This error almost always occurs due to the server certificate not being available on the trust store of the client.
If this error appears on the Publisher logs, that means the publisher is the client and it is trying to connect to a server. According to the error logs it tries to connect to the server located at <PolicyDeployer><ServiceURL> in the api-manager.xml. If the certificate of that server isn't available on the trust store of the publisher, this error can occur.

You will need to list the certs in the trust store and check if the relevant cert is properly imported to it.

Thanks,
NuwanD.

On Wed, Jul 27, 2016 at 4:06 PM, Kavitha Subramaniyam <kavi...@wso2.com> wrote:

> Hi apim team,
>
> I'm getting a certification issue [1] in cluster nodes (every node:
> publisher, store, gateway) which are configured with APIM2.0.0RC4 pack. I have
> imported all relevant certs to keystore properly as per below steps:
> - Created certs in nginx and copied to /etc/nginx/ssl
> - Updated relevant conf in /etc/nginx/conf.d
> - Copied those certs into each node respectively
> /repository/resources/security
> - Imported certs to client-truststore.jks using below command
>
>   keytool -import -alias apimpublisher -file apimpublisher.crt -keystore client-truststore.jks
>
> Cluster details: clustered following the doc [2]
> 1 Publisher, 2 Store, 2 gateway workers and 2 IS keymanager nodes fronted
> by nginx
>
> Further I tried this also: added certificate for apim to the keystore of
> used java as below and checked it; *but the issue is still there*.
>
>   keytool -export -alias wso2carbon -keystore <APIM_HOME>/repository/resources/security/wso2carbon.jks -storepass wso2carbon -file mycert.pem
>   keytool -import -trustcacerts -file mycert.pem -alias wso2carbon -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> Observed below Warn and Error on server startup. Please see the attached
> log from publisher node (server startup with -Djavax.net.debug=all)
>
> Could you please have a look into this and give your feedback?
>
> [1]
>
> TID: [-1] [] [2016-07-27 10:14:50,813] WARN {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} - Failed retrieving throttling data from remote endpoint: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Retrying after 15 seconds... {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
> TID: [-1] [] [2016-07-27 10:15:05,854] ERROR {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} - Exception when retrieving throttling data from remote endpoint {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:178)
>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
>     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
>     at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.retrieveKeyTemplateData(KeyTemplateRetriever.java:83)
>     at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.loadKeyTemplatesFromWebService(KeyTemplateRetriever.java:111)
>     at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.run(KeyTemplateRetriever.java:54)
>     at java.util.TimerThread.mainLoop(Timer.java:555)
>     at java.util.TimerThread.run(Timer.java:505)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
>     ... 23 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>     ... 29 more
>
> [2] https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
>
> --
> Kavitha.S
> *Software Engineer -QA*
> Mobile : +94 (0) 771538811
> kavi...@wso2.com <thili...@wso2.com>

--
Nuwan Dias
Software Architect - WSO2, Inc.
http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729
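
The check suggested in the reply above (list the trust store and confirm that the certificate of the server being connected to is in it), written out as an added example that is not part of the original thread. It compares the SHA-256 fingerprint of the leaf certificate a server presents with the entries reported by `keytool -list -v`; the function names and the sample listing are constructed here. An exact match is the right test for a self-signed server certificate, while a CA-issued certificate is trusted through its issuer's entry instead.

```shell
#!/bin/sh
# Added example: is the certificate a server presents stored in a Java trust store?

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Read `keytool -list -v` output on stdin; print "alias<TAB>SHA256" per certificate.
list_entries() {
  awk '/^Alias name:/   { sub(/^Alias name:[ \t]*/, ""); name = $0 }
       /^[ \t]*SHA256:/ { gsub(/[ \t:]/, ""); sub(/^SHA256/, "")
                          print name "\t" toupper($0) }'
}

# Print the alias whose SHA-256 fingerprint equals $1; status 1 if none does.
find_alias() {
  list_entries | awk -F '\t' -v want="$(norm_fp "$1")" \
    '($2 "") == (want "") { print $1; hit = 1 } END { exit !hit }'  # "" forces string compare
}

# SHA-256 fingerprint of the leaf certificate presented at HOST:PORT.
server_fp() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_trust HOST:PORT TRUSTSTORE STOREPASS
check_trust() {
  fp=$(server_fp "$1")
  [ -n "$fp" ] || { echo "no certificate received from $1" >&2; return 2; }
  if entry=$(keytool -list -v -keystore "$2" -storepass "$3" | find_alias "$fp"); then
    echo "OK: $1 presents the certificate stored under alias '$entry'"
  else
    echo "MISSING: $1 presents SHA256 $fp, which is not in $2"; return 1
  fi
}

# Constructed sample of `keytool -list -v` output; the fingerprints are made up.
sample_listing() {
  cat <<'EOF'
Alias name: apimpublisher
Certificate fingerprints:
         SHA256: A1:B2:C3:D4:E5:F6:07:18:A1:B2:C3:D4:E5:F6:07:18:A1:B2:C3:D4:E5:F6:07:18:A1:B2:C3:D4:E5:F6:07:18
Alias name: wso2carbon
Certificate fingerprints:
         SHA256: 0F:1E:2D:3C:4B:5A:69:78:0F:1E:2D:3C:4B:5A:69:78:0F:1E:2D:3C:4B:5A:69:78:0F:1E:2D:3C:4B:5A:69:78
EOF
}

if [ "$#" -eq 3 ]; then check_trust "$@"; fi
```

Run it on the node that logs the error, against the host and port from the ServiceURL and that node's client-truststore.jks, so the comparison uses the certificate nginx actually serves rather than the file that was imported.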