sun.security.validator.ValidatorException after update to 4.2.3

Hi,
after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login into admin portal because
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I am using custom 3rd party certificate
Any hints how to resolve this issue?
Thanks in advance,
Jiri Slezka

Hi,
solution was obvious. Upgrade process modified apache's ssl.conf and reverted my customization.
for example - my custom cert...
SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
...was replaced by this
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
the same for SSLCertificateKeyFile and SSLCACertificateFile
After reverting these changes everything works as usual but it makes me unsure if I have my 3rd party certificate configured the right way...
Cheers,
Jiri
On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
> Hi,
> after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login into admin portal because
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> I am using custom 3rd party certificate
> Any hints how to resolve this issue?
> Thanks in advance,
> Jiri Slezka
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Adding Didi
On Tue, 8 May 2018, 10:32 Jiří Sléžka <jiri.slezka@slu.cz> wrote:
> Hi,
> solution was obvious. Upgrade process modified apache's ssl.conf and reverted my customization.
> for example - my custom cert...
> SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
> ...was replaced by this
> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
> the same for SSLCertificateKeyFile and SSLCACertificateFile
> After reverting these changes everything works as usual but it makes me unsure if I have my 3rd party certificate configured the right way...
> Cheers,
> Jiri
> On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
>> Hi,
>> after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login into admin portal because
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> I am using custom 3rd party certificate
>> Any hints how to resolve this issue?
>> Thanks in advance,
>> Jiri Slezka
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org

On Tue, May 8, 2018 at 7:11 PM, Sandro Bonazzola <sbonazzo@redhat.com> wrote:
> Adding Didi
> On Tue, 8 May 2018, 10:32 Jiří Sléžka <jiri.slezka@slu.cz> wrote:
>> Hi,
>> solution was obvious. Upgrade process modified apache's ssl.conf and reverted my customization.
>> for example - my custom cert...
>> SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
>> ...was replaced by this
>> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
>> the same for SSLCertificateKeyFile and SSLCACertificateFile

Actually that was intended, see [1]. But I admit I didn't specifically think about 3rd-party CAs, sorry.
You were notified about this by engine-setup, right?
"Apache httpd SSL was already configured in the past, but some needed changes are missing there. Configure again? (Automatic, Manual) [Automatic]:"
Please open a bug about this. Not sure exactly what the bug should say - perhaps that on upgrade, engine-setup should only touch specific values there, which do not include SSL*File, perhaps show to the user what we are actually going to change, perhaps default to 'No' - not sure about this - and change to 'Yes, No'.
[1] https://bugzilla.redhat.com/1558500

>> After reverting these changes everything works as usual but it makes me unsure if I have my 3rd party certificate configured the right way...

You are welcome to review other changes we did and decide for yourself. See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/

>> Cheers,
>> Jiri
>> On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
>>> Hi,
>>> after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login into admin portal because
>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> I am using custom 3rd party certificate
>>> Any hints how to resolve this issue?

I am not sure this should have happened. If engine-setup replaced all relevant SSL*File options, it should have worked, and at most you should have received a pop-up in your browser. Please also check/share engine-setup log from /var/log/ovirt-engine/setup and the actual changes to ssl.conf.
Thanks!
Best regards,

>>> Thanks in advance,
>>> Jiri Slezka
-- Didi
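
One way to capture "the actual changes to ssl.conf" that this thread is about, as an added example that is not part of any message or of oVirt's own code: the shell functions below list the SSL*File directives that differ between two copies of Apache's ssl.conf, such as a backup taken before engine-setup and the file it leaves behind. The function names and the /placeholder/ paths are assumptions made for the example; the two certificate paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): show which SSL*File directives differ
# between two copies of Apache's ssl.conf, e.g. a pre-upgrade backup and the
# file left behind by engine-setup.

# Print "Directive path" for each active (uncommented) SSL*File directive.
ssl_file_directives() {
    awk '
        /^[ \t]*#/ { next }                  # ignore commented-out lines
        $1 ~ /^SSL[A-Za-z]*File$/ {
            path = $2
            gsub(/^"|"$/, "", path)          # drop optional surrounding quotes
            print $1, path
        }' "$1" | LC_ALL=C sort
}

# Print "Directive: old -> new" for every directive that changed;
# "(unset)" marks a directive present on one side only.
# Assumes each directive is set once per file (a single virtual host).
ssl_conf_drift() {
    old=$(mktemp) && new=$(mktemp) || return 2
    ssl_file_directives "$1" > "$old"
    ssl_file_directives "$2" > "$new"
    LC_ALL=C join -a 1 -a 2 -e '(unset)' -o 0,1.2,2.2 "$old" "$new" |
        awk '$2 != $3 { printf "%s: %s -> %s\n", $1, $2, $3 }'
    rm -f "$old" "$new"
}

# Constructed sample: the certificate paths are the ones quoted in the thread,
# the /placeholder/ paths are invented for this example.
demo_drift() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/ssl.conf.before" <<'EOF'
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
SSLCertificateKeyFile /placeholder/custom.key
#SSLCertificateChainFile /placeholder/unused-chain.crt
EOF
    cat > "$dir/ssl.conf.after" <<'EOF'
SSLEngine on
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
SSLCertificateKeyFile /placeholder/custom.key
SSLCACertificateFile /placeholder/engine-ca.pem
EOF
    ssl_conf_drift "$dir/ssl.conf.before" "$dir/ssl.conf.after"
    rm -rf "$dir"
}
demo_drift
```

On a real host, call `ssl_conf_drift` with the backup copy first and the live ssl.conf second; an empty result means no SSL*File directive was changed.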

On Wed, May 9, 2018 at 10:10 AM, Yedidyah Bar David <didi@redhat.com> wrote:
> On Tue, May 8, 2018 at 7:11 PM, Sandro Bonazzola <sbonazzo@redhat.com> wrote:
>> Adding Didi
>> On Tue, 8 May 2018, 10:32 Jiří Sléžka <jiri.slezka@slu.cz> wrote:
>>> Hi,
>>> solution was obvious. Upgrade process modified apache's ssl.conf and reverted my customization.
>>> for example - my custom cert...
>>> SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
>>> ...was replaced by this
>>> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
>>> the same for SSLCertificateKeyFile and SSLCACertificateFile
> Actually that was intended, see [1]. But I admit I didn't specifically think about 3rd-party CAs, sorry.
> You were notified about this by engine-setup, right?
> "Apache httpd SSL was already configured in the past, but some needed changes are missing there. Configure again? (Automatic, Manual) [Automatic]:"
> Please open a bug about this. Not sure exactly what the bug should say - perhaps that on upgrade, engine-setup should only touch specific values there, which do not include SSL*File, perhaps show to the user what we are actually going to change, perhaps default to 'No' - not sure about this - and change to 'Yes, No'.

Filed this for now: https://bugzilla.redhat.com/show_bug.cgi?id=1576377
Feel free to comment there and/or add yourself to CC.
Thanks,

> [1] https://bugzilla.redhat.com/1558500
>>> After reverting these changes everything works as usual but it makes me unsure if I have my 3rd party certificate configured the right way...
> You are welcome to review other changes we did and decide for yourself. See also:
> https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
> https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/
>>> Cheers,
>>> Jiri
>>> On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
>>>> Hi,
>>>> after upgrade ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot login into admin portal because
>>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>> I am using custom 3rd party certificate
>>>> Any hints how to resolve this issue?
> I am not sure this should have happened. If engine-setup replaced all relevant SSL*File options, it should have worked, and at most you should have received a pop-up in your browser. Please also check/share engine-setup log from /var/log/ovirt-engine/setup and the actual changes to ssl.conf.
> Thanks!
> Best regards,
>>>> Thanks in advance,
>>>> Jiri Slezka
> -- Didi
-- Didi
participants (3)
- Jiří Sléžka
- Sandro Bonazzola
- Yedidyah Bar David