6:41 p.m.
This is a cryptographically signed message in MIME format.
--------------ms020800040402030301010200
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Hi,
after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login
into admin portal because
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
I am using custom 3rd party certificate
Any hints how to resolve this issue?
Thanks in advance,
Jiri Slezka
--------------ms020800040402030301010200
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
Cn8wggUJMIID8aADAgECAhACt8ndrdK9CetZxFyQDGB4MA0GCSqGSIb3DQEBCwUAMGUxCzAJ
BgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2Vy
dC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0xNDExMTgx
MjAwMDBaFw0yNDExMTgxMjAwMDBaMHIxCzAJBgNVBAYTAk5MMRYwFAYDVQQIEw1Ob29yZC1I
b2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xDzANBgNVBAoTBlRFUkVOQTEmMCQGA1UEAxMd
VEVSRU5BIGVTY2llbmNlIFBlcnNvbmFsIENBIDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCwp9Jj5Aej1xPkS1GV3LvBdemFmkUR//nSzBodqsU3dv2BCRD30r4gt5oRsYty
qDGF2nnItxV1SkwVoDxFeRzOIHYNYvBRHaiGvCQjEXzPRTocOSVfWpmq/zAL/QOEqpJogeM+
0IBGiJcAENJshl7UcfjYbBnN5qStk74f52VWFf/aiF7MVJnsUr3oriQvXYOzs8N/NXyyQyim
atBbumJVCNszF1X+XHCGfPNvxlNFW9ktv7azK0baminfLcsh6ubCdINZc+Nof2lU387NCDgg
oh3KsYVcZTSuhh7qp6MjxE5VqOZod1hpXXzDOkjK+DAMC57iZXssncp24eaN08VlAgMBAAGj
ggGmMIIBojASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjB5BggrBgEFBQcB
AQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBDBggrBgEFBQcw
AoY3aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENB
LmNydDCBgQYDVR0fBHoweDA6oDigNoY0aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lD
ZXJ0QXNzdXJlZElEUm9vdENBLmNybDA6oDigNoY0aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAdBgNVHQ4EFgQUjJ8RLubj
egSlHlWLRggEpu2XcKYwHwYDVR0jBBgwFoAUReuir/SSy4IxLVGLp6chnfNtyA8wDQYJKoZI
hvcNAQELBQADggEBAI5HEV91Oen8WHFCoJkeu2Av+b/kWTV2qH/YNI1Xsbou2hHKhh4IyNkF
OxA/TUiuK2qQnQ5hAS0TIrs9SJ1Ke+DjXd/cTBiw7lCYSW5hkzigFV+iSivninpItafWqYBS
WxITl1KHBS9YBskhEqO5GLliDMPiAgjqUBQ/H1qZMlZNQIuFu0UaFUQuZUpJFr4+0zpzPxsB
iWU2muAoGItwbaP55EYshM7+v/J+x6kIhAJt5Dng8fOmOvR9F6Vw2/E0EZ6oQ8g1fdhwM101
S1OI6J1tUil1r7ES/svNqVWVb7YkUEBcPo8ppfHnTI/uxsn2tslsWefsOGJxNYUUSMAb9Eow
ggVuMIIEVqADAgECAhAKebGg8bOvnIyfOWAn4bpzMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
BAYTAk5MMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xDzAN
BgNVBAoTBlRFUkVOQTEmMCQGA1UEAxMdVEVSRU5BIGVTY2llbmNlIFBlcnNvbmFsIENBIDMw
HhcNMTcxMTE2MDAwMDAwWhcNMTgxMjE1MTIwMDAwWjCBlDETMBEGCgmSJomT8ixkARkWA29y
ZzEWMBQGCgmSJomT8ixkARkWBnRlcmVuYTETMBEGCgmSJomT8ixkARkWA3RjczELMAkGA1UE
BhMCQ1oxJTAjBgNVBAoTHFNpbGVzaWFuIFVuaXZlcnNpdHkgaW4gT3BhdmExHDAaBgNVBAMT
E0ppcmkgU2xlemthIHNsZTAwMDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/
VwOD1hlYL6l7GzxNqV1ne7/iMF/gHvPfTwejsC2s9sby7It82qXPRBVA2s1Cjb1A3ucpdlDN
MXM83Lvh881XfkxhS2YLLyiZDmlSzAqfoMLxQ2/E0m1UugttzGJF7/10pEwj0FJFhnIVwA/E
8svCcbhxwO9BBpUz8JG1C6fTd0qyzJtNXVyH+WuHQbU2jgu2JJ7miiEKE1Fis0hFf1rKxTzX
aVGyXiQLOn7TZDfPtXrJEG7eWYlFUP58edyuJELpWHTPHn8xJKYTy8Qq5BgFNyCRQT/6imsh
tZlDBZSEeqyoSNtLsC57ZrjqgtLCEQFK9EX27dOy0/u95zS0OIWdAgMBAAGjggHbMIIB1zAf
BgNVHSMEGDAWgBSMnxEu5uN6BKUeVYtGCASm7ZdwpjAdBgNVHQ4EFgQUF1mSlcyDz9wWit9V
jCz+zJ9CrpswDAYDVR0TAQH/BAIwADAdBgNVHREEFjAUgRJqaXJpLnNsZXprYUBzbHUuY3ow
DgYDVR0PAQH/BAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDA0BgNVHSAE
LTArMAwGCiqGSIb3TAUCAgEwDAYKYIZIAYb9bAQfATANBgsqhkiG90wFAgMDAzCBhQYDVR0f
BH4wfDA8oDqgOIY2aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1RFUkVOQWVTY2llbmNlUGVy
c29uYWxDQTMuY3JsMDygOqA4hjZodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vVEVSRU5BZVNj
aWVuY2VQZXJzb25hbENBMy5jcmwwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6Ly9jYWNlcnRzLmRpZ2lj
ZXJ0LmNvbS9URVJFTkFlU2NpZW5jZVBlcnNvbmFsQ0EzLmNydDANBgkqhkiG9w0BAQsFAAOC
AQEADtFRxKphkcHVdWjR/+i1+cdHfkbicraHlU5Mpw8EX6nemKu4GGAWfzH+Y7p6ImZwUHWf
/SSbrX+57xaFUBOr3jktQm1GRmGUZESEmsUDB8UZXzdQC79/tO9MzRhvEBXuQhdxdoO64Efx
VqtYAB2ydqz7yWh56ioSwaQZEXo5rO1kZuAcmVz8Smd1r/Mur/h8Y+qbrsJng1GS25aMhFts
UV6z9zXuHFkT9Ck8SLdCEDzjzYNjXIDB5n+QOmPXnXrZMlGiI/aOqa5k5Sv6xCIPdH2kbpyd
M1YiH/ChmU9gWJvy0Jq42KGLvWBvuHEzcb3f473Fvn4GWsXu0zDS2oh2/TGCA8MwggO/AgEB
MIGGMHIxCzAJBgNVBAYTAk5MMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlB
bXN0ZXJkYW0xDzANBgNVBAoTBlRFUkVOQTEmMCQGA1UEAxMdVEVSRU5BIGVTY2llbmNlIFBl
cnNvbmFsIENBIDMCEAp5saDxs6+cjJ85YCfhunMwDQYJYIZIAWUDBAIBBQCgggINMBgGCSqG
SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE4MDUwNzE1NDEwM1owLwYJ
KoZIhvcNAQkEMSIEICVXkIyGY0Vn2bfo9/HNUIM1ozaasiIOr8tqAebw1DwvMGwGCSqGSIb3
DQEJDzFfMF0wCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG
9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgZcGCSsG
AQQBgjcQBDGBiTCBhjByMQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDES
MBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExJjAkBgNVBAMTHVRFUkVOQSBl
U2NpZW5jZSBQZXJzb25hbCBDQSAzAhAKebGg8bOvnIyfOWAn4bpzMIGZBgsqhkiG9w0BCRAC
CzGBiaCBhjByMQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UE
BxMJQW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExJjAkBgNVBAMTHVRFUkVOQSBlU2NpZW5j
ZSBQZXJzb25hbCBDQSAzAhAKebGg8bOvnIyfOWAn4bpzMA0GCSqGSIb3DQEBAQUABIIBAAlh
wZpUkIK/kEuHl6+ThVIcWni+413g80Z4nA2kizLn67bGYqLNPzkEXWT37geWbAgw3GZx7lHu
rmfqvxUZC3d3RIVubvLKQKZf/4N0PzMOxpdZlnYuWPpGydQ1FOv+jgJwxXcfnyJPuinBueuZ
nTI8aB/TnlrbsS6UgD1K7VmhJgr2q/ClXp41OgyVXiPi7v2nRa9eOmUnQ/MdhceDtjtH3h7y
SPBdKnz+CU8Ziu2dx9gB417x9khCvNaZHEFSdoniCWT6fypFRPODXxF/dGkUCZsMiK4W35k3
mKkfNhFdsFtJJTO4Daj1eP7zMbe+UNVb2E7GvoPlPSWhyWDX3z0AAAAAAAA=
--------------ms020800040402030301010200--
10:46 a.m.
New subject: sun.security.validator.ValidatorException after update to 4.2.3
Hi,
solution was obvious. Upgrade process modified apache's ssl.conf and
reverted my customization.
for example - my custom cert...
SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
...was replaced by this
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
the same for SSLCertificateKeyFile and SSLCACertificateFile
After reverting this changes everything works as usual but it makes me
unsure if I have my 3rd party certificate configured the right way...
Cheers,
Jiri
On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
Hi,
after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login
into admin portal because
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
I am using custom 3rd party certificate
Any hints how to resolve this issue?
Thanks in advance,
Jiri Slezka
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
7:11 p.m.
New subject: sun.security.validator.ValidatorException after update to 4.2.3
Adding Didi
Il mar 8 mag 2018, 10:32 Jiří Sléžka <jiri.slezka(a)slu.cz> ha scritto:
Hi,
solution was obvious. Upgrade process modified apache's ssl.conf and
reverted my customization.
for example - my custom cert...
SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
...was replaced by this
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
the same for SSLCertificateKeyFile and SSLCACertificateFile
After reverting this changes everything works as usual but it makes me
unsure if I have my 3rd party certificate configured the right way...
Cheers,
Jiri
On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
> Hi,
>
> after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login
> into admin portal because
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> I am using custom 3rd party certificate
>
> Any hints how to resolve this issue?
>
> Thanks in advance,
>
> Jiri Slezka
>
>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
10:10 a.m.
New subject: sun.security.validator.ValidatorException after update to 4.2.3
On Tue, May 8, 2018 at 7:11 PM, Sandro Bonazzola <sbonazzo(a)redhat.com> wrote:
Adding Didi
Il mar 8 mag 2018, 10:32 Jiří Sléžka <jiri.slezka(a)slu.cz> ha scritto:
>
> Hi,
>
> solution was obvious. Upgrade process modified apache's ssl.conf and
> reverted my customization.
>
> for example - my custom cert...
>
> SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
>
> ...was replaced by this
>
> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
>
> the same for SSLCertificateKeyFile and SSLCACertificateFile
Actually that was intended, see [1]. But I admit I didn't specifically
think about 3rd-party CAs, sorry.
You were notified about this by engine-setup, right?
"Apache httpd SSL was already configured in the past,
but some needed changes are missing there.
Configure again? (Automatic, Manual) [Automatic]:"
Please open a bug about this. Not sure exactly what the bug
should say - perhaps that on upgrade, engine-setup should only
touch specific values there, which do not include SSL*File,
perhaps show to the user what we are actually going to change,
perhaps default to 'No' - not sure about this - and change to
'Yes, No'.
[1] https://bugzilla.redhat.com/1558500
>
> After reverting this changes everything works as usual but it makes me
> unsure if I have my 3rd party certificate configured the right way...
You are welcome to review other changes we did and decide for yourself.
See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/
>
> Cheers,
>
> Jiri
>
>
> On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
> > Hi,
> >
> > after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login
> > into admin portal because
> >
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > find valid certification path to requested target
> >
> > I am using custom 3rd party certificate
> >
> > Any hints how to resolve this issue?
I am not sure this should have happened.
If engine-setup replaced all relevant SSL*File options, it should have
worked, and at most you should have received a pop-up in your browser.
Please also check/share engine-setup log from /var/log/ovirt-engine/setup
and the actual changes to ssl.conf.
Thanks!
Best regards,
> >
> > Thanks in advance,
> >
> > Jiri Slezka
> >
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
--
Didi
1:15 p.m.
New subject: sun.security.validator.ValidatorException after update to 4.2.3
On Wed, May 9, 2018 at 10:10 AM, Yedidyah Bar David <didi(a)redhat.com> wrote:
On Tue, May 8, 2018 at 7:11 PM, Sandro Bonazzola
<sbonazzo(a)redhat.com> wrote:
> Adding Didi
>
> Il mar 8 mag 2018, 10:32 Jiří Sléžka <jiri.slezka(a)slu.cz> ha scritto:
>>
>> Hi,
>>
>> solution was obvious. Upgrade process modified apache's ssl.conf and
>> reverted my customization.
>>
>> for example - my custom cert...
>>
>> SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
>>
>> ...was replaced by this
>>
>> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
>>
>> the same for SSLCertificateKeyFile and SSLCACertificateFile
Actually that was intended, see [1]. But I admit I didn't specifically
think about 3rd-party CAs, sorry.
You were notified about this by engine-setup, right?
"Apache httpd SSL was already configured in the past,
but some needed changes are missing there.
Configure again? (Automatic, Manual) [Automatic]:"
Please open a bug about this. Not sure exactly what the bug
should say - perhaps that on upgrade, engine-setup should only
touch specific values there, which do not include SSL*File,
perhaps show to the user what we are actually going to change,
perhaps default to 'No' - not sure about this - and change to
'Yes, No'.
Filed this for now:
https://bugzilla.redhat.com/show_bug.cgi?id=1576377
Feel free to comment there and/or add yourself to CC.
Thanks,
[1] https://bugzilla.redhat.com/1558500
>>
>> After reverting this changes everything works as usual but it makes me
>> unsure if I have my 3rd party certificate configured the right way...
You are welcome to review other changes we did and decide for yourself.
See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/
>>
>> Cheers,
>>
>> Jiri
>>
>>
>> On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
>> > Hi,
>> >
>> > after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login
>> > into admin portal because
>> >
>> > sun.security.validator.ValidatorException: PKIX path building failed:
>> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> > find valid certification path to requested target
>> >
>> > I am using custom 3rd party certificate
>> >
>> > Any hints how to resolve this issue?
I am not sure this should have happened.
If engine-setup replaced all relevant SSL*File options, it should have
worked, and at most you should have received a pop-up in your browser.
Please also check/share engine-setup log from /var/log/ovirt-engine/setup
and the actual changes to ssl.conf.
Thanks!
Best regards,
>> >
>> > Thanks in advance,
>> >
>> > Jiri Slezka
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users(a)ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
>> >
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
--
Didi
--
Didi
2390
days inactive
2392
days old
4 comments
3 participants
participants (3)
-
Jiří Sléžka -
Sandro Bonazzola -
Yedidyah Bar David