Hi Neethiraj,

Following is the output of the above command. Sorry, I have changed the domain name to example.com now.

CONNECTED(00000003)
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
-----BEGIN CERTIFICATE-----
MIIDyTCCArGgAwIBAgIJALD35nndyVZ2MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
BAYTAlBLMQ8wDQYDVQQIDAZQdW5qYWIxFDASBgNVBAoMC3BsYXRhbHl0aWNzMREw
DwYDVQQLDAhwbGF0Zm9ybTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUxMDA2
MTkzNzEwWhcNMTYxMDA1MTkzNzEwWjBuMQswCQYDVQQGEwJQSzEPMA0GA1UECAwG
UHVuamFiMQ8wDQYDVQQHDAZsYWhvcmUxFDASBgNVBAoMC3BsYXRhbHl0aWNzMREw
DwYDVQQLDAhwbGF0Zm9ybTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbQggCnHerlgpmKIH4SZ2IsIGl7X8GTovV
Xtg0jcnPZa0xtMKo9EfR61HZK+Gfyv0d05WAfN7uy8vfEIWLUX8rAGJWG2j3GIUO
EnZg3oi65SUSyVDWKvVCSR+5qjkYZ7/Uf/trOkB35MtPnMzakZzjE1Q42DUKICFj
popIITLDzCMrtK3fcVHGEfv2AHhhAxS3psKrWOYkbjU3aYdHs8v32I0FUGt5Jg7S
hmBH0HsSb4HUbTh1Pqk1RFcSr8kRQoT1+LHZ19w9/J3D17nyLtOh7svpxDuVXeCE
NP25fN91PcKvrzWvMSXwWtzP4lc5cs+o1qKTBSovOyCQkTL6IOwrAgMBAAGjezB5
MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
cnRpZmljYXRlMB0GA1UdDgQWBBQrGnLQImKdyGR5Z+jN3Bb246uiUDAfBgNVHSME
GDAWgBS+EGZa4kNXhG4Hw/igdmJYd1zLPTANBgkqhkiG9w0BAQsFAAOCAQEAy9DL
ng/ZTXixzJYL0qPdglNE8AcD5N77noxFSNtBefFXk3ZdWa7uCndoOac6EoOoQKVt
nVp3d/ZScEu1UmbBlNi2lIpM4V2lADTtwhU07fSm98Cjs6a1T2mEsr5vkxOX4k6K
XN/zESQ0sn5+HuxONEcOKcvgZpttRElelZrban0BvX4StQcfG6g/EkS9R5DmmrzI
R9yBagkp0Pj1euggt30nCOnCK19sHQIgOo7ZiY3XYwX83zdnLZv/rn94BsXOfqCH
CE7wZRaiEznh2WuCeWQD5A9B9ADDplQYZsoqfFbIvJHaeh0Ada/HJNSPh3T98leK
bA+MDpEjs64kRdaC2w==
-----END CERTIFICATE-----
 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
-----BEGIN CERTIFICATE-----
MIIDwzCCAqugAwIBAgIJALD35nndyVZ1MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
BAYTAlBLMQ8wDQYDVQQIDAZQdW5qYWIxFDASBgNVBAoMC3BsYXRhbHl0aWNzMREw
DwYDVQQLDAhwbGF0Zm9ybTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUxMDA2
MTkzMTEwWhcNMTgxMDA1MTkzMTEwWjBdMQswCQYDVQQGEwJQSzEPMA0GA1UECAwG
UHVuamFiMRQwEgYDVQQKDAtwbGF0YWx5dGljczERMA8GA1UECwwIcGxhdGZvcm0x
FDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA0v/DuFdb+V4fpbPYnJpAzvca6DQaPJPdiEtkTcu/t8qKoiH5W8Pj6F95
nUhr/7oyGSnaZSZAGeYYzRfs4C/G3Fo+ZPw5Tm/5KGWLZG/SDDWMjwgOdPfvfTwb
P6nBOdlnW3OP7fOnKmvUJtml/N5IhNn20Sn0aHFFIRR5Apy1NcE/0poOw95bI6zl
Iiethqvng1P9uPWjViFV5MXRShn3IVlY02bj8ECap4ZvP9YSLPh80KiTxhB8oQ7r
QvMJkRpDaaqP8EmjvOgb3GE+VdL4wfsl23FDpTqRA+NSVJ6cLBFdzHQlUKQqtPzl
FanpWhjiigyaUGk1OEprTC2UTEp03QIDAQABo4GFMIGCMCUGA1UdEQQeMByCFGFu
ZWVsYS1MZW5vdm8tRzUwLTcwhwR6gU9FMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQU
vhBmWuJDV4RuB8P4oHZiWHdcyz0wHwYDVR0jBBgwFoAUvhBmWuJDV4RuB8P4oHZi
WHdcyz0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA+IBVHeJqjrk
3OqBGtxvW1HI3bFtaZKuXV/wNHzIrEbjvS2ezZTbBmzLvl0KjvWoF7m7Z6XjfYH3
kVL4/xqpeu2qk586ruTR8cXOXF9/IMdLnU287LvpGr5KXGmIwgjEDOxNYEnVIewO
uUiyY72a81VwXv7vFjFB8M5khM+60wQ/isLZJq4O0+C+xqKlXQvH28Ey6vq7WK91
chsY7jcmT+q/+CcgXxtc9+pjpZR35wsf/0jrNsH190w0YBzUWZIPHQx3ELg7GBQ1
iAlG0RkcWgrppSioekkEgC/gQbSBahWNVlaHTYNwCMjH7NyCDKa1d2+iby/b7k5G
L1ndgIax4Q==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
No client certificate CA names sent
---
SSL handshake has read 2368 bytes and written 663 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID: 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
    Session-ID-ctx:
    Master-Key: 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1444161895
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj <sneethi...@hortonworks.com> wrote:
> Aneela:
>
> To verify the certificate (chain), can you run the following command and send us the output of the command?
>
> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>
> Thanks,
> Selva-
>
> From: Aneela Saleem <ane...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Date: Monday, October 5, 2015 at 1:16 PM
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> No, there are no intermediate certificates. No, I'm not using the same trust store for performing ldapsearch. I'm using the *TLS_CACERT /etc/ldap/cacert.pem* option in the ldap.conf file.
>
> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <spolavar...@hortonworks.com> wrote:
>
>> Are there any intermediate certs? If so, are they also added to the trust store?
>> And just to make sure, in the ldap configuration, are you using the same trust store for performing ldapsearch?
>>
>> From: Aneela Saleem
>> Reply-To: "user@ranger.incubator.apache.org"
>> Date: Sunday, October 4, 2015 at 10:15 AM
>> To: "user@ranger.incubator.apache.org"
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> Is there any issue with the Java keystore?
>>
>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com> wrote:
>>
>>> Yes, the following command works fine:
>>>
>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>>>
>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>
>>>> It is surprising that it will just stop working. Are you able to do ldapsearch from the command line? Just to make sure there is nothing wrong on the OpenLDAP side?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>> To: <user@ranger.incubator.apache.org>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>> I also checked it on another machine. The same issue is there.
>>>>
>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>
>>>>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still the same issue.
>>>>>
>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>>>>>
>>>>>> Aneela,
>>>>>> Please check whether the certificate has expired.
>>>>>> Dilli
>>>>>>
>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>>>>
>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Bosco
>>>>>>>
>>>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>> To: <user@ranger.incubator.apache.org>
>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>>
>>>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>>>
>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I followed all the following steps, i.e.,
>>>>>>>>
>>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>
>>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>>
>>>>>>>> Add java option
>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>> To
>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>>
>>>>>>>> Where it invokes the java command like the following
>>>>>>>>
>>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>>>
>>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate validation issues. Following are the logs:
>>>>>>>>
>>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details: javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>>     ... 14 more
>>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>>     ... 27 more
>>>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>>     ... 33 more
>>>>>>>>
>>>>>>>> And following is the output of the nohup command:
>>>>>>>>
>>>>>>>> Host key verification failed.
>>>>>>>>
>>>>>>>> Can someone please help me figure out the issue?
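Editor's added diagnostic, not part of the thread and not Ranger or OpenSSL code. The openssl output above reports verify errors 20, 27 and 21, all at depth=0, which is how OpenSSL signals that it found no usable issuer for the leaf even though the server sent a second certificate: before chaining through a candidate, X509_check_issued() requires the issuer name to match, the authority key identifier (if present) to match, and, when the candidate carries a keyUsage extension, the keyCertSign bit to be set. The script below decodes chain entry 1 exactly as quoted in the thread (standard library only; a minimal DER walker stands in for a full X.509 parser) and reports those fields. On this certificate it finds basicConstraints CA:TRUE and a subject key identifier equal to its own authority key identifier, but a keyUsage of digitalSignature and keyEncipherment with no keyCertSign, so OpenSSL declines to use it as the leaf's issuer and falls through to the 20/27/21 sequence. Whether the same defect explains the Java PKIX failure depends on which certificate was imported into userSyncCAcerts and whether the -Djavax.net.ssl.trustStore option actually reached the JVM, which the thread does not settle; re-issuing the CA certificate with keyCertSign in its keyUsage removes the OpenSSL-side cause either way.

```python
"""Added diagnostic, not part of the thread: extract the X.509 fields a chain
builder consults before accepting a certificate as an issuer (stdlib only)."""
import base64

# Chain entry 1 ("1 s:/C=PK/.../CN=example.com") copied verbatim from the
# openssl s_client -showcerts output quoted above; not a constructed sample.
ISSUER_PEM = """-----BEGIN CERTIFICATE-----
MIIDwzCCAqugAwIBAgIJALD35nndyVZ1MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
BAYTAlBLMQ8wDQYDVQQIDAZQdW5qYWIxFDASBgNVBAoMC3BsYXRhbHl0aWNzMREw
DwYDVQQLDAhwbGF0Zm9ybTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUxMDA2
MTkzMTEwWhcNMTgxMDA1MTkzMTEwWjBdMQswCQYDVQQGEwJQSzEPMA0GA1UECAwG
UHVuamFiMRQwEgYDVQQKDAtwbGF0YWx5dGljczERMA8GA1UECwwIcGxhdGZvcm0x
FDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA0v/DuFdb+V4fpbPYnJpAzvca6DQaPJPdiEtkTcu/t8qKoiH5W8Pj6F95
nUhr/7oyGSnaZSZAGeYYzRfs4C/G3Fo+ZPw5Tm/5KGWLZG/SDDWMjwgOdPfvfTwb
P6nBOdlnW3OP7fOnKmvUJtml/N5IhNn20Sn0aHFFIRR5Apy1NcE/0poOw95bI6zl
Iiethqvng1P9uPWjViFV5MXRShn3IVlY02bj8ECap4ZvP9YSLPh80KiTxhB8oQ7r
QvMJkRpDaaqP8EmjvOgb3GE+VdL4wfsl23FDpTqRA+NSVJ6cLBFdzHQlUKQqtPzl
FanpWhjiigyaUGk1OEprTC2UTEp03QIDAQABo4GFMIGCMCUGA1UdEQQeMByCFGFu
ZWVsYS1MZW5vdm8tRzUwLTcwhwR6gU9FMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQU
vhBmWuJDV4RuB8P4oHZiWHdcyz0wHwYDVR0jBBgwFoAUvhBmWuJDV4RuB8P4oHZi
WHdcyz0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA+IBVHeJqjrk
3OqBGtxvW1HI3bFtaZKuXV/wNHzIrEbjvS2ezZTbBmzLvl0KjvWoF7m7Z6XjfYH3
kVL4/xqpeu2qk586ruTR8cXOXF9/IMdLnU287LvpGr5KXGmIwgjEDOxNYEnVIewO
uUiyY72a81VwXv7vFjFB8M5khM+60wQ/isLZJq4O0+C+xqKlXQvH28Ey6vq7WK91
chsY7jcmT+q/+CcgXxtc9+pjpZR35wsf/0jrNsH190w0YBzUWZIPHQx3ELg7GBQ1
iAlG0RkcWgrppSioekkEgC/gQbSBahWNVlaHTYNwCMjH7NyCDKa1d2+iby/b7k5G
L1ndgIax4Q==
-----END CERTIFICATE-----"""

OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_SUBJECT_KEY_ID = bytes.fromhex("551d0e")     # 2.5.29.14
OID_AUTHORITY_KEY_ID = bytes.fromhex("551d23")   # 2.5.29.35


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes):
    """Split the content of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        out.append((tag, value))
    return out


def find_extension(der: bytes, oid: bytes):
    """Depth-first search for Extension ::= SEQUENCE { OID, [critical], OCTET STRING }.
    Returns the OCTET STRING contents (DER of the extension value) or None."""
    for tag, value in _children(der):
        if not tag & 0x20:                  # primitive element: nothing to descend into
            continue
        kids = _children(value)
        if tag == 0x30 and kids and kids[0] == (0x06, oid) and kids[-1][0] == 0x04:
            return kids[-1][1]
        hit = find_extension(value, oid)
        if hit is not None:
            return hit
    return None


def inspect_issuer_cert(pem: str) -> dict:
    """Report the issuer-related properties of one certificate (RFC 5280 rules)."""
    der = pem_to_der(pem)
    ku = find_extension(der, OID_KEY_USAGE)
    bc = find_extension(der, OID_BASIC_CONSTRAINTS)
    ski = find_extension(der, OID_SUBJECT_KEY_ID)
    aki = find_extension(der, OID_AUTHORITY_KEY_ID)
    # KeyUsage is a BIT STRING: value[0] = unused-bit count, value[1] = bits 0..7 MSB
    # first (bit 0 digitalSignature, bit 2 keyEncipherment, bit 5 keyCertSign).
    first = (_tlv(ku, 0)[1][1:] or b"\0")[0] if ku else 0
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint OPTIONAL }
    is_ca = bc is not None and any(
        t == 0x01 and v != b"\x00" for t, v in _children(_tlv(bc, 0)[1]))
    ski_id = _tlv(ski, 0)[1] if ski else None
    # AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier OPTIONAL, ... }
    aki_id = next((v for t, v in _children(_tlv(aki, 0)[1]) if t == 0x80), None) if aki else None
    key_cert_sign = bool(first & 0x04)
    return {
        "ca": is_ca,
        "digital_signature": bool(first & 0x80),
        "key_encipherment": bool(first & 0x20),
        "key_cert_sign": key_cert_sign,
        "ski_matches_aki": ski_id is not None and ski_id == aki_id,
        # A CA with no keyUsage extension is accepted; a keyUsage that omits
        # keyCertSign disqualifies the certificate as an issuer.
        "can_act_as_issuer": is_ca and (ku is None or key_cert_sign),
    }


if __name__ == "__main__":
    print(inspect_issuer_cert(ISSUER_PEM))
```

Run it as-is to print the report for the certificate from the thread; to check another chain, paste the issuer entry from `openssl s_client -showcerts` into ISSUER_PEM. For a CA certificate that is meant to sign server certificates, `can_act_as_issuer` must come back True; here it comes back False because `key_cert_sign` is False while `ca` is True.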