Deploying ver 1.3
Network connectivity fails with the following error:
sun.security.validator.ValidatorException:PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuildBuilderException: Unable to find certification path to requested target
Do I still need a proxy even though we don't block outbound traffic from the appliance VLAN?
I was getting the same certificate error when using an Internet proxy
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
VMware Skyline support gave this info with example syntax:
(remember to change proxy IP/name and your cert files accordingly)
If the proxy uses a self-signed certificate
Use this openssl command to pull and create it:
echo -n | openssl s_client -connect myproxy.domain.local:8080 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myproxy.cert
Now import the cert into the cacerts java keystore
keytool -importcert -file myproxy.cert -alias proxycert -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit
Restart the collector
systemctl restart ccf-collector
If the proxy uses an internally CA-signed cert
Export the root and any intermediate CA certificates (https://technet.microsoft.com/en-us/library/dd261928.aspx)
Or use openssl to display the full chain, then create each cert file manually:
openssl s_client -host proxy.domain.com -port 443 -prexit -showcerts
In any order, add the certs to the cacerts java keystore. Use a different alias for each one
keytool -importcert -file root.cer -alias proxyroot -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit
Restart the collector
systemctl restart ccf-collector
Since our proxy is using an internal certificate, I imported each individual cert in the chain and restarted the collector. Once this was complete, I was able to successfully test connectivity and continue with the initial appliance configuration. Hopefully this info helps you!
Hello,
Thank you for your post.
Please let me know if you are using any proxy at the moment. We might have to import the certificates manually if there is a proxy or if there are any networking software that intercepts and serves as firewall/shapers etc..
Please try the steps below and let me know if it helps.
In some cases, Skyline VA would be in an environment with HTTPS proxy and the proxy certificate might not be trusted by the VA (e.g. self-signed, or signed by customer's CA that's not known to the VA).
In that case, you need to import the certificate(s) in the Java keystore.
The Java keystore is the /usr/java/jre-vmware/lib/security/cacerts file
Download the proxy certificate (assuming your proxy host is myproxy.acme.org and the port is 8080):
echo -n | openssl s_client -connect myproxy.acme.org:8080 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myproxy.cert
Then import the certificate in the keystore:
keytool -importcert -file myproxy.cert -keystore /usr/java/jre-vmware/lib/security/cacerts -alias "myproxy"
When asked for a password, the default one for the Java keystore is "changeit". When asked if you trust the certificate, answer "yes". You may have to restart the collector:
systemctl restart ccf-collector
Make sure you import not only the proxy certificate but also any intermediate/issuer certificates from the certificate chain if the customer has their own CA that's not recognized by the standard root certificates shipped with Java.
Sometimes the command above that saves the certificate might not work well and won't be able to extract the certificate correctly. Also, that command will extract only the server certificate but not the whole certificate chain that you might want to also import. So, in order to work around that, here's the basic principle:
Part of the first command above is openssl s_client -connect myserver.com:443 which lists only the server certificate. You can try executing that command alone in a terminal and see its output. As you can see above, the output of that command is fed to sed to extract the text portion between
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
(those sections are included) and saves that as a certificate file (PEM format). Now, you can use the same principle to extract the whole certificate chain. The following command will list the whole certificate chain:
openssl s_client -host myserver.com -port 443 -prexit -showcerts
It will include multiple PEM sections. However it's a bit tricky to make sed extract those sections, so you'll have to do that manually: copy each separate certificate PEM between these two sections (do not forget to include them as well) and save them as separate files, then import each of them with the keytool command above. Certificate import order doesn't matter.
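The manual "copy each PEM section into its own file" step described in the reply above (and in the earlier post's "import each individual cert in the chain") can be scripted. This is an added example, not from the thread or from VMware; it assumes a POSIX shell with awk and keytool, an output directory of your choice, and aliases named proxychain-N. The sample bundle is constructed for the offline demo and is not a real certificate.

```shell
#!/bin/sh
# split_pem_chain OUTDIR: read a concatenated PEM stream on stdin (what
# `openssl s_client -showcerts` prints, surrounded by handshake chatter),
# write each certificate to OUTDIR/cert-N.pem, and print how many were found.
split_pem_chain() {
  outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    BEGIN { n = 0 }
    /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
    f { print > f }                              # copy lines inside a PEM block
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n }'
}

# import_chain DIR [KEYSTORE]: import every cert-N.pem in DIR into the Java
# keystore under a distinct alias (order does not matter, as the reply notes).
# Assumed keystore path and password are the ones given in this thread.
import_chain() {
  dir="$1"
  keystore="${2:-/usr/java/jre-vmware/lib/security/cacerts}"
  for f in "$dir"/cert-*.pem; do
    alias="proxychain-$(basename "$f" .pem | sed 's/^cert-//')"
    keytool -importcert -noprompt -file "$f" -alias "$alias" \
      -keystore "$keystore" -storepass changeit
  done
}

# demo_bundle: constructed two-certificate bundle with fake bodies, used only
# to exercise the splitter offline.
demo_bundle() {
  printf 'CONNECTED(00000003)\n'
  printf -- '-----BEGIN CERTIFICATE-----\nFAKEPROXYCERT\n-----END CERTIFICATE-----\n'
  printf 'depth=1 ...\n'
  printf -- '-----BEGIN CERTIFICATE-----\nFAKEROOTCERT\nLINE2\n-----END CERTIFICATE-----\n'
}

# Typical use on the appliance (not run here):
#   echo -n | openssl s_client -connect myproxy.acme.org:8080 -showcerts \
#     | split_pem_chain /tmp/proxychain
#   import_chain /tmp/proxychain && systemctl restart ccf-collector
```

Check the count printed by split_pem_chain against the chain length you see in the `-showcerts` output; a count of 1 means only the proxy's leaf certificate was returned and the issuer certificates must still be exported from the CA.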
We have a web filter that seems to be the one blocking it.
Hello,
Thank you for your response. Please try disabling the web filter and start the deployment again.
Do let me know if you need any assistance.