[jira] [Commented] (CLOUDSTACK-1475) RegisterISO error after Update SSL Certificate

Mon, 11 May 2015 01:57:38 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-1475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14537734#comment-14537734
 ] 

Kees commented on CLOUDSTACK-1475:
----------------------------------

On the storage SSVM java is started with a custom truststore: 
./certs/realhostip.keystore:
ps -ef | grep java
root      5208  4998  7 08:04 pts/0    00:01:06 java 
-Djavax.net.ssl.trustStore=./certs/realhostip.keystore etc etc

This truststore contains only a few certificates (probably the ones used for my 
replacement of the realhostip-service for the console SSVM).
Problem is that any uploads to S3-secondary storage (via https) fail because 
the common CA-certs are not available. 

Message in /var/log/cloud.log:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

Solutions could be:
1) Remove the Djavax.net.ssl.trustStore option (it may not be necessary)
2) Include common CA-certs in realhostip.keystore:
keytool -importkeystore -noprompt -srckeystore /etc/ssl/certs/java/cacerts 
-destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore

Option 2 can be used as a work-around (but fresh SSVM's will fail)


> RegisterISO error after Update SSL Certificate
> ----------------------------------------------
>
>                 Key: CLOUDSTACK-1475
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1475
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.0.1, 4.1.0
>            Reporter: Wei Zhou
>            Assignee: Wei Zhou
>             Fix For: 4.1.1, 4.2.0
>
>
> After updating SSL Certificate, and restart cloud-management service.
> whentry to registerISO from the url which is shown in "downloadISO", it will 
> fail with the error message "sun.security.validator.ValidatorException: PKIX 
> path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target".
> Another problem is that, the url of DownloadISO always(!) be 
> **-**-**-**.realhostip.com



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to