Home / server / Questions / 946690
Accepted
JK-Hu
Asked: 2018-12-27 10:50:56 +0800 CST

unable to find valid certification path to requested target on oVirt

  • 772

I installed latest CentOS 7 yesterday. Clean install. And I follow this tutorial: https://www.ovirt.org/documentation/install-guide/chap-Installing_oVirt.html

The only different is I configured httpd listen 1080 for http and 1443 for https. Because I installed nginx before. And I configure nginx redirect 443 to 1443 port if the hostname is correct.

But in the "Connecting to the Administration Portal" step, I got error:

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

https://i.imgur.com/bnTwTDK.png

I tried a lot of solution, but no one works.

tried_solution_1: 

cat /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"

https://i.imgur.com/uAbJmfn.png not works.

tried_solution_2:

add cert to keystore manually:

for f in *.pem;  do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.cer;  do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.der;  do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
#/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts is linked to /etc/pki/java/cacerts

I run this script in everywhere under /etc/pki/ovirt-engine/ , but it still not works.

https://i.imgur.com/ZME9n6q.png

centos

1 Answers

  1. Best Answer

    I have a clean install with oVirt and installed my own certificates, anyway I got the same error as you and managed to solve it this way.

    Important to say that the files you see in this comands, I assume you created them like the appendix D at the oVirt docs.

    At the end of the appendix, before restarting the services, execute this:

    keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file "/tmp/apache.cer"

    Note the "-storepass" is the default, obviously you should put your own store password if you have one.

    Then restart the services, It worked for me.

    EDIT:

    If you are going to use a comercial certificate, make sure you have the following files with the appendix names like this:

    • /tmp/3rd-party-ca-cert.pem -> CA and CA Root
    • /tmp/apache.p12 -> Certificate and Private key
    • /tmp/apache.cer -> Certificate only
    • /tmp/apache.key -> Private key only

    And double check your CA and CA Root that matches your CA's certificate like this chain:

    Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.MYDOMAIN.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA

 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

    Please, note that in the "i:" field (issuer field), the CN (Common Name) matches the next certificate, if this is not like this, check the file "/tmp/3rd-party-ca-cert.pem" and get the correct ones.

    I don't know wich solution are you using, because it can be used for external and internal websocket connections.

    • 0