This error almost always occurs due to the server certificate not being
available on the trust store of the client.

If this error appears on the Publisher logs, that means the publisher is
the client and it is trying to connect to a server. According to the error
logs it tries to connect to the server located at
<PolicyDeployer><ServiceURL> in the api-manager.xml. If the certificate of
that server isn't available on the trust store of the publisher, this error
can occur. You will need to list the certs in the trust store and check if
the relevant cert is properly imported to it.

Thanks,
NuwanD.

On Wed, Jul 27, 2016 at 4:06 PM, Kavitha Subramaniyam <kavi...@wso2.com>
wrote:

> Hi apim team,
>
> I'm getting a certification issue [1] in cluster nodes (every node:
> publisher, store, gateway) which are configured with the APIM2.0.0RC4 pack. I have
> imported all relevant certs to the keystore properly as per the steps below:
> - Created certs in nginx and copied to /etc/nginx/ssl
> - Updated relevant conf in /etc/nginx/conf.d
> - Copied those certs in to each node respectively
> /repository/resources/security
> - Imported certs to client-truststore.jks using below command
>
> keytool -import -alias apimpublisher -file apimpublisher.crt -keystore
> client-truststore.jks
>
>
> Cluster details: clustered following the doc [2]
> 1 Publisher, 2 Store, 2 gateway workers and 2 IS keymanager nodes fronted
> by nginx
>
>
> Further, I also tried this: added the certificate for apim to the keystore of
> the Java in use, as below, and checked it; *but the issue is still there*.
> keytool -export -alias wso2carbon -keystore
> <APIM_HOME>/repository/resources/security/wso2carbon.jks -storepass
> wso2carbon -file mycert.pem
> keytool -import -trustcacerts -file mycert.pem -alias wso2carbon -keystore
> $JAVA_HOME/jre/lib/security/cacerts
>
>
> Observed below Warn and Error on server startup. Please see the attached
> log from publisher node (server startup with -Djavax.net.debug=all)
>
> Could you please have a look into this and give your feedback?
>
> [1]
>
> TID: [-1] [] [2016-07-27 10:14:50,813]  WARN
> {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} -
>  Failed retrieving throttling data from remote endpoint:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target. Retrying after 15 seconds...
> {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
> TID: [-1] [] [2016-07-27 10:15:05,854] ERROR
> {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} -
>  Exception when retrieving throttling data from remote endpoint
>  {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
> at
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:178)
> at
> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
> at
> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
> at
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
> at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
> at
> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
> at
> org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.retrieveKeyTemplateData(KeyTemplateRetriever.java:83)
> at
> org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.loadKeyTemplatesFromWebService(KeyTemplateRetriever.java:111)
> at
> org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.run(KeyTemplateRetriever.java:54)
> at java.util.TimerThread.mainLoop(Timer.java:555)
> at java.util.TimerThread.run(Timer.java:505)
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
> ... 23 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> ... 29 more
>
>
>
> [2] https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
>
> --
> Kavitha.S
> *Software Engineer -QA*
> Mobile : +94 (0) 771538811
> kavi...@wso2.com
>



-- 
Nuwan Dias

Software Architect - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
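
One way to carry out the check the reply recommends (list the trust store and confirm the certificate the server presents is in it), as an added example that is not part of the original thread. The sample `keytool -list` output and the fingerprints are constructed, and `<nginx-host>` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the certificate a TLS endpoint
# presents with the fingerprints that `keytool -list` reports for a trust store.
# Matching the leaf fits a self-signed server cert; for a CA-issued cert the
# issuing CA has to be in the store instead.

# Strip any "SHA1 Fingerprint=" label and the colons, then uppercase.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# stdin: `keytool -list` output; $1: fingerprint to look for.
# Prints the alias of each matching entry; exit status 1 if none matches.
find_alias_by_fp() {
    want=$(norm_fp "$1")
    awk -v want="$want" '
        /(trustedCertEntry|PrivateKeyEntry)/ { split($0, f, ","); name = f[1] }
        /[Ff]ingerprint/ {
            fp = $0; sub(/^.*\): */, "", fp); gsub(/[: ]/, "", fp)
            if (toupper(fp) == want) { print name; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# Leaf certificate fingerprint served at host $1, port $2 (needs network).
# $3 is the digest: JDK 8 keytool prints SHA1, JDK 9 and later print SHA-256.
server_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -"${3:-sha1}"
}

# Constructed sample of `keytool -list -keystore client-truststore.jks` output.
SAMPLE_LIST='Your keystore contains 2 entries

wso2carbon, Jul 27, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
apimpublisher, Jul 27, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4'

# Constructed stand-in for: served=$(server_fp <nginx-host> 443)
served='SHA1 Fingerprint=a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:a1:b2:c3:d4'

if hit=$(printf '%s\n' "$SAMPLE_LIST" | find_alias_by_fp "$served"); then
    echo "served certificate is trusted under alias: $hit"
else
    echo "served certificate is NOT in the trust store"
fi
```

Against a live node, pipe the real `keytool -list -keystore client-truststore.jks` output into `find_alias_by_fp` with the value returned by `server_fp`; a miss means the store holds a different certificate from the one the endpoint actually serves.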
