[ https://issues.apache.org/jira/browse/CLOUDSTACK-1475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14537734#comment-14537734 ]
Kees commented on CLOUDSTACK-1475: ---------------------------------- On the storage SSVM java is started with a custom truststore: ./certs/realhostip.keystore: ps -ef | grep java root 5208 4998 7 08:04 pts/0 00:01:06 java -Djavax.net.ssl.trustStore=./certs/realhostip.keystore etc etc This truststore contains only a few certificates (probably the ones used for my replacement of the realhostip-service for the console SSVM). Problem is that any uploads to S3-secondary storage (via https) fail because the common CA-certs are not available. Message in /var/log/cloud.log: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Solutions could be: 1) Remove the Djavax.net.ssl.trustStore option (it may not be necessary) 2) Include common CA-certs in realhostip.keystore: keytool -importkeystore -noprompt -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore Option 2 can be used as a work-around (but fresh SSVM's will fail) > RegisterISO error after Update SSL Certificate > ---------------------------------------------- > > Key: CLOUDSTACK-1475 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1475 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Affects Versions: 4.0.1, 4.1.0 > Reporter: Wei Zhou > Assignee: Wei Zhou > Fix For: 4.1.1, 4.2.0 > > > After updating SSL Certificate, and restart cloud-management service. > whentry to registerISO from the url which is shown in "downloadISO", it will > fail with the error message "sun.security.validator.ValidatorException: PKIX > path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target". > Another problem is that, the url of DownloadISO always(!) be > **-**-**-**.realhostip.com -- This message was sent by Atlassian JIRA (v6.3.4#6332)