Posted to dev@stratos.apache.org by "Michiel Blokzijl (mblokzij)" <mb...@cisco.com> on 2014/12/11 20:39:51 UTC

Using stratos with OpenStack API endpoints that have proper SSL certs

Hi,

I’m hitting the following issue in Stratos:

TID: [0] [STRATOS] [2014-12-11 17:25:24,018] ERROR {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator} -  Invalid Partition Detected : RegionOne-AZ-1-Core. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to POST https://us-internal-1.cloud.cisco.com:5000/v2.0/tokens HTTP/1.1 {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator}

Has anyone tested Stratos against Rackspace or another OpenStack API endpoint that has proper SSL certificates, rather than self-signed ones?

I tried the suggestions from https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException, but they didn’t help.

Cheers,

Michiel

Re: Using stratos with OpenStack API endpoints that have proper SSL certs

Posted by "Michiel Blokzijl (mblokzij)" <mb...@cisco.com>.
Hi Nirmal,
Thanks for that.

So I tried various things, incl. linking the various java security parameter files in the Oracle JDK to the ubuntu-provided JRE, and ensuring that the certificate is installed in the truststore (it shows up when I list the certs with the keytool).

I also tried adding the certificate to the client-truststore.jks (using the InstallCert program); keytool -list shows that all the certificates in the chain are in that file, but I still get the same error.

I read the blog post you mentioned, but that seems to have more to do with securing communications between Stratos clients and the Stratos server, rather than the Stratos server and API endpoints.

Any idea what I might be doing wrong?

Best regards,

Michiel

On 12 Dec 2014, at 02:16, Nirmal Fernando <ni...@gmail.com> wrote:

> Sorry, Michiel, I forgot to add the path. It's repository/resources/security/
> 
> I remember when we tested VCloud support a few years back, we used to import the certs of the VCloud vendor too. Good read: http://hasini-gunasinghe.blogspot.com/2011/12/installing-new-keystore-into-wso2.html
> 
> On Fri, Dec 12, 2014 at 1:22 AM, Michiel Blokzijl (mblokzij) <mb...@cisco.com> wrote:
> Hi Nirmal,
> 
> I tried using the InstallCert java program that’s attached to this page, referenced from the wiki link I posted below. I ran it using the same java binary that I use to run Stratos, but that didn’t seem to make a difference.
> 
> I’m now trying to overwrite the cacerts of the Oracle JRE I use with the ones shipped with Ubuntu, to see if that fixes it..
> 
> Does Stratos have its own client-truststore? If so, where can I find it? (I didn’t spot the argument used to pass in a custom one)
> 
> Thanks!
> 
> Michiel
> 
> On 11 Dec 2014, at 19:47, Nirmal Fernando <ni...@gmail.com> wrote:
> 
>> Hi Michiel,
>> 
>> Could you please try the same after importing the cert of your Openstack server, into the client-truststore of Stratos server?
>> 
>> On Fri, Dec 12, 2014 at 1:09 AM, Michiel Blokzijl (mblokzij) <mb...@cisco.com> wrote:
>> Hi,
>> 
>> I’m hitting the following issue in Stratos:
>> 
>> TID: [0] [STRATOS] [2014-12-11 17:25:24,018] ERROR {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator} -  Invalid Partition Detected : RegionOne-AZ-1-Core. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to POST https://us-internal-1.cloud.cisco.com:5000/v2.0/tokens HTTP/1.1 {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator}
>> 
>> Has anyone tested Stratos against Rackspace or another OpenStack API endpoint that has proper SSL certificates, rather than self-signed ones?
>> 
>> I tried the suggestions from https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException, but they didn’t help.
>> 
>> Cheers,
>> 
>> Michiel
>> 
>> 
>> 
>> -- 
>> Best Regards,
>> Nirmal
>> 
>> Nirmal Fernando.
>> PPMC Member & Committer of Apache Stratos,
>> Senior Software Engineer, WSO2 Inc.
>> 
>> Blog: http://nirmalfdo.blogspot.com/
> 
> 
> 
> 
> -- 
> Best Regards,
> Nirmal
> 
> Nirmal Fernando.
> PPMC Member & Committer of Apache Stratos,
> Senior Software Engineer, WSO2 Inc.
> 
> Blog: http://nirmalfdo.blogspot.com/


Re: Using stratos with OpenStack API endpoints that have proper SSL certs

Posted by Nirmal Fernando <ni...@gmail.com>.
Sorry, Michiel, I forgot to add the path. It's
repository/resources/security/

I remember when we tested VCloud support a few years back, we used to import
the certs of the VCloud vendor too. Good read:
http://hasini-gunasinghe.blogspot.com/2011/12/installing-new-keystore-into-wso2.html

On Fri, Dec 12, 2014 at 1:22 AM, Michiel Blokzijl (mblokzij) <
mblokzij@cisco.com> wrote:

> Hi Nirmal,
>
> I tried using the InstallCert java program that’s attached to this page
> <http://nodsw.com/blog/leeland/2006/12/06-no-more-unable-find-valid-certification-path-requested-target>,
> referenced from the wiki link I posted below. I ran it using the same java
> binary that I use to run Stratos, but that didn’t seem to make a difference.
>
> I’m now trying to overwrite the cacerts of the Oracle JRE I use with the
> ones shipped with Ubuntu, to see if that fixes it..
>
> Does Stratos have its own client-truststore? If so, where can I find it?
> (I didn’t spot the argument used to pass in a custom one)
>
> Thanks!
>
> Michiel
>
> On 11 Dec 2014, at 19:47, Nirmal Fernando <ni...@gmail.com> wrote:
>
> Hi Michiel,
>
> Could you please try the same after importing the cert of your Openstack
> server, into the client-truststore of Stratos server?
>
> On Fri, Dec 12, 2014 at 1:09 AM, Michiel Blokzijl (mblokzij) <
> mblokzij@cisco.com> wrote:
>
>> Hi,
>>
>> I’m hitting the following issue in Stratos:
>>
>> TID: [0] [STRATOS] [2014-12-11
>> 17:25:24,018] ERROR {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator}
>> -  Invalid Partition Detected : RegionOne-AZ-1-Core. Cause:
>> sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
>> to find valid certification path to requested target connecting to POST
>> https://us-internal-1.cloud.cisco.com:5000/v2.0/tokens
>> HTTP/1.1 {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator}
>>
>> Has anyone tested Stratos against Rackspace or another OpenStack API
>> endpoint that has proper SSL certificates, rather than self-signed ones?
>>
>> I tried the suggestions from
>> https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException,
>> but they didn’t help.
>>
>> Cheers,
>>
>> Michiel
>>
>
>
>
> --
> Best Regards,
> Nirmal
>
> Nirmal Fernando.
> PPMC Member & Committer of Apache Stratos,
> Senior Software Engineer, WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/
>
>
>


-- 
Best Regards,
Nirmal

Nirmal Fernando.
PPMC Member & Committer of Apache Stratos,
Senior Software Engineer, WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/

Re: Using stratos with OpenStack API endpoints that have proper SSL certs

Posted by "Michiel Blokzijl (mblokzij)" <mb...@cisco.com>.
Hi Nirmal,

I tried using the InstallCert java program that’s attached to this page, referenced from the wiki link I posted below. I ran it using the same java binary that I use to run Stratos, but that didn’t seem to make a difference.

I’m now trying to overwrite the cacerts of the Oracle JRE I use with the ones shipped with Ubuntu, to see if that fixes it..

Does Stratos have its own client-truststore? If so, where can I find it? (I didn’t spot the argument used to pass in a custom one)

Thanks!

Michiel

On 11 Dec 2014, at 19:47, Nirmal Fernando <ni...@gmail.com> wrote:

> Hi Michiel,
> 
> Could you please try the same after importing the cert of your Openstack server, into the client-truststore of Stratos server?
> 
> On Fri, Dec 12, 2014 at 1:09 AM, Michiel Blokzijl (mblokzij) <mb...@cisco.com> wrote:
> Hi,
> 
> I’m hitting the following issue in Stratos:
> 
> TID: [0] [STRATOS] [2014-12-11 17:25:24,018] ERROR {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator} -  Invalid Partition Detected : RegionOne-AZ-1-Core. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to POST https://us-internal-1.cloud.cisco.com:5000/v2.0/tokens HTTP/1.1 {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator}
> 
> Has anyone tested Stratos against Rackspace or another OpenStack API endpoint that has proper SSL certificates, rather than self-signed ones?
> 
> I tried the suggestions from https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException, but they didn’t help.
> 
> Cheers,
> 
> Michiel
> 
> 
> 
> -- 
> Best Regards,
> Nirmal
> 
> Nirmal Fernando.
> PPMC Member & Committer of Apache Stratos,
> Senior Software Engineer, WSO2 Inc.
> 
> Blog: http://nirmalfdo.blogspot.com/


Re: Using stratos with OpenStack API endpoints that have proper SSL certs

Posted by Nirmal Fernando <ni...@gmail.com>.
Hi Michiel,

Could you please try the same after importing the cert of your Openstack
server, into the client-truststore of Stratos server?

On Fri, Dec 12, 2014 at 1:09 AM, Michiel Blokzijl (mblokzij) <
mblokzij@cisco.com> wrote:

> Hi,
>
> I’m hitting the following issue in Stratos:
>
> TID: [0] [STRATOS] [2014-12-11
> 17:25:24,018] ERROR {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator}
> -  Invalid Partition Detected : RegionOne-AZ-1-Core. Cause:
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target connecting to POST
> https://us-internal-1.cloud.cisco.com:5000/v2.0/tokens
> HTTP/1.1 {org.apache.stratos.cloud.controller.validate.OpenstackNovaPartitionValidator}
>
> Has anyone tested Stratos against Rackspace or another OpenStack API
> endpoint that has proper SSL certificates, rather than self-signed ones?
>
> I tried the suggestions from
> https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException,
> but they didn’t help.
>
> Cheers,
>
> Michiel
>



-- 
Best Regards,
Nirmal

Nirmal Fernando.
PPMC Member & Committer of Apache Stratos,
Senior Software Engineer, WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/
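
Added example, not part of the original thread and not Stratos code: a Java check for the case discussed above, where keytool lists the certificates but the "PKIX path building failed" error persists. It reports which trust store file the JVM resolves by default, then tries to build a path from a saved server chain to an anchor in that store. Assumptions: the server relies on JSSE's default trust store lookup (an application can install its own SSLContext and bypass it), and the class name TrustCheck and the file name chain.pem are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example (not Stratos code). Run with the same java binary and -D options as the server:
//   java [-Djavax.net.ssl.trustStore=...] TrustCheck chain.pem
public class TrustCheck {
    // Mirror JSSE's default lookup: system property, then jssecacerts, then cacerts.
    static Path effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return Paths.get(prop);
        Path dir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = dir.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : dir.resolve("cacerts");
    }
    public static void main(String[] args) throws Exception {
        Path store = effectiveTrustStore();
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ts = KeyStore.getInstance(
            System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        try (InputStream in = Files.newInputStream(store)) {
            ts.load(in, pw == null ? null : pw.toCharArray()); // null skips the integrity check
        }
        System.out.println("Effective trust store: " + store.toAbsolutePath()
            + " (" + ts.size() + " entries)");
        if (args.length == 0) return; // no chain given: only report the store

        // args[0]: PEM file with the chain the endpoint presents, leaf certificate first.
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // path building only, no CRL/OCSP lookups
        try {
            if (ts.getCertificateAlias(chain.get(0)) != null) { System.out.println("TRUSTED: leaf is in the store"); return; }
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("TRUSTED via " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
        }
    }
}
```

If the reported path is not the file the certificate was imported into, the import has no effect on that JVM's default TLS validation.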