Deepika, I just checked the expiration dates on the key stores in SDNC. Our server certificate (in /opt/onap/sdnc/data/stores/org.onap.sdnc.p12) is due to expire on 4/26/2020 – so very soon, but not quite yet. It could be that AAI’s server certificate has expired – sorry, but I’m not familiar enough with their code structure to check that for you.
Your best bet is probably to shift to El Alto, if that’s a possibility for you. If that’s not possible and you want to try at least updating the SDNC certs, you can find recent copies of our sdnc key files in this recent Gerrit commit (we just refreshed them for Frankfurt): https://gerrit.onap.org/r/c/sdnc/oam/+/105729

You could try pulling the last 3 files in that commit (the ones under installation/src/main/stores), copy them to /opt/onap/sdnc/data/stores in your SDNC container and bounce it to see if that helps.

Note: that truststoreONAPall.jks file contains the CA (certificate authority) certs. The only one there that I think is relevant is AAF’s cert, and that doesn’t expire until 2038 – so I don’t think you need to worry about that file.

Hope this helps!

Dan

From: onap-discuss <[email protected]> on behalf of "deepika.s84 via lists.onap.org" <[email protected]>
Reply-To: onap-discuss <[email protected]>, "[email protected]" <[email protected]>
Date: Wednesday, April 22, 2020 at 10:03 AM
To: onap-discuss <[email protected]>
Subject: [onap-discuss] #sdnc - certificate validity failed with AAI

Hi All,

We are testing the SDNC Dublin code for a use case. We are seeing the following error, which occurs when SDNC tries to interact (i.e., read/write) with AAI. We are facing this issue after the certificate update made in AAI (https://gerrit.onap.org/r/c/aai/oom/+/104416).
I think the validity of the trust store file in SDNC (i.e., sdnc/oam/installation/sdnc/src/main/resources/truststoreONAPall.jks) has expired.

16:05:20.218 WARN [qtp447788015-189] AaiUpdateService
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) ~[?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) ~[?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) ~[?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:?]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:?]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315) ~[?:?]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264) ~[?:?]

The error seems to be related to the certificate expiry. I noticed the certificate update made in AAI. Could anyone tell us how to update truststoreONAPall.jks? Or any fix to solve this issue?
Thanks,
Deepika

View/Reply Online (#20816): https://lists.onap.org/g/onap-discuss/message/20816
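
Added example, not part of the original thread and not ONAP code: a small checker for the expiry dates discussed above, which reads the text printed by `keytool -list -v -keystore <file>` for a .p12 or .jks store and flags certificates that are expired or close to expiring. The aliases, dates and the "today" value in the sample are constructed, and the 30-day warning window is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape printed by `keytool -list -v`; the aliases
# and dates are illustrative, not read from the real SDNC stores.
SAMPLE = """\
Alias name: example-server
Entry type: PrivateKeyEntry
Valid from: Thu Apr 26 14:00:00 UTC 2018 until: Sun Apr 26 14:00:00 UTC 2020
Alias name: example-ca
Entry type: trustedCertEntry
Valid from: Tue Jan 01 00:00:00 UTC 2008 until: Fri Jan 01 00:00:00 UTC 2038
Alias name: example-old
Entry type: trustedCertEntry
Valid from: Mon Apr 01 00:00:00 UTC 2019 until: Wed Apr 01 00:00:00 UTC 2020
"""

ALIAS = re.compile(r"^Alias name:\s*(.+)$")
UNTIL = re.compile(r"until:\s*\w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})")

def expiry_report(keytool_output, now, warn_days=30):
    """Return [(alias, not_after, status)] for every certificate listed.

    Assumption: the zone token is ignored and times are treated as UTC, which
    is accurate to within a day for any zone keytool prints.
    """
    report, alias = [], None
    for line in keytool_output.splitlines():
        m = ALIAS.match(line.strip())
        if m:
            alias = m.group(1)
            continue
        m = UNTIL.search(line)
        if m and alias is not None:
            mon, day, clock, year = m.groups()
            not_after = datetime.strptime(f"{mon} {day} {clock} {year}",
                                          "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            days_left = (not_after - now).days
            status = ("EXPIRED" if not_after <= now
                      else "EXPIRING" if days_left < warn_days else "OK")
            report.append((alias, not_after, status))
    return report

if __name__ == "__main__":
    now = datetime(2020, 4, 22, 16, 5, tzinfo=timezone.utc)  # constructed "today"
    for alias, not_after, status in expiry_report(SAMPLE, now):
        print(f"{status:9} {alias:15} notAfter={not_after:%Y-%m-%d}")
```

Run against both the client's trust store and the peer's server keystore: a "validity check failed" handshake error only says that some certificate in the presented chain is outside its validity window, not which side holds it.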
