Hi Kavitha,

KeyTemplate Retriever only needs to run on GW nodes. You can disable this on other nodes by setting the BlockCondition element to false.

For retrieving KeyTemplates, the retriever uses the URL of the KM to call the endpoint. One reason for this error occurring could be not having the certs of the Nginx in the client-truststore.

Can you also share the Key Stores/Certs and the configurations?

On Wed, Jul 27, 2016 at 4:06 PM, Kavitha Subramaniyam <[email protected]> wrote:

> Hi apim team,
>
> I'm getting a certification issue [1] in cluster nodes (every node:
> publisher, store, gateway) which are configured with the APIM2.0.0RC4 pack. I have
> imported all relevant certs to the keystore properly as per the steps below:
> - Created certs in nginx and copied to /etc/nginx/ssl
> - Updated relevant conf in /etc/nginx/conf.d
> - Copied those certs in to each node respectively /repository/resources/security
> - Imported certs to client-truststore.jks using the command below
>
> keytool -import -alias apimpublisher -file apimpublisher.crt -keystore client-truststore.jks
>
> Cluster details: clustered following the doc [2]
> 1 Publisher, 2 Store, 2 gateway workers and 2 IS keymanager nodes fronted
> by nginx
>
> Further I tried this also: added the certificate for apim to the keystore of the
> Java in use as below and checked it; *but the issue is still there*.
>
> keytool -export -alias wso2carbon -keystore <APIM_HOME>/repository/resources/security/wso2carbon.jks -storepass wso2carbon -file mycert.pem
> keytool -import -trustcacerts -file mycert.pem -alias wso2carbon -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> Observed the Warn and Error below on server startup. Please see the attached
> log from the publisher node (server startup with -Djavax.net.debug=all)
>
> Could you please have a look into this and give your feedback?
>
> [1]
>
> TID: [-1] [] [2016-07-27 10:14:50,813] WARN {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} - Failed retrieving throttling data from remote endpoint: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Retrying after 15 seconds... {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
> TID: [-1] [] [2016-07-27 10:15:05,854] ERROR {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} - Exception when retrieving throttling data from remote endpoint {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:178)
> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.retrieveKeyTemplateData(KeyTemplateRetriever.java:83)
> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.loadKeyTemplatesFromWebService(KeyTemplateRetriever.java:111)
> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.run(KeyTemplateRetriever.java:54)
> at java.util.TimerThread.mainLoop(Timer.java:555)
> at java.util.TimerThread.run(Timer.java:505)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
> ... 23 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> ... 29 more
>
> [2] https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
>
> --
> Kavitha.S
> *Software Engineer -QA*
> Mobile : +94 (0) 771538811
> [email protected]

--
*Amila De Silva*
WSO2 Inc.
mobile :(+94) 775119302

_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
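
The failure discussed in this thread can be reproduced offline. The following is an added example, not part of the original messages: it shows that trusting one host's certificate (the publisher's) does nothing for a different certificate served for the Key Manager URL, and that the check passes once that certificate is in the trust store. Assumptions: the host names are constructed, a PEM bundle stands in for client-truststore.jks, and `openssl verify` stands in for the JVM's PKIX path building.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Host names are constructed; a PEM bundle
# stands in for client-truststore.jks and `openssl verify` for the JVM's
# PKIX path building.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN: throwaway self-signed cert, like one nginx would serve for CN.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# check_trust BUNDLE CERT: prints "trusted" if a path from CERT to an anchor in
# BUNDLE can be built, otherwise "untrusted" (the TLS handshake would fail).
check_trust() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# fingerprint CERT: SHA-256 fingerprint, to compare against the entries that
# `keytool -list -v` prints for a real truststore.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_cert publisher  apimpublisher.example.test   # constructed host name
make_cert keymanager keymanager.example.test      # constructed host name

# Trust bundle holding only the publisher cert, as after importing just that alias.
cp "$WORK/publisher.crt" "$WORK/truststore.pem"
BEFORE_PUB="$(check_trust "$WORK/truststore.pem" "$WORK/publisher.crt")"
BEFORE_KM="$(check_trust "$WORK/truststore.pem" "$WORK/keymanager.crt")"

# Add the cert served for the Key Manager URL, then re-check.
cat "$WORK/keymanager.crt" >> "$WORK/truststore.pem"
AFTER_KM="$(check_trust "$WORK/truststore.pem" "$WORK/keymanager.crt")"

echo "publisher cert:            $BEFORE_PUB"
echo "key manager cert (before): $BEFORE_KM"
echo "key manager cert (after):  $AFTER_KM"
echo "key manager fingerprint:   $(fingerprint "$WORK/keymanager.crt")"
```

On a real node the same comparison is made by matching the fingerprint of the certificate nginx serves for the KM URL against the entries in the truststore the JVM actually loads.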
