Hi Nuwan,
Ok. About this certification issue, I have already added the nginx certs to
each Carbon trust store (which are attached in the above reply) but not the
Carbon server's certs, since I'm using the default Carbon key store in all nodes.

Thanks,

On Wed, Jul 27, 2016 at 7:44 PM, Nuwan Dias <[email protected]> wrote:

> No changes have been made to those. And it seems I was mistaken regarding
> the config. I got to know from Harsha that it is actually the Key Manager URL
> we use in this instance.
>
> Like I said, this error is quite common. If you google it you will find
> multiple instances of it and the reason always is the cert not being
> available in the trust store.
>
> Our guess is that you are using two certs. One for nginx and one for
> carbon. You may have put the cert of the carbon servers in the trust store
> but may not have put the nginx cert into your trust store. You need to
> validate the certs in the trust store and ensure all required certs are in
> there.
>
> Thanks,
> NuwanD.
>
> On Wed, Jul 27, 2016 at 7:40 PM, Kavitha Subramaniyam <[email protected]> wrote:
>
>> Hi Nuwan,
>> With the earlier packs we used the default values for the <PolicyDeployer>
>> config in api-manager.xml and we didn't encounter this issue.
>> Have there been any changes that might have made this configuration
>> relevant to RC4? As of now we are using the default values. Do we have to
>> update it?
>>
>> Thanks,
>>
>> On Wed, Jul 27, 2016 at 7:21 PM, Kavitha Subramaniyam <[email protected]> wrote:
>>
>>> Hi Nuwan,
>>> I have checked the <PolicyDeployer> config in api-mgt.xml and it is the
>>> default config for all nodes. I don't understand why this is looking for
>>> the server certificate though I have added the cert itself to the relevant
>>> node (the publisher cert is added to the publisher's key store too).
>>>
>>> @Amila, I have set the BlockCondition element to false on the other nodes
>>> and now I can't see the above error on both the Publisher and Store nodes.
>>> But anyway this issue still needs to be fixed on the GW nodes. I'm attaching
>>> the conf and key store/certs of one of the GW nodes herewith. Please have a look..
>>>
>>>
>>> Thanks,
>>> Kavitha
>>>
>>>
>>> On Wed, Jul 27, 2016 at 4:38 PM, Amila De Silva <[email protected]> wrote:
>>>
>>>> Hi Kavitha,
>>>>
>>>> KeyTemplate Retriever only needs to run on GW nodes. You can disable
>>>> this on other nodes by setting the BlockCondition element to false.
>>>> For retrieving KeyTemplates, the retriever uses the URL of the KM to call
>>>> the endpoint. One reason for this error occurring could be not having the
>>>> Nginx certs in the client-truststore.
>>>> Can you also share the Key Stores/Certs and the configurations?
>>>>
>>>>
>>>> On Wed, Jul 27, 2016 at 4:06 PM, Kavitha Subramaniyam <[email protected]> wrote:
>>>>
>>>>> Hi apim team,
>>>>>
>>>>> I'm getting a certification issue [1] in the cluster nodes (every node:
>>>>> publisher, store, gateway) configured with the APIM 2.0.0 RC4 pack. I have
>>>>> imported all relevant certs to the keystore properly as per the steps below:
>>>>> - Created certs in nginx and copied them to /etc/nginx/ssl
>>>>> - Updated the relevant conf in /etc/nginx/conf.d
>>>>> - Copied those certs into each node's respective
>>>>> /repository/resources/security
>>>>> - Imported the certs to client-truststore.jks using the command below
>>>>>
>>>>> keytool -import -alias apimpublisher -file apimpublisher.crt -keystore
>>>>> client-truststore.jks
>>>>>
>>>>>
>>>>> Cluster details: clustered following the doc [2]
>>>>> 1 Publisher, 2 Store, 2 gateway workers and 2 IS keymanager nodes
>>>>> fronted by nginx
>>>>>
>>>>>
>>>>> Further, I also tried this: added the certificate for APIM to the keystore
>>>>> of the Java in use, as below, and checked it; *but the issue is still there*.
>>>>> keytool -export -alias wso2carbon -keystore
>>>>> <APIM_HOME>/repository/resources/security/wso2carbon.jks -storepass
>>>>> wso2carbon -file mycert.pem
>>>>> keytool -import -trustcacerts -file mycert.pem -alias wso2carbon
>>>>> -keystore $JAVA_HOME/jre/lib/security/cacerts
>>>>>
>>>>>
>>>>> Observed the WARN and ERROR below on server startup. Please see the
>>>>> attached log from the publisher node (server startup with
>>>>> -Djavax.net.debug=all).
>>>>>
>>>>> Could you please have a look into this and give your feedback?
>>>>>
>>>>> [1]
>>>>>
>>>>> TID: [-1] [] [2016-07-27 10:14:50,813]  WARN
>>>>> {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} -
>>>>>  Failed retrieving throttling data from remote endpoint:
>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target. Retrying after 15 seconds...
>>>>> {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
>>>>> TID: [-1] [] [2016-07-27 10:15:05,854] ERROR
>>>>> {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever} -
>>>>>  Exception when retrieving throttling data from remote endpoint
>>>>>  {org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever}
>>>>> javax.net.ssl.SSLHandshakeException:
>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target
>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>>>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>>> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
>>>>> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
>>>>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:178)
>>>>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>>>>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>>>>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
>>>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
>>>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
>>>>> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.retrieveKeyTemplateData(KeyTemplateRetriever.java:83)
>>>>> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.loadKeyTemplatesFromWebService(KeyTemplateRetriever.java:111)
>>>>> at org.wso2.carbon.apimgt.gateway.throttling.util.KeyTemplateRetriever.run(KeyTemplateRetriever.java:54)
>>>>> at java.util.TimerThread.mainLoop(Timer.java:555)
>>>>> at java.util.TimerThread.run(Timer.java:505)
>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target
>>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>>>> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
>>>>> ... 23 more
>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>>>> unable to find valid certification path to requested target
>>>>> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>>>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>>>>> ... 29 more
>>>>>
>>>>>
>>>>>
>>>>> [2]
>>>>> https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Kavitha.S
>>>>> *Software Engineer -QA*
>>>>> Mobile : +94 (0) 771538811
>>>>> [email protected]
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> *Amila De Silva*
>>>>
>>>> WSO2 Inc.
>>>> mobile :(+94) 775119302
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729
>



-- 
Kavitha.S
*Software Engineer -QA*
Mobile : +94 (0) 771538811
[email protected]
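The thread's advice is to validate what is actually in each node's client-truststore.jks against the certificate the Key Manager URL really presents (the nginx front end's certificate, not the Carbon server's). The following diagnostic is an added example, not WSO2 code or anything posted in the thread: it captures the chain a TLS server sends, marks which of those certificates are present in a given JKS trust store, and then repeats the handshake trusting only that store, which reproduces the same "PKIX path building failed" rejection the KeyTemplateRetriever log shows. The class name, argument layout and the assumption that the trust store is in JKS format (as client-truststore.jks is in this thread) are this example's own choices.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (not WSO2 code). Usage:
//   java TrustStoreCheck <host> <port> <path/to/client-truststore.jks> <storepass>
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustStoreCheck <host> <port> <truststore.jks> <storepass>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyStore trustStore = loadJks(args[2], args[3].toCharArray());

        // SHA-256 fingerprint -> alias for every certificate entry in the trust store.
        Map<String, String> trusted = new HashMap<>();
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = trustStore.getCertificate(alias);
            if (c != null) {
                trusted.put(sha256Hex(c.getEncoded()), alias);
            }
        }

        // Step 1: see which chain the endpoint really sends (behind nginx this is
        // nginx's certificate, not the Carbon server's wso2carbon certificate).
        X509Certificate[] chain = fetchServerChain(host, port);
        System.out.println(host + ":" + port + " presented " + chain.length + " certificate(s):");
        for (X509Certificate cert : chain) {
            String fp = sha256Hex(cert.getEncoded());
            String alias = trusted.get(fp);
            System.out.println("  subject=" + cert.getSubjectX500Principal()
                    + "\n    issuer=" + cert.getIssuerX500Principal()
                    + "\n    sha256=" + fp
                    + "\n    " + (alias != null ? "present in trust store as '" + alias + "'"
                                               : "NOT present in trust store"));
        }

        // Step 2: the real test, a handshake that trusts only the given trust store.
        // This is what a JDK TLS client configured with this trust store will do.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext strict = SSLContext.getInstance("TLS");
        strict.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) strict.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("RESULT: chain is trusted by " + args[2]);
        } catch (SSLHandshakeException ex) {
            // Same failure as in the log: "PKIX path building failed: ... unable to find
            // valid certification path to requested target".
            System.out.println("RESULT: handshake rejected: " + ex.getMessage());
            System.out.println("Import the presented leaf certificate (or its issuing CA) into the trust store:");
            System.out.println("  keytool -import -alias <alias> -file <server.crt> -keystore " + args[2]);
            System.exit(1);
        }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Handshake with a capture-only trust manager so the chain is visible even when untrusted.
    static X509Certificate[] fetchServerChain(String host, int port) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        // DIAGNOSTIC ONLY: accepts any chain. Never wire a trust manager like this into a real client.
        TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String authType) { }
            public void checkServerTrusted(X509Certificate[] c, String authType) { captured[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        if (captured[0] == null || captured[0].length == 0) {
            throw new CertificateException("server presented no certificate chain");
        }
        return captured[0];
    }

    static String sha256Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

Run it from each node against the host and port in that node's Key Manager URL, pointing at the node's own repository/resources/security/client-truststore.jks. If step 1 shows the nginx certificate as "NOT present" while the wso2carbon entries are, that is exactly the two-certificate situation described above, and the fix is to import the certificate nginx serves (or the CA that issued it) into every node's trust store, under its own alias, rather than the Carbon server's certificate. The check only covers PKIX path building, the failure in the log; it does not verify that the certificate's hostname matches the URL, which is a separate check a real HTTP client may also apply.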
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
