Ovirt version 4.4.9.5-1.el8 getting error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hi All,
I have just installed an Ovirt host using all the default settings from the manual. I started with a CentOS 8 minimum install. Then I followed the Ovirt installation guide to install Ovirt version 4.4.9.5-1.el8.
Now I try to log on to the Administration portal and I get the following message:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
When searching the internet I get several answers, but all about using certificates from third parties. I don’t use third-party certificates. When I look in the OVIRT administration guide they only talk about third-party certificates.
So can anyone help to fix this error?

Looping in @Steve Goodman <sgoodman@redhat.com> from the doc team as feedback on the installation experience from a new user.
On Sat, Dec 18, 2021 at 23:41 <florianvanoudgaarden@gmail.com> wrote:
> Hi All,
> I just have installed a Ovirt host using all the default settings from the manual. I started with a CentOS 8 minimum install Then I followed the Ovirt installation guide to install Ovirt version 4.4.9.5-1.el8
Can you please provide links to the guide you followed?
> Now I try to log on to the Administration portal and I get the following message :
> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Did you run engine-setup? Or did you just start the service without setting up the engine?
> When searching the internet then I get several answers but all about using certificates from third-parties. I don’t use third-party certificates.
> When I look in the OVIRT administration guide they only talk about third party certificates So can anyone help to fix this error?
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA <https://www.redhat.com/>
sbonazzo@redhat.com <https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*

I followed this guide https://www.ovirt.org/documentation/installing_ovirt_as_a_standalone_manager...

Hi,
On Tue, Dec 21, 2021 at 8:00 PM <florianvanoudgaarden@gmail.com> wrote:
> I followed this guide https://www.ovirt.org/documentation/installing_ovirt_as_a_standalone_manager...
Did you change anything around https/certificates? Do you have anything non-standard about naming/name-resolution? Perhaps check/share /var/log/ovirt-engine/engine.log (can be via some paste bin or file sharing service)?
Best regards,
-- Didi

Thanks for the feedback, and I'm sorry that this problem arose. I'll pay attention to this thread, and if the installation guide requires some clarification, I'll make sure we take care of it.
On Tue, Dec 21, 2021, 18:55 Sandro Bonazzola <sbonazzo@redhat.com> wrote:
> Looping in @Steve Goodman <sgoodman@redhat.com> from the doc team as feedback on the installation experience from a new user.
> On Sat, Dec 18, 2021 at 23:41 <florianvanoudgaarden@gmail.com> wrote:
> > Hi All,
> > I just have installed a Ovirt host using all the default settings from the manual. I started with a CentOS 8 minimum install Then I followed the Ovirt installation guide to install Ovirt version 4.4.9.5-1.el8
> Can you please provide links to the guide you followed?
> > Now I try to log on to the Administration portal and I get the following message :
> > PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> Did you run engine-setup? Or did you just start the service without setting up the engine?
> > When searching the internet then I get several answers but all about using certificates from third-parties. I don’t use third-party certificates.
> > When I look in the OVIRT administration guide they only talk about third party certificates So can anyone help to fix this error?

> Thanks for the feedback, and I'm sorry that this problem arose. I'll pay attention to this thread, and if the installation guide requires some clarification, I'll make sure we take care of it.
> On Tue, Dec 21, 2021, 18:55 Sandro Bonazzola <sbonazzo(a)redhat.com> wrote:
Was looking at the engine.log file. After restarting the ovirt-engine.service I did a tail -f of the engine log. When logging in the log says :
2021-12-22 10:04:24,334+01 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Tasks] (default task-1) [] (house keeping) deleting failed logins prior to 2021-12-15 09:04:24Z.
2021-12-22 10:04:24,401+01 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Tasks] (default task-1) [] (house keeping) deleting failed logins prior to 2021-12-15 09:04:24Z.
2021-12-22 10:04:24,441+01 INFO [org.ovirt.engine.core.sso.service.AuthenticationService] (default task-1) [] User admin@internal-authz with profile [internal] successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2021-12-22 10:04:24,791+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-1) [] server_error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2021-12-22 10:08:32,749+01 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-100) [37356828] Lock Acquired to object 'EngineLock:{exclusiveLocks='[772a6439-b8eb-4fd0-9a87-42bf8dba90a8=PROVIDER]', sharedLocks=''}'
2021-12-22 10:08:32,767+01 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-100) [37356828] Running command: SyncNetworkProviderCommand internal: true.
2021-12-22 10:08:32,888+01 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-100) [37356828] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Connection refused (Connection refused) and code 5050)
2021-12-22 10:08:32,902+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-100) [37356828] EVENT_ID: PROVIDER_SYNCHRONIZED_FAILED(216), Failed to synchronize networks of Provider ovirt-provider-ovn.
2021-12-22 10:08:32,904+01 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-100) [37356828] Lock freed to object 'EngineLock:{exclusiveLocks='[772a6439-b8eb-4fd0-9a87-42bf8dba90a8=PROVIDER]', sharedLocks=''}'

On Wed, Dec 22, 2021 at 11:12 AM <florianvanoudgaarden@gmail.com> wrote:
> > Thanks for the feedback, and I'm sorry that this problem arose. I'll pay attention to this thread, and if the installation guide requires some clarification, I'll make sure we take care of it.
> > On Tue, Dec 21, 2021, 18:55 Sandro Bonazzola <sbonazzo(a)redhat.com> wrote:
> Was looking at the engine.log file. After restarting the ovirt-engine.service I did a tail -f of the engine log. When logging in the log says :
> 2021-12-22 10:04:24,334+01 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Tasks] (default task-1) [] (house keeping) deleting failed logins prior to 2021-12-15 09:04:24Z.
> 2021-12-22 10:04:24,401+01 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Tasks] (default task-1) [] (house keeping) deleting failed logins prior to 2021-12-15 09:04:24Z.
> 2021-12-22 10:04:24,441+01 INFO [org.ovirt.engine.core.sso.service.AuthenticationService] (default task-1) [] User admin@internal-authz with profile [internal] successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
> 2021-12-22 10:04:24,791+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-1) [] server_error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Did you change anything around https/certificates? Do you have anything non-standard about naming/name-resolution?
Best regards,
-- Didi

Not that I'm aware of. The only thing I saw was that the FQDN during the engine-setup was changed to a hostname from the company where I host the main website. I gave the FQDN during the minimal install, ovirthost01.<mydomain>.nl, and engine setup had changed it to <random>.<domainhosting-company>.nl. I changed it back to my given hostname at that point in the engine setup. But if this explains the error I get, then I will reinstall my server with an internal domain name that can't be found on the internet at all.

On Wed, Dec 22, 2021 at 4:23 PM <florianvanoudgaarden@gmail.com> wrote:
> Not that I'm aware of. The only thing I saw was that the FQDN during the engine-setup was changed to a hostname from the company where I host the main website. I gave the FQDN during the minimal install ovirthost01.<mydomain>.nl and engine setup had changed it to <random>.<domainhosting-company>.nl I changed it back to my given hostname at that point in the engine setup.
Sorry, I do not follow. Please provide more details. engine-setup asks you for the FQDN of the engine, and provides a default (which is normally the local machine's hostname). Was it at this point that you input something else? What do you mean in "setup had changed it"? And in "I changed it back"?
Generally speaking: If you want a name that's not the hostname of the machine, there is no problem with that. This name:
1. Should be resolvable, ideally in DNS (but /etc/hosts works as well)
2. The name resolution result IP address should be reverse-resolvable (either a PTR record or /etc/hosts) to the name you input
3. The result IP address should be attached to a nic of the local machine, and allow connections to it
> But if this explains the error I get, then I will reinstall my server with an internal domain name that can't be found on the internet at all.
It might explain it, indeed. Being on the Internet or not is irrelevant here, in general.
Best regards,
-- Didi
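
The three conditions listed in the reply above (forward resolution, matching reverse resolution, address on a local interface) can be checked from the engine machine itself rather than from a client. This is an added example, not part of the original thread and not engine-setup's own code; the function name `check_engine_fqdn` and the bind-based locality test are assumptions made here.

```python
import socket

def _forward(name):
    # System resolver (/etc/hosts and DNS, per nsswitch); returns IPv4 addresses.
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def _reverse(ip):
    # Reverse lookup (PTR record or /etc/hosts); primary name plus aliases.
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:
        return []

def _is_local(ip):
    # bind() succeeds only for an address configured on a local interface
    # (assumes the Linux default net.ipv4.ip_nonlocal_bind=0).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError:
            return False

def check_engine_fqdn(fqdn, forward=_forward, reverse=_reverse, is_local=_is_local):
    """Return a list of problems; an empty list means all three conditions hold."""
    want = fqdn.rstrip(".").lower()
    addrs = forward(fqdn)
    if not addrs:  # condition 1: the name must resolve on this machine
        return [f"{fqdn}: not resolvable here (no DNS record or /etc/hosts entry)"]
    problems = []
    for ip in addrs:
        names = [n.rstrip(".").lower() for n in reverse(ip)]
        if want not in names:  # condition 2: reverse lookup returns the same name
            problems.append(f"{ip}: reverse lookup gives {names or 'nothing'}, not {fqdn}")
        if not is_local(ip):  # condition 3: address belongs to a local NIC
            problems.append(f"{ip}: not attached to a local interface")
    return problems

if __name__ == "__main__":
    import sys
    # Defaults to this machine's own FQDN when no name is given.
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    for line in check_engine_fqdn(name) or ["all three checks passed"]:
        print(line)
```

Run it on the engine machine with the FQDN that was given to engine-setup; the resolver callables can be replaced with lookup tables to test a planned /etc/hosts layout before installing.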

Hi Didi,
You were correct, I don't have a DNS server running here, and I forgot the entry in the local hosts file on the server running Ovirt. I changed the hosts file on my laptop, so that's why I didn't realize the entry was missing in the local hosts file on the ovirt host. Now I'm in the Ovirt web gui and going to bang my head against a wall for forgetting about the local hosts file. :p It was mentioned in the installation guide, so I made a screw-up here. My apologies for wasting time here.
Florian

On Wed, Dec 22, 2021 at 6:02 PM <florianvanoudgaarden@gmail.com> wrote:
> Hi Didi,
> You were correct, I don't have a DNS server running here. and I forgot the entry in the local hosts file on the server running Ovirt. I changed the hosts file on my laptop, so that's why I didn't realize the entry was missing in the local hosts file on the ovirt host Now I'm in the Ovirt web gui And going to bang my head against a wall for forgetting about the local hosts file. :p It was mentioned in the installation guide, so I made a screw-up here. My apologies for wasting time here.
Thanks for the report! :-) I'd still consider it a bug, though. Can you perhaps check the setup log (in /var/log/ovirt-engine/setup) to see exactly what happened? If the FQDN you input was not resolvable at all on the engine machine, I think engine-setup should have prevented you from continuing. If it resolves to a wrong address, that's a different issue - IIRC we do not check for this currently, not sure.
Best regards,
-- Didi
participants (4)
- florianvanoudgaarden@gmail.com
- Sandro Bonazzola
- Steve Goodman
- Yedidyah Bar David