Using third-party certificate: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Hi, I'm making a bare metal oVirt installation, version 4.4.8. 'ovirt-engine' command ends well, however, we're using a third-party certificate (from LetsEncrypt) both for the apache server and the ovirt-websocket-proxy. So we changed configuration files regarding httpd and ovirt-websocket-proxy. Once changed the configurations, if I try to log in to the oVirt engine, I get a "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error. In prior versions we used to add the chain to the /etc/pki/ovirt-engine/.truststore file, however, simply listing the current certificates seems not to be working on 4.4.8. # LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -alias intermedia_le -storepass mypass keytool error: java.io.IOException: Invalid keystore format Is there something I'm missing here? Thank
Please, any help with this? El 29/9/21 a las 13:21, nicolas@devels.es escribió:
Hi,
I'm making a bare metal oVirt installation, version 4.4.8. 'ovirt-engine' command ends well, however, we're using a third-party certificate (from LetsEncrypt) both for the apache server and the ovirt-websocket-proxy. So we changed configuration files regarding httpd and ovirt-websocket-proxy.
Once changed the configurations, if I try to log in to the oVirt engine, I get a "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error.
In prior versions we used to add the chain to the /etc/pki/ovirt-engine/.truststore file, however, simply listing the current certificates seems not to be working on 4.4.8.
# LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -alias intermedia_le -storepass mypass keytool error: java.io.IOException: Invalid keystore format
Is there something I'm missing here?
Thank _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5VWVBQGIWJSPWV...
I have an engine with a similar issue. You might want to revert to the old self signed cert created by installation, and then follow the instructions at https://ovirt.org/documentation/administration_guide/index.html to try re-installing the third party cert after you're sure the original cert is working properly. My temp fix for this (didn't survive an engine VM reboot) was to cat the cert I was installing with its intermediate-root cert into a file named full.crt and then running a command as root like... keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file full.crt and then systemctl restart ovirt-engine #to pick up the change. Still trying to track down what's different on this one vs others that work. key size is larger cert has alternative name. On Thu, Sep 30, 2021 at 4:47 PM Nicolás <nicolas@devels.es> wrote:
Please, any help with this?
El 29/9/21 a las 13:21, nicolas@devels.es escribió:
Hi,
I'm making a bare metal oVirt installation, version 4.4.8. 'ovirt-engine' command ends well, however, we're using a third-party certificate (from LetsEncrypt) both for the apache server and the ovirt-websocket-proxy. So we changed configuration files regarding httpd and ovirt-websocket-proxy.
Once changed the configurations, if I try to log in to the oVirt engine, I get a "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error.
In prior versions we used to add the chain to the /etc/pki/ovirt-engine/.truststore file, however, simply listing the current certificates seems not to be working on 4.4.8.
# LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -alias intermedia_le -storepass mypass keytool error: java.io.IOException: Invalid keystore format
Is there something I'm missing here?
Thank _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5VWVBQGIWJSPWV... _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKYBE6TJZFMAXX...
Thanks, this put me in the correct track. In my case, I just needed to run step 2, as the rest of the configuration is being handled in a different way and works well. I also tried to restart the host and it still works. Thanks for the help! El 2021-10-01 00:13, Edward Berger escribió:
I have an engine with a similar issue. You might want to revert to the old self signed cert created by installation, and then follow the instructions at https://ovirt.org/documentation/administration_guide/index.html to try re-installing the third party cert after you're sure the original cert is working properly.
My temp fix for this (didn't survive an engine VM reboot) was to cat the cert I was installing with its intermediate-root cert into
a file named full.crt and then running a command as root like...
keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file full.crt and then systemctl restart ovirt-engine #to pick up the change.
Still trying to track down what's different on this one vs others that work.
key size is larger cert has alternative name.
On Thu, Sep 30, 2021 at 4:47 PM Nicolás <nicolas@devels.es> wrote:
Please, any help with this?
Hi,
I'm making a bare metal oVirt installation, version 4.4.8. 'ovirt-engine' command ends well, however, we're using a
El 29/9/21 a las 13:21, nicolas@devels.es escribió: third-party
certificate (from LetsEncrypt) both for the apache server and the ovirt-websocket-proxy. So we changed configuration files regarding
httpd and ovirt-websocket-proxy.
Once changed the configurations, if I try to log in to the oVirt engine, I get a "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error.
In prior versions we used to add the chain to the /etc/pki/ovirt-engine/.truststore file, however, simply listing the current certificates seems not to be working on 4.4.8.
# LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -alias intermedia_le -storepass mypass keytool error: java.io.IOException: Invalid keystore format
Is there something I'm missing here?
Thank _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5VWVBQGIWJSPWV...
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKYBE6TJZFMAXX...
participants (3)
-
Edward Berger -
nicolas@devels.es -
Nicolás