl to display the full chain, then create each cert file manually:

                    openssl s_client -host proxy.domain.com -port 443 -prexit -showcerts

                In any order, add the certs to the cacerts Java keystore. Use a different alias for each one.

                    keytool -importcert -file root.cer -alias proxyroot -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit

                Restart the collector

                    systemctl restart ccf-collector

                Since our proxy is using an internal certificate, I imported each individual cert in the chain and restarted the collector. Once this was complete, I was able to successfully test connectivity and continue with the initial appliance configuration. Hopefully this info helps you!
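HarishV's reply 1 and Mike_Gelhar's reply 4 both end at the same step the thread calls tricky: splitting the -showcerts output into one PEM file per certificate by hand, then running keytool once per file with a different alias. The script below is an added example, not from the thread and not VMware's code, that does the split with awk and imports every file under its own alias. The keystore path and the ccf-collector service name are the ones given in the thread; the proxy host and port (myproxy.acme.org:8080), the output directory, the alias prefix and the sample s_client output are assumptions, and the sample's base64 bodies are constructed text, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: split `openssl s_client
# -showcerts` output into one PEM file per certificate and import each file
# into the Skyline VA's Java cacerts under its own alias. KEYSTORE and the
# ccf-collector service name come from the thread; the proxy host/port, the
# output directory, the alias prefix and the sample output are assumptions.
set -eu

KEYSTORE=/usr/java/jre-vmware/lib/security/cacerts
STOREPASS=changeit   # Java's default cacerts password, as the thread notes

# split_chain DIR
#   Reads s_client output on stdin and copies every
#   -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block (markers
#   included) to DIR/cert-NN.pem, NN = position in the chain (01 = the
#   certificate the proxy presented). Prints the number of files written.
split_chain() {
    dir=$1
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    '
}

# describe_chain DIR
#   Print subject, issuer and SHA-256 fingerprint of each extracted
#   certificate so the root can be compared with the value your PKI team
#   publishes before it is trusted. Needs real certificates, so it is not
#   run on the constructed sample below.
describe_chain() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    done
}

# import_chain DIR ALIAS_PREFIX
#   Import DIR/cert-NN.pem as ALIAS_PREFIX-NN. -noprompt answers the "trust
#   this certificate?" question for you, so run describe_chain first.
#   Aliases that already exist are skipped so the script can be re-run.
import_chain() {
    dir=$1; prefix=$2
    for f in "$dir"/cert-*.pem; do
        nn=${f##*/cert-}; nn=${nn%.pem}
        name="$prefix-$nn"
        if keytool -list -alias "$name" -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1; then
            echo "alias $name already in keystore, skipping $f"
            continue
        fi
        keytool -importcert -noprompt -file "$f" -alias "$name" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS"
    done
}

# sample_showcerts_output
#   Constructed stand-in for `openssl s_client -showcerts` output: a leaf
#   signed by an internal CA. The base64 bodies are NOT real certificates.
sample_showcerts_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = myproxy.acme.org
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDLEAFSAMPLELINE1
MIIBCONSTRUCTEDLEAFSAMPLELINE2
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDCASAMPLELINE1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = myproxy.acme.org
issuer=CN = Example Internal CA
---
DONE
EOF
}

# Offline demonstration on the constructed sample.
demo_dir=$(mktemp -d)
count=$(sample_showcerts_output | split_chain "$demo_dir")
echo "wrote $count certificate file(s) to $demo_dir:"
ls "$demo_dir"

# Against the real proxy the sequence is (host and port are assumptions):
#   openssl s_client -connect myproxy.acme.org:8080 -showcerts </dev/null 2>/dev/null | split_chain /tmp/proxychain
#   describe_chain /tmp/proxychain    # check the root's fingerprint out of band
#   import_chain /tmp/proxychain proxy
#   systemctl restart ccf-collector
```

The fingerprint step is the part worth not skipping: the PKIX error the VA raised is the Java trust store doing its job, and importing whatever the proxy presents turns "trust my proxy" into "trust whoever can sit on this path". Compare the root's SHA-256 fingerprint from describe_chain with the value your PKI team publishes before import_chain trusts it with -noprompt.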
