Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-31 Thread Andrew Grimberg
On 03/28/2017 08:48 AM, Andrew Grimberg wrote:
> 
> To add to this, while we _can_ switch back to the COMODO cert for Nexus
> it's only good until the middle of December and we will _not_ be
> purchasing new certs now that we have Let's Encrypt capabilities
> configured in our Puppet management.
> 
> -Andy-

Greetings folks,

After all the discussion and a request from on high for me, I've
replaced the COMODO cert on the Nexus system.

-Andy-

-- 
Andrew J Grimberg
Lead, IT Release Engineering
The Linux Foundation



___
Discuss mailing list
Discuss@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/discuss


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-30 Thread Ryan Goulding
+1.

Regards,

Ryan Goulding

On Thu, Mar 30, 2017 at 6:12 PM, Ed Warnicke <hagb...@gmail.com> wrote:

> I think it's also probably worth noting that we are basically talking
> about less than $80 a year and a small number of minutes to solve
> this problem:
>
> https://ssl.comodo.com/landing/ssl/index-new03.php?af=7697=sem=
> CUCSEM2017=Cj0KEQjw2fLGBRDopP-vg7PLgvsBEiQAUOnIXA9GgtA5W0JH7o0_
> Wt7EGiajYLoSUAxbkydr78bfzi4aAnm78P8HAQ
>
> It's not like it's expensive or hard.
>
> Ed
>
> On Thu, Mar 30, 2017 at 10:09 AM, FREEMAN, BRIAN D <bf1...@att.com> wrote:
>
>> This type of change is really terrible from my perspective. We have
>> developers working on production features and we can't have a situation
>> where they simply can’t get their job done because of something as simple
>> as a certificate update. This is not a research project where a few people
>> just need to see the note on the coffee machine that they should use joe’s
>> email to update their environment.
>>
>>
>>
>> We need to make sure that we don’t break the build process for
>> developers. I also agree that reducing barriers to entry for the community
>> needs to be lower not higher.
>>
>>
>>
>> My two cents is to fix the problem and put a certificate in that actually
>> is widely accepted by our tools. Down the road when the certificate
>> authority is available in the predominant tools being used a different
>> answer might be possible.
>>
>>
>>
>> Brian
>>
>>
>>
>>
>>
>>
>>
>> *From:* discuss-boun...@lists.opendaylight.org [mailto:
>> discuss-boun...@lists.opendaylight.org] *On Behalf Of *Colin Dixon
>> *Sent:* Thursday, March 30, 2017 12:51 PM
>> *To:* Ed Warnicke <hagb...@gmail.com>
>> *Cc:* OpenDaylight Discuss <discuss@lists.opendaylight.org>;
>> rele...@lists.opendaylight.org; OpenDaylight Infrastructure <
>> infrastruct...@lists.opendaylight.org>; Vishal Thapar <
>> vishal.tha...@ericsson.com>; Mohamed ElSerngawy <melserng...@inocybe.ca>;
>> Daniel Malachovsky -X (dmalacho - PANTHEON TECHNOLOGIES at Cisco) <
>> dmala...@cisco.com>
>>
>> *Subject:* Re: [OpenDaylight Discuss] [release] Certificate changes
>>
>>
>>
>> I'm somewhat on Ed's side here. A huge number of developers use Macs.
>> Most people will have Oracle JDKs of some kind turned on. Reasonably recent
>> ones aren't working. Despite this whole thread, I still don't have
>> instructions that have gotten the build to work on my Mac. I'll put some
>> more cycles into it later, but at this point I've personally lost ~2 hours
>> to the problem and I haven't seen clear instructions on how to fix it. :-(
>>
>>
>>
>> --Colin
>>
>>
>>
>>
>>
>> On Thu, Mar 30, 2017 at 12:39 PM, Ed Warnicke <hagb...@gmail.com> wrote:
>>
>> The question is... how many people *don't* find help and just *presume*
>> we are broken out of the box (literally don't build for reasons that are
>> not obvious to most people).
>>
>>
>>
>> Ed
>>
>>
>>
>> On Thu, Mar 30, 2017 at 9:05 AM, Vishal Thapar <
>> vishal.tha...@ericsson.com> wrote:
>>
>> I helped someone else using Win7 resolve. He too got it working by
>> getting the certificate via browser rather than through the command line. One
>> thing we noticed was that the fingerprint of the two [browser vs cli] was
>> different. I too confirmed the same in my own setup.
>>
>>
>>
>> Would it be possible to share certificate fingerprint so all can confirm
>> if they got it correct or not?
>>
>>
>>
>> Regards,
>>
>> Vishal.
>>
>>
>>
>> *From:* Colin Dixon [mailto:co...@colindixon.com]
>> *Sent:* 30 March 2017 21:30
>> *To:* Mohamed ElSerngawy <melserng...@inocybe.ca>
>> *Cc:* Vishal Thapar <vishal.tha...@ericsson.com>; Ed Warnicke <
>> hagb...@gmail.com>; OpenDaylight Discuss <discuss@lists.opendaylight.org>;
>> rele...@lists.opendaylight.org; OpenDaylight Infrastructure <
>> infrastruct...@lists.opendaylight.org>; Daniel Malachovsky -X (dmalacho
>> - PANTHEON TECHNOLOGIES at Cisco) <dmala...@cisco.com>
>>
>>
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> I haven't had more time to debug it since I found the issue. Hopefully
>> I'll have some time today.
>>
>>
>>
>> --Colin
>>
>>
>>
>>
>>
>> On Fri, Mar 2

Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-30 Thread Colin Dixon
l get lots of errors
>> like:
>>
>> [WARNING] Could not transfer metadata
>> org.opendaylight.netconf:netconf-client:1.2.0-SNAPSHOT/maven-metadata.xml
>> from/to opendaylight-snapshot
>> (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/):
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>>
>>
>> I'll keep shaving the Yak for a bit. I suspect moving to Linux and
>> OpenJDK would fix it.
>>
>>
>>
>> --Colin
>>
>>
>>
>>
>>
>> On Thu, Mar 23, 2017 at 4:26 PM, Ed Warnicke <hagb...@gmail.com> wrote:
>>
>> Do we know what the root cause is of having to use that?
>>
>>
>>
>> Ed
>>
>>
>>
>> On Thu, Mar 23, 2017 at 1:24 PM, Colin Dixon <co...@colindixon.com>
>> wrote:
>>
>> While the -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
>> option fixes the problem, it feels like the "wrong" answer. Is there a
>> right answer?
>>
>>
>>
>> --Colin
>>
>>
>>
>>
>>
>> On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <
>> vishal.tha...@ericsson.com> wrote:
>>
>> Thank you Ivan, this worked for me.
>>
>>
>>
>> *From:* Ivan Hraško [mailto:ivan.hra...@pantheon.tech]
>> *Sent:* 20 March 2017 15:44
>> *To:* Vishal Thapar <vishal.tha...@ericsson.com>; Anil Belur <
>> abe...@linuxfoundation.org>
>> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss <
>> discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
>> OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> Hi
>>
>>
>>
>> you can try:
>>
>>
>>
>> mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
>>
>>
>>
>> maybe it helps
>> --
>>
>> *From:* Vishal Thapar <vishal.tha...@ericsson.com>
>> *Sent:* 20 March 2017 11:04
>> *To:* Anil Belur
>> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss;
>> rele...@lists.opendaylight.org; OpenDaylight Infrastructure
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> Hi Anil,
>>
>>
>>
>> I got the certificate downloaded and checked my cert store to confirm
>> also, but still getting the same error.
>>
>>
>>
>> Regards,
>>
>> Vishal.
>>
>>
>>
>> *From:* Anil Belur [mailto:abe...@linuxfoundation.org
>> <abe...@linuxfoundation.org>]
>> *Sent:* 20 March 2017 14:48
>> *To:* Vishal Thapar <vishal.tha...@ericsson.com>
>> *Cc:* Andrew Grimberg <agrimb...@linuxfoundation.org>; OpenDaylight
>> Discuss <discuss@lists.opendaylight.org>; OpenDaylight Infrastructure <
>> infrastruct...@lists.opendaylight.org>; rele...@lists.opendaylight.org;
>> t...@lists.opendaylight.org
>> *Subject:* Re: [OpenDaylight Discuss] [release] Certificate changes
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <
>> vishal.tha...@ericsson.com> wrote:
>>
>> Hi Andrew,
>>
>> I am facing cert issues when trying to build locally. Does this require
>> any specific version of Java? Do I need to manually update certificates?
>>
>> This is what I have:
>> $ java -version
>> java version "1.8.0_60"
>> Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
>> Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
>>
>> This is the error I am getting:
>>
>> Downloading:
>> https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/maven-metadata.xml
>> [WARNING] Could not transfer metadata
>> org.opendaylight.neutron:model:0.8.0-SNAPSHOT/maven-metadata.xml from/to
>> opendaylight-snapshot
>> (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/):
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>>
>>
>> Hello Vishal,
>>
>>
>>
>> This possibly looks like the cert chain may not be imported into your
>> $JAVA_HOME key store. For fixing this, I would try downloading the cert
>> file and using keytool to import the certificate{s}.
>>
>>
>>
>> --[cut]--
>>
>> openssl s_client -connect nexus.opendaylight.org:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
>>
>> /bin/keytool -import -alias nexus.opendaylight.org:443 -keystore /jre/lib/security/cacerts -file public.crt
>>
>> --[/cut]--
>>
>>
>>
>> Thanks,
>>
>> Anil
>>
>>
>>


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-30 Thread Ed Warnicke
> right answer?
>
>
>
> --Colin
>
>
>
>
>
> On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <vishal.tha...@ericsson.com>
> wrote:
>
> Thank you Ivan, this worked for me.
>
>
>
> *From:* Ivan Hraško [mailto:ivan.hra...@pantheon.tech]
> *Sent:* 20 March 2017 15:44
> *To:* Vishal Thapar <vishal.tha...@ericsson.com>; Anil Belur <
> abe...@linuxfoundation.org>
> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss <
> discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
> OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>
>
>
> Hi
>
>
>
> you can try:
>
>
>
> mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
>
>
>
> maybe it helps
> --
>
> *From:* Vishal Thapar <vishal.tha...@ericsson.com>
> *Sent:* 20 March 2017 11:04
> *To:* Anil Belur
> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss;
> rele...@lists.opendaylight.org; OpenDaylight Infrastructure
> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>
>
>
> Hi Anil,
>
>
>
> I got the certificate downloaded and checked my cert store to confirm
> also, but still getting the same error.
>
>
>
> Regards,
>
> Vishal.
>
>
>
> *From:* Anil Belur [mailto:abe...@linuxfoundation.org
> <abe...@linuxfoundation.org>]
> *Sent:* 20 March 2017 14:48
> *To:* Vishal Thapar <vishal.tha...@ericsson.com>
> *Cc:* Andrew Grimberg <agrimb...@linuxfoundation.org>; OpenDaylight
> Discuss <discuss@lists.opendaylight.org>; OpenDaylight Infrastructure <
> infrastruct...@lists.opendaylight.org>; rele...@lists.opendaylight.org;
> t...@lists.opendaylight.org
> *Subject:* Re: [OpenDaylight Discuss] [release] Certificate changes
>
>
>
>
>
>
>
> On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <vishal.tha...@ericsson.com>
> wrote:
>
> Hi Andrew,
>
> I am facing cert issues when trying to build locally. Does this require
> any specific version of Java? Do I need to manually update certificates?
>
> This is what I have:
> $ java -version
> java version "1.8.0_60"
> Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
> Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
>
> This is the error I am getting:
>
> Downloading:
> https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/maven-metadata.xml
> [WARNING] Could not transfer metadata
> org.opendaylight.neutron:model:0.8.0-SNAPSHOT/maven-metadata.xml from/to
> opendaylight-snapshot
> (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/):
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
>
>
> Hello Vishal,
>
>
>
> This possibly looks like the cert chain may not be imported into your
> $JAVA_HOME key store. For fixing this, I would try downloading the cert
> file and using keytool to import the certificate{s}.
>
>
>
> --[cut]--
>
> openssl s_client -connect nexus.opendaylight.org:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
>
> /bin/keytool -import -alias nexus.opendaylight.org:443 -keystore /jre/lib/security/cacerts -file public.crt
>
> --[/cut]--
>
>
>
> Thanks,
>
> Anil
>
>
>


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-30 Thread Ed Warnicke
Initial impressions *matter*.  For example, my local Mac updater reports I
am on Java 8_121... and yet for reasons I have yet to get around to
debugging, my maven is using Java 8 77.  I'm someone who can figure that
out without a lot of difficulty.  I can tell you from tons of experience
onboarding new devs to ODL, expecting that in general is too high a bar.

I get that we have in the past sometimes hit insurmountable bugs in the JVM
that could only be fixed in the most recent JDK... some realities are
beyond our capacity to change... but the cert situation is an unforced
error where we are trading a trivial monetary savings for producing
potentially a lot of initial bad experiences for prospective developers...
most of whom will *not* complain, and will *not* come back, and will simply
tell their friends ODL is broken out of the box.

*Not* keeping a cert compatible with all versions of Java 1.8 until we've
moved on definitively from Java 1.8 (ie: ODL no longer supports Java 1.8 at
all, much as we've deprecated Java 1.7) is deeply penny wise and pound
foolish.

Ed

On Tue, Mar 28, 2017 at 8:37 AM, Thanh Ha 
wrote:

> On Mon, Mar 27, 2017 at 11:32 PM, Ed Warnicke  wrote:
>
>> Anil,
>>
>> That's nice... but at the end of the day, here's the net-net... a large
>> subset of the world's first experience trying to do ODL development is
>> going to be that we are inexplicably broken in a cryptic way.  I strongly
>> recommend we get a cert that is supported by *any* Oracle JDK 1.8, and wait
>> for Oracle JDK 1.8 to be deprecated for use for ODL development (typically
>> something that happens after 1.8 itself has EOLed) *before* using a Let's
>> Encrypt Cert.
>>
>> Initial exposure matters tremendously, and a first experience of "It's
>> broken" is not what we want.
>>
>> Ed
>>
>
> FWIW I don't think using expired versions of Java is good practice either.
> Oracle releases regular critical security patches [1] for a reason.
> According to [0] JDK8 Update 77 was expired on April 19, 2016. Users of
> Oracle's JDK should have received warnings that a new version is available
> and to update.
>
> As someone who used Mac and Windows in the past, I can understand it's
> annoying to receive those update popups and the temptation is to ignore it
> but as developers working on next generation network technology I don't
> think it's unreasonable that we also follow good security practices and
> keep our tools up to date.
>
> Regards,
> Thanh
>
> [0] http://www.oracle.com/technetwork/java/javase/8u77-relnotes-2944725.html
> [1] https://www.oracle.com/technetwork/topics/security/alerts-086861.html
>


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-30 Thread Vishal Thapar
opendaylight.org>; rele...@lists.opendaylight.org;
OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes


Hi



you can try:



mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts



maybe it helps


From: Vishal Thapar <vishal.tha...@ericsson.com>
Sent: 20 March 2017 11:04
To: Anil Belur
Cc: t...@lists.opendaylight.org; OpenDaylight Discuss;
rele...@lists.opendaylight.org; OpenDaylight Infrastructure
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

Hi Anil,

I got the certificate downloaded and checked my cert store to confirm also, but 
still getting the same error.

Regards,
Vishal.

From: Anil Belur [mailto:abe...@linuxfoundation.org]
Sent: 20 March 2017 14:48
To: Vishal Thapar <vishal.tha...@ericsson.com>
Cc: Andrew Grimberg <agrimb...@linuxfoundation.org>;
OpenDaylight Discuss <discuss@lists.opendaylight.org>;
OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>;
rele...@lists.opendaylight.org; t...@lists.opendaylight.org
Subject: Re: [OpenDaylight Discuss] [release] Certificate changes



On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <vishal.tha...@ericsson.com> wrote:
Hi Andrew,

I am facing cert issues when trying to build locally. Does this require any 
specific version of Java? Do I need to manually update certificates?

This is what I have:
$ java -version
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

This is the error I am getting:

Downloading:
https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata
org.opendaylight.neutron:model:0.8.0-SNAPSHOT/maven-metadata.xml from/to
opendaylight-snapshot
(https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/):
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

Hello Vishal,

This possibly looks like the cert chain may not be imported into your 
$JAVA_HOME key store. For fixing this, I would try downloading the cert file 
and using keytool to import the certificate{s}.

--[cut]--
--[cut]--
openssl s_client -connect nexus.opendaylight.org:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
/bin/keytool -import -alias nexus.opendaylight.org:443 -keystore /jre/lib/security/cacerts -file public.crt
--[/cut]--

Thanks,
Anil



Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-30 Thread Colin Dixon
curity/cacerts
>>
>>
>>
>> maybe it helps
>> --
>>
>> *From:* Vishal Thapar <vishal.tha...@ericsson.com>
>> *Sent:* 20 March 2017 11:04
>> *To:* Anil Belur
>> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss;
>> rele...@lists.opendaylight.org; OpenDaylight Infrastructure
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> Hi Anil,
>>
>>
>>
>> I got the certificate downloaded and checked my cert store to confirm
>> also, but still getting the same error.
>>
>>
>>
>> Regards,
>>
>> Vishal.
>>
>>
>>
>> *From:* Anil Belur [mailto:abe...@linuxfoundation.org
>> <abe...@linuxfoundation.org>]
>> *Sent:* 20 March 2017 14:48
>> *To:* Vishal Thapar <vishal.tha...@ericsson.com>
>> *Cc:* Andrew Grimberg <agrimb...@linuxfoundation.org>; OpenDaylight
>> Discuss <discuss@lists.opendaylight.org>; OpenDaylight Infrastructure <
>> infrastruct...@lists.opendaylight.org>; rele...@lists.opendaylight.org;
>> t...@lists.opendaylight.org
>> *Subject:* Re: [OpenDaylight Discuss] [release] Certificate changes
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <
>> vishal.tha...@ericsson.com> wrote:
>>
>> Hi Andrew,
>>
>> I am facing cert issues when trying to build locally. Does this require
>> any specific version of Java? Do I need to manually update certificates?
>>
>> This is what I have:
>> $ java -version
>> java version "1.8.0_60"
>> Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
>> Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
>>
>> This is the error I am getting:
>>
>> Downloading:
>> https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/maven-metadata.xml
>> [WARNING] Could not transfer metadata
>> org.opendaylight.neutron:model:0.8.0-SNAPSHOT/maven-metadata.xml from/to
>> opendaylight-snapshot
>> (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/):
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>>
>>
>> Hello Vishal,
>>
>>
>>
>> This possibly looks like the cert chain may not be imported into your
>> $JAVA_HOME key store. For fixing this, I would try downloading the cert
>> file and using keytool to import the certificate{s}.
>>
>>
>>
>> --[cut]--
>>
>> openssl s_client -connect nexus.opendaylight.org:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
>>
>> /bin/keytool -import -alias nexus.opendaylight.org:443 -keystore /jre/lib/security/cacerts -file public.crt
>>
>> --[/cut]--
>>
>>
>>
>> Thanks,
>>
>> Anil
>>
>>
>>


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-28 Thread Andrew Grimberg
On 03/28/2017 08:37 AM, Thanh Ha wrote:
> On Mon, Mar 27, 2017 at 11:32 PM, Ed Warnicke wrote:
> 
> Anil,
> 
> That's nice... but at the end of the day, here's the net-net... a
> large subset of the world's first experience trying to do ODL
> development is going to be that we are inexplicably broken in a
> cryptic way.  I strongly recommend we get a cert that is supported
> by *any* Oracle JDK 1.8, and wait for Oracle JDK 1.8 to be
> deprecated for use for ODL development (typically something that
> happens after 1.8 itself has EOLed) *before* using a Let's Encrypt Cert.
> 
> Initial exposure matters tremendously, and a first experience of
> "It's broken" is not what we want.
> 
> Ed
> 
> 
> FWIW I don't think using expired versions of Java is good practice
> either. Oracle releases regular critical security patches [1] for a
> reason. According to [0] JDK8 Update 77 was expired on April 19, 2016.
> Users of Oracle's JDK should have received warnings that a new version
> is available and to update.
> 
> As someone who used Mac and Windows in the past, I can understand it's
> annoying to receive those update popups and the temptation is to ignore
> it but as developers working on next generation network technology I
> don't think it's unreasonable that we also follow good security
> practices and keep our tools up to date.
> 
> Regards,
> Thanh
> 
> [0] http://www.oracle.com/technetwork/java/javase/8u77-relnotes-2944725.html
> [1] https://www.oracle.com/technetwork/topics/security/alerts-086861.html

To add to this, while we _can_ switch back to the COMODO cert for Nexus
it's only good until the middle of December and we will _not_ be
purchasing new certs now that we have Let's Encrypt capabilities
configured in our Puppet management.

-Andy-

-- 
Andrew J Grimberg
Lead, IT Release Engineering
The Linux Foundation





Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-28 Thread Thanh Ha
On Mon, Mar 27, 2017 at 11:32 PM, Ed Warnicke  wrote:

> Anil,
>
> That's nice... but at the end of the day, here's the net-net... a large
> subset of the world's first experience trying to do ODL development is
> going to be that we are inexplicably broken in a cryptic way.  I strongly
> recommend we get a cert that is supported by *any* Oracle JDK 1.8, and wait
> for Oracle JDK 1.8 to be deprecated for use for ODL development (typically
> something that happens after 1.8 itself has EOLed) *before* using a Let's
> Encrypt Cert.
>
> Initial exposure matters tremendously, and a first experience of "It's
> broken" is not what we want.
>
> Ed
>

FWIW I don't think using expired versions of Java is good practice either.
Oracle releases regular critical security patches [1] for a reason.
According to [0] JDK8 Update 77 was expired on April 19, 2016. Users of
Oracle's JDK should have received warnings that a new version is available
and to update.

As someone who used Mac and Windows in the past, I can understand it's
annoying to receive those update popups and the temptation is to ignore it
but as developers working on next generation network technology I don't
think it's unreasonable that we also follow good security practices and
keep our tools up to date.

Regards,
Thanh

[0] http://www.oracle.com/technetwork/java/javase/8u77-relnotes-2944725.html
[1] https://www.oracle.com/technetwork/topics/security/alerts-086861.html


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-27 Thread Anil Belur
On Tue, Mar 28, 2017 at 1:32 PM, Ed Warnicke  wrote:

> Anil,
>
> That's nice... but at the end of the day, here's the net-net... a large
> subset of the world's first experience trying to do ODL development is
> going to be that we are inexplicably broken in a cryptic way.  I strongly
> recommend we get a cert that is supported by *any* Oracle JDK 1.8, and wait
> for Oracle JDK 1.8 to be deprecated for use for ODL development (typically
> something that happens after 1.8 itself has EOLed) *before* using a Let's
> Encrypt Cert.
>
> Initial exposure matters tremendously, and a first experience of "It's
> broken" is not what we want.
>
> Ed
>
>
Greetings Ed,

We are working on getting another CA (comodo) added, which should resolve
the issue in question without requiring an update to the latest JDK.

Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited,
L=Salford, ST=Greater Manchester, C=GB

Hopefully the work should be completed by tomorrow.

Thanks,
Anil


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-27 Thread Ed Warnicke
Anil,

That's nice... but at the end of the day, here's the net-net... a large
subset of the world's first experience trying to do ODL development is
going to be that we are inexplicably broken in a cryptic way.  I strongly
recommend we get a cert that is supported by *any* Oracle JDK 1.8, and wait
for Oracle JDK 1.8 to be deprecated for use for ODL development (typically
something that happens after 1.8 itself has EOLed) *before* using a Let's
Encrypt Cert.

Initial exposure matters tremendously, and a first experience of "It's
broken" is not what we want.

Ed

On Mon, Mar 27, 2017 at 7:28 PM, Anil Belur 
wrote:

>
>
> On Tuesday 28 March 2017 11:41 AM, Ed Warnicke wrote:
> > Anil,
> >
> > That's OpenJDK.  The cert has to be recognized by Oracle JDK as well.  It
> > is not.
> >
> > Ed
> >
> > On Mon, Mar 27, 2017 at 6:29 PM, Anil Belur 
> > wrote:
> >
> >>
> >> Hello Ed,
> >>
> >> With a more recent version of JDK shows IdenTrust is available which is
> >> intermediate CA being used is available in [1.].
> >>
> >> # keytool -list -v -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/security/cacerts | grep 'Issuer:' | grep 'CN=IdenTrust'
> >> ...
> >> Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
> >> Issuer: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
> >> Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
> >>
> >> We would recommend updating to a more recent version of the JDK, and let us
> >> know if this resolves the issue.
> >>
> >> [1.] https://bugs.openjdk.java.net/browse/JDK-8161008
> >>
> >> Thanks,
> >> Anil
> >>
> >>
>
> Ed, Please refer to output with Oracle JDK (jdk1.8.0_121) below:
>
> # /usr/java/jdk1.8.0_121/bin/keytool -list -v -keystore /usr/java/jdk1.8.0_121/jre/lib/security/cacerts | grep 'Issuer:' | egrep '(Iden|DST)'
> Enter keystore password:
>
> Issuer: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
> Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
> Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
>
> Let us know if this works. My apologies for the confusion.
>
> Thanks,
> Anil
>
>
>
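
The truststore check that the keytool commands quoted in this message do by eye, written as an added example (not code from the thread or from the OpenDaylight project): it reads `keytool -list -v` output and reports which required root CA names are absent. The sample listings are constructed from Issuer lines of the kind quoted in the thread, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: check a `keytool -list -v` listing for the root CAs a
# server's certificate chain needs, before starting a Maven build.
# Function names and sample data are assumptions made for illustration.

# Print the CN of every "Issuer:" line read from stdin, one per line.
# A CN that itself contains a comma would be cut at the comma.
issuer_cns() {
    sed -n 's/^[[:space:]]*Issuer:.*CN=\([^,]*\).*$/\1/p'
}

# Usage: keytool -list -v ... | missing_roots "CN one" "CN two"
# Prints each required CN that is absent; exit status 1 if any is absent.
missing_roots() {
    present=$(issuer_cns)
    status=0
    for cn in "$@"; do
        if ! printf '%s\n' "$present" | grep -Fqx -- "$cn"; then
            printf '%s\n' "$cn"
            status=1
        fi
    done
    return "$status"
}

# Report on one listing passed as text: label, listing, required CNs...
check_listing() {
    label=$1
    listing=$2
    shift 2
    if missing=$(printf '%s\n' "$listing" | missing_roots "$@"); then
        printf '%s: required roots present\n' "$label"
    else
        printf '%s: missing root(s): %s\n' "$label" \
            "$(printf '%s' "$missing" | tr '\n' ';')"
        return 1
    fi
}

# Constructed sample listings. The first mirrors the older Oracle JDK the
# thread reports as not trusting the Let's Encrypt chain; the second
# mirrors the 8u121 output quoted above.
JDK_8U77_SAMPLE='Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US'

JDK_8U121_SAMPLE='Issuer: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US'

check_listing "JDK 8u77 (sample)" "$JDK_8U77_SAMPLE" "DST Root CA X3" || true
check_listing "JDK 8u121 (sample)" "$JDK_8U121_SAMPLE" "DST Root CA X3" || true

# Against a real JDK 8 install (changeit is the default cacerts password):
#   keytool -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts" \
#       -storepass changeit | missing_roots "DST Root CA X3"
```

Running the check against the JDK that Maven actually launches matters here, since the thread shows a machine where the updater and Maven disagreed about the Java version in use.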


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-27 Thread Anil Belur


On Tuesday 28 March 2017 10:29 AM, Ed Warnicke wrote:
> Anil,
>
> The issue is that we are using a LetsEncrypt cert for nexus.opendaylight.org,
> and that's not a cert that is trusted by the OracleJDK.
> We need a cert from one of the trusted CA listed below:
>
> keytool -list -v -keystore
> /Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre//lib/security/cacerts
> | grep Issuer:
> Enter keystore password:
>
> *  WARNING WARNING WARNING  *
> * The integrity of the information stored in your keystore  *
> * has NOT been verified!  In order to verify its integrity, *
> * you must provide your keystore password.  *
> *  WARNING WARNING WARNING  *
>

Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-27 Thread Ed Warnicke
Anil,

The issue is that we are using a LetsEncrypt cert for nexus.opendaylight.org,
and that's not a cert that is trusted by the OracleJDK.
We need a cert from one of the trusted CA listed below:

keytool -list -v -keystore
/Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre//lib/security/cacerts
| grep Issuer:
Enter keystore password:

*  WARNING WARNING WARNING  *
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.  *
*  WARNING WARNING WARNING  *


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-27 Thread Ed Warnicke
Anil,

Has anyone checked to see if the cert we are using is respected by the
Oracle JDK?

Because I can trivially reproduce this issue with the Oracle JDK that comes
as stock on the Mac (where many of our developers work).
The SSL rating you mentioned is basically meaningless for this problem...
all that matters is:

a)  Is the cert respected by OpenJDK
and
b)  Is the cert respected by Oracle JDK

What I see from my experiment is that the answer to #b is *no*, and so we
must get a cert from a cert authority that *is*.

Ed

On Mon, Mar 27, 2017 at 4:59 PM, Anil Belur 
wrote:

>
>
> On Thursday 16 March 2017 03:01 AM, Andrew Grimberg wrote:
>
> On 03/13/2017 04:56 PM, Andrew Grimberg wrote:
>
> On 03/13/2017 03:15 PM, Andrew Grimberg wrote:
>
> Greetings folks,
>
> Google released Chrome 57 last week and if you happen to have updated you
> may find you can't access portions of OpenDaylight. LF is aware of this
> and will have a fix in place by EOD today.
>
> -Andy-
>
>
> Greetings,
>
> The initial phase of this work is now done. All certificates except for
> Nexus have been switched over to Let's Encrypt certificates. We will be
> moving Nexus over tomorrow but as it's late in the day and we understand
> that Java can be touchy about the certs we don't want to make the change
> late in the business day even though we're certain it will work.
>
> Greetings folks,
>
> I know I said that the cert change for nexus would happen yesterday.
> However, given the issues that Jenkins was having with SNI it didn't
> happen. I have just now completed switching Nexus over to a Let's
> Encrypt (LE) certificate as well.
>
> I do not anticipate any issues given that the LE's CA is cross-signed by
> a CA that is in the Oracle JDK trust store but just in case folks using
> that JDK suddenly can't do local builds anymore, please let us know!
>
> -Andy-
>
>
>
>
> ___
> release mailing list
> release@lists.opendaylight.org
> https://lists.opendaylight.org/mailman/listinfo/release
>
>
> Hi all,
>
> Just letting everyone know, I had a chat with Andy on the issue seen by
> a few people. The recent certificate changes to the Nexus repository, as seen
> in the SSL report in [1.], show an A+ grade and no issues, and therefore would
> not require importing the cert chain manually. Going forward, for those who are
> still seeing the issue, we recommend sharing a dump of the CA certs
> installed, using the following command:
>
> --[cut]--
> /bin/keytool -list -v -keystore 
> /jre/lib/security/cacerts
> > cacerts.txt
> --[/cut]--
>
> [1.] https://www.ssllabs.com/ssltest/analyze.html?d=nexus.opendaylight.org=72.3.167.142
>
> Thanks,
> Anil
>
>
>
>


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-27 Thread Anil Belur


On Thursday 16 March 2017 03:01 AM, Andrew Grimberg wrote:
> On 03/13/2017 04:56 PM, Andrew Grimberg wrote:
>> On 03/13/2017 03:15 PM, Andrew Grimberg wrote:
>>> Greetings folks,
>>>
>>> Google released Chrome 57 last week and if you happen to have updated you
>>> may find you can't access portions of OpenDaylight. LF is aware of this
>>> and will have a fix in place by EOD today.
>>>
>>> -Andy-
>>
>> Greetings,
>>
>> The initial phase of this work is now done. All certificates except for
>> Nexus have been switched over to Let's Encrypt certificates. We will be
>> moving Nexus over tomorrow but as it's late in the day and we understand
>> that Java can be touchy about the certs we don't want to make the change
>> late in the business day even though we're certain it will work.
> Greetings folks,
>
> I know I said that the cert change for nexus would happen yesterday.
> However, given the issues that Jenkins was having with SNI it didn't
> happen. I have just now completed switching Nexus over to a Let's
> Encrypt (LE) certificate as well.
>
> I do not anticipate any issues given that the LE's CA is cross-signed by
> a CA that is in the Oracle JDK trust store but just in case folks using
> that JDK suddenly can't do local builds anymore, please let us know!
>
> -Andy-
>
>
>
> ___
> release mailing list
> rele...@lists.opendaylight.org
> https://lists.opendaylight.org/mailman/listinfo/release

Hi all,

Just letting everyone know, I had a chat with Andy on the issue seen by
a few people. The recent certificate changes to the Nexus repository, as seen
in the SSL report in [1.], show an A+ grade and no issues, and therefore would
not require importing the cert chain manually. Going forward, for those who
are still seeing the issue, we recommend sharing a dump of the CA certs
installed, using the following command:

--[cut]--
/bin/keytool -list -v
-keystore /jre/lib/security/cacerts > cacerts.txt
--[/cut]--

[1.] 
https://www.ssllabs.com/ssltest/analyze.html?d=nexus.opendaylight.org=72.3.167.142

Thanks,
Anil
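
One way to triage the `cacerts.txt` dump requested above, as an added example that is not part of the original message: it lists each trust-store entry, reports which expected root CNs are absent, and flags entries that are not self-signed (such as a server certificate imported by hand). The sample dump, its aliases and `Example Intermediate CA` are constructed; `DST Root CA X3` and the other CA names are taken from the keytool output quoted in this thread.

```shell
#!/usr/bin/env bash
# Triage a `keytool -list -v` dump (the cacerts.txt asked for in the thread).

# Constructed sample dump: aliases and "Example Intermediate CA" are made up.
# A real run would read the cacerts.txt written by keytool instead.
sample_dump() {
cat <<'EOF'
Keystore type: JKS
Your keystore contains 4 entries

Alias name: sample-digicert
Entry type: trustedCertEntry
Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Alias name: sample-comodo
Entry type: trustedCertEntry
Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB

Alias name: sample-equifax
Entry type: trustedCertEntry
Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

Alias name: nexus.opendaylight.org:443
Entry type: trustedCertEntry
Owner: CN=nexus.opendaylight.org
Issuer: CN=Example Intermediate CA, O=Example, C=US
EOF
}

# Print one line per entry: alias <TAB> subject CN <TAB> root|non-root.
# An entry is "root" when Owner and Issuer are identical (self-signed).
anchor_table() {
    awk '
    # Return the CN of a distinguished name, or the whole DN when it has no CN.
    function cn(dn,    p, s) {
        p = index(dn, "CN=")
        if (p == 0) return dn
        s = substr(dn, p + 3)
        if (match(s, /, [A-Za-z]+=/)) s = substr(s, 1, RSTART - 1)
        return s
    }
    { sub(/\r$/, "") }                      # tolerate dumps made on Windows
    /^Alias name: / { alias = substr($0, 13) }
    /^Owner: /      { owner = substr($0, 8) }
    /^Issuer: /     {
        issuer = substr($0, 9)
        printf "%s\t%s\t%s\n", alias, cn(owner), (owner == issuer ? "root" : "non-root")
    }' "$1"
}

# Print every required CN that is not present as a self-signed entry.
# Exact CN match, unlike a substring grep. Returns non-zero if any is missing.
missing_anchors() {
    ma_table=$(anchor_table "$1"); shift
    ma_rc=0
    for ma_want in "$@"; do
        if ! printf '%s\n' "$ma_table" |
            awk -F'\t' -v w="$ma_want" '$2 == w && $3 == "root" { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$ma_want"
            ma_rc=1
        fi
    done
    return $ma_rc
}

# Print aliases of entries that are not self-signed, e.g. a leaf certificate
# that was imported into cacerts as a workaround.
non_root_entries() {
    anchor_table "$1" | awk -F'\t' '$3 != "root" { print $1 }'
}

# Demonstration on the constructed sample.
demo=$(mktemp)
sample_dump > "$demo"
anchor_table "$demo"
echo "missing: $(missing_anchors "$demo" "DST Root CA X3" "COMODO RSA Certification Authority")"
echo "not self-signed: $(non_root_entries "$demo")"
rm -f "$demo"
```

A non-root entry is worth reviewing because it pins one server certificate rather than a CA, and it stops matching as soon as that certificate is renewed.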





Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-24 Thread Mohamed ElSerngawy
Hi Colin,

I have the same issue and tried all the suggested fixes, but they didn't work.
I'm using a Mac and Java 8; did you succeed in fixing it?

Thanks

On Fri, Mar 24, 2017 at 5:58 AM, Daniel Malachovsky -X (dmalacho - PANTHEON
TECHNOLOGIES at Cisco) <dmala...@cisco.com> wrote:

> Hi,
>
>
>
> When I followed Anil’s how-to, I had problems too.
>
> Then I saved certificate manually via browser in Base-64 encoded X.509
> format and ran keytool command Anil sent. Everything worked.
> On Windows 7.
>
>
>
> dano
>
>
>
> *From:* release-boun...@lists.opendaylight.org [mailto:
> release-boun...@lists.opendaylight.org] *On Behalf Of *Vishal Thapar
> *Sent:* 24 March 2017 5:13
> *To:* Colin Dixon; Ed Warnicke
> *Cc:* OpenDaylight Discuss; rele...@lists.opendaylight.org; OpenDaylight
> Infrastructure
>
> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>
>
>
> Colin,
>
>
>
> Did you confirm the fingerprint of the certificate to make sure it is
> added to keystore correctly?
>
>
>
> BTW, I have added
> ‘-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts’
> to my MAVEN_OPTS so I don’t need to give it manually every time.
>
>
>
> Also, I’m using Windows, not Linux.
>
>
>
> Regards,
>
> Vishal.
>
>
>
> *From:* Colin Dixon [mailto:co...@colindixon.com <co...@colindixon.com>]
> *Sent:* 24 March 2017 02:05
> *To:* Ed Warnicke <hagb...@gmail.com>
> *Cc:* Vishal Thapar <vishal.tha...@ericsson.com>; OpenDaylight Discuss <
> discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
> OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>
>
>
> (Dropping TSC.)
>
>
>
> Actually, I'm still working my way through this. I cannot seem to get my
> Mac to trust the new ODL nexus cert. Even following Anil's suggestions
> above and then trying it with
> -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts and I still
> get lots of errors like:
>
> [WARNING] Could not transfer metadata org.opendaylight.netconf:netconf-client:1.2.0-SNAPSHOT/maven-metadata.xml from/to opendaylight-snapshot (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
>
>
> I'll keep shaving the Yak for a bit. I suspect moving to Linux and OpenJDK
> would fix it.
>
>
>
> --Colin
>
>
>
>
>
> On Thu, Mar 23, 2017 at 4:26 PM, Ed Warnicke <hagb...@gmail.com> wrote:
>
> Do we know what the root cause is of having to use that?
>
>
>
> Ed
>
>
>
> On Thu, Mar 23, 2017 at 1:24 PM, Colin Dixon <co...@colindixon.com> wrote:
>
> While the -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
> option fixes the problem, it feels like the "wrong" answer. Is there a
> right answer?
>
>
>
> --Colin
>
>
>
>
>
> On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <vishal.tha...@ericsson.com>
> wrote:
>
> Thank you Ivan, this worked for me.
>
>
>
> *From:* Ivan Hraško [mailto:ivan.hra...@pantheon.tech]
> *Sent:* 20 March 2017 15:44
> *To:* Vishal Thapar <vishal.tha...@ericsson.com>; Anil Belur <
> abe...@linuxfoundation.org>
> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss <
> discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
> OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>
>
>
> Hi
>
>
>
> you can try:
>
>
>
> mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
>
>
>
> maybe it helps
> --
>
> *From:* Vishal Thapar <vishal.tha...@ericsson.com>
> *Sent:* 20 March 2017 11:04
> *To:* Anil Belur
> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss;
> rele...@lists.opendaylight.org; OpenDaylight Infrastructure
> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>
>
>
> Hi Anil,
>
>
>
> I got the certificate downloaded and checked my cert store to confirm
> also, but still getting the same error.
>
>
>
> Regards,
>
> Vishal.
>
>
>
> *From:* Anil Belur [mailto:abe...@linuxfoundation.org
> <abe...@linuxfoundation.org>]
> *Sent:* 20 March 2017 14:48
> *To:* Vishal Thapar <vishal.tha...@ericsson.com&

Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-24 Thread Daniel Malachovsky -X (dmalacho - PANTHEON TECHNOLOGIES at Cisco)
Hi,

When I followed Anil’s how-to, I had problems too.
Then I saved certificate manually via browser in Base-64 encoded X.509 format 
and ran keytool command Anil sent. Everything worked.
On Windows 7.

dano

From: release-boun...@lists.opendaylight.org 
[mailto:release-boun...@lists.opendaylight.org] On Behalf Of Vishal Thapar
Sent: 24 March 2017 5:13
To: Colin Dixon; Ed Warnicke
Cc: OpenDaylight Discuss; rele...@lists.opendaylight.org; OpenDaylight 
Infrastructure
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

Colin,

Did you confirm the fingerprint of the certificate to make sure it is added to 
keystore correctly?

BTW, I have added
‘-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts’ to my
MAVEN_OPTS so I don’t need to give it manually every time.

Also, I’m using Windows, not Linux.

Regards,
Vishal.

From: Colin Dixon [mailto:co...@colindixon.com]
Sent: 24 March 2017 02:05
To: Ed Warnicke <hagb...@gmail.com>
Cc: Vishal Thapar <vishal.tha...@ericsson.com>; OpenDaylight Discuss
<discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

(Dropping TSC.)

Actually, I'm still working my way through this. I cannot seem to get my Mac to 
trust the new ODL nexus cert. Even following Anil's suggestions above and then 
trying it with -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts 
and I still get lots of errors like:
[WARNING] Could not transfer metadata 
org.opendaylight.netconf:netconf-client:1.2.0-SNAPSHOT/maven-metadata.xml 
from/to opendaylight-snapshot 
(https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/): 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

I'll keep shaving the Yak for a bit. I suspect moving to Linux and OpenJDK 
would fix it.

--Colin


On Thu, Mar 23, 2017 at 4:26 PM, Ed Warnicke <hagb...@gmail.com> wrote:
Do we know what the root cause is of having to use that?

Ed

On Thu, Mar 23, 2017 at 1:24 PM, Colin Dixon <co...@colindixon.com> wrote:
While the -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts option 
fixes the problem, it feels like the "wrong" answer. Is there a right answer?

--Colin


On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <vishal.tha...@ericsson.com> wrote:
Thank you Ivan, this worked for me.

From: Ivan Hraško [mailto:ivan.hra...@pantheon.tech]
Sent: 20 March 2017 15:44
To: Vishal Thapar <vishal.tha...@ericsson.com>; Anil Belur
<abe...@linuxfoundation.org>
Cc: t...@lists.opendaylight.org; OpenDaylight Discuss
<discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes


Hi



you can try:



mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts



maybe it helps


From: Vishal Thapar <vishal.tha...@ericsson.com>
Sent: 20 March 2017 11:04
To: Anil Belur
Cc: t...@lists.opendaylight.org; OpenDaylight Discuss;
rele...@lists.opendaylight.org; OpenDaylight Infrastructure
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

Hi Anil,

I got the certificate downloaded and checked my cert store to confirm also, but 
still getting the same error.

Regards,
Vishal.

From: Anil Belur [mailto:abe...@linuxfoundation.org]
Sent: 20 March 2017 14:48
To: Vishal Thapar <vishal.tha...@ericsson.com>
Cc: Andrew Grimberg <agrimb...@linuxfoundation.org>; OpenDaylight Discuss
<discuss@lists.opendaylight.org>; OpenDaylight Infrastructure
<infrastruct...@lists.opendaylight.org>; rele...@lists.opendaylight.org;

Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-23 Thread Vishal Thapar
Colin,

Did you confirm the fingerprint of the certificate to make sure it is added to 
keystore correctly?

BTW, I have added
‘-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts’ to my
MAVEN_OPTS so I don’t need to give it manually every time.

Also, I’m using Windows, not Linux.

Regards,
Vishal.

From: Colin Dixon [mailto:co...@colindixon.com]
Sent: 24 March 2017 02:05
To: Ed Warnicke <hagb...@gmail.com>
Cc: Vishal Thapar <vishal.tha...@ericsson.com>; OpenDaylight Discuss 
<discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org; OpenDaylight 
Infrastructure <infrastruct...@lists.opendaylight.org>
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

(Dropping TSC.)

Actually, I'm still working my way through this. I cannot seem to get my Mac to 
trust the new ODL nexus cert. Even following Anil's suggestions above and then 
trying it with -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts 
and I still get lots of errors like:
[WARNING] Could not transfer metadata 
org.opendaylight.netconf:netconf-client:1.2.0-SNAPSHOT/maven-metadata.xml 
from/to opendaylight-snapshot 
(https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/): 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

I'll keep shaving the Yak for a bit. I suspect moving to Linux and OpenJDK 
would fix it.

--Colin


On Thu, Mar 23, 2017 at 4:26 PM, Ed Warnicke <hagb...@gmail.com> wrote:
Do we know what the root cause is of having to use that?

Ed

On Thu, Mar 23, 2017 at 1:24 PM, Colin Dixon <co...@colindixon.com> wrote:
While the -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts option 
fixes the problem, it feels like the "wrong" answer. Is there a right answer?

--Colin


On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <vishal.tha...@ericsson.com> wrote:
Thank you Ivan, this worked for me.

From: Ivan Hraško [mailto:ivan.hra...@pantheon.tech]
Sent: 20 March 2017 15:44
To: Vishal Thapar <vishal.tha...@ericsson.com>; Anil Belur
<abe...@linuxfoundation.org>
Cc: t...@lists.opendaylight.org; OpenDaylight Discuss
<discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes


Hi



you can try:



mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts



maybe it helps


From: Vishal Thapar <vishal.tha...@ericsson.com>
Sent: 20 March 2017 11:04
To: Anil Belur
Cc: t...@lists.opendaylight.org; OpenDaylight Discuss;
rele...@lists.opendaylight.org; OpenDaylight Infrastructure
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

Hi Anil,

I got the certificate downloaded and checked my cert store to confirm also, but 
still getting the same error.

Regards,
Vishal.

From: Anil Belur [mailto:abe...@linuxfoundation.org]
Sent: 20 March 2017 14:48
To: Vishal Thapar <vishal.tha...@ericsson.com>
Cc: Andrew Grimberg <agrimb...@linuxfoundation.org>; OpenDaylight Discuss
<discuss@lists.opendaylight.org>; OpenDaylight Infrastructure
<infrastruct...@lists.opendaylight.org>; rele...@lists.opendaylight.org;
t...@lists.opendaylight.org
Subject: Re: [OpenDaylight Discuss] [release] Certificate changes



On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <vishal.tha...@ericsson.com> wrote:
Hi Andrew,

I am facing cert issues when trying to build locally. Does this require any 
specific version of Java? Do I need to manually update certificates?

This is what I have:
$ java -version
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

This is the error I am getting:

Downloading: 
https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/openday

Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-23 Thread Ed Warnicke
Do we know what the root cause is of having to use that?

Ed

On Thu, Mar 23, 2017 at 1:24 PM, Colin Dixon <co...@colindixon.com> wrote:

> While the -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
> option fixes the problem, it feels like the "wrong" answer. Is there a
> right answer?
>
> --Colin
>
>
> On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <vishal.tha...@ericsson.com
> > wrote:
>
>> Thank you Ivan, this worked for me.
>>
>>
>>
>> *From:* Ivan Hraško [mailto:ivan.hra...@pantheon.tech]
>> *Sent:* 20 March 2017 15:44
>> *To:* Vishal Thapar <vishal.tha...@ericsson.com>; Anil Belur <
>> abe...@linuxfoundation.org>
>> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss <
>> discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
>> OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> Hi
>>
>>
>>
>> you can try:
>>
>>
>>
>> mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
>>
>>
>>
>> maybe it helps
>> --
>>
>> *From:* Vishal Thapar <vishal.tha...@ericsson.com>
>> *Sent:* 20 March 2017 11:04
>> *To:* Anil Belur
>> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss;
>> rele...@lists.opendaylight.org; OpenDaylight Infrastructure
>> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>>
>>
>>
>> Hi Anil,
>>
>>
>>
>> I got the certificate downloaded and checked my cert store to confirm
>> also, but still getting the same error.
>>
>>
>>
>> Regards,
>>
>> Vishal.
>>
>>
>>
>> *From:* Anil Belur [mailto:abe...@linuxfoundation.org
>> <abe...@linuxfoundation.org>]
>> *Sent:* 20 March 2017 14:48
>> *To:* Vishal Thapar <vishal.tha...@ericsson.com>
>> *Cc:* Andrew Grimberg <agrimb...@linuxfoundation.org>; OpenDaylight
>> Discuss <discuss@lists.opendaylight.org>; OpenDaylight Infrastructure <
>> infrastruct...@lists.opendaylight.org>; rele...@lists.opendaylight.org;
>> t...@lists.opendaylight.org
>> *Subject:* Re: [OpenDaylight Discuss] [release] Certificate changes
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <
>> vishal.tha...@ericsson.com> wrote:
>>
>> Hi Andrew,
>>
>> I am facing cert issues when trying to build locally. Does this require
>> any specific version of Java? Do I need to manually update certificates?
>>
>> This is what I have:
>> $ java -version
>> java version "1.8.0_60"
>> Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
>> Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
>>
>> This is the error I am getting:
>>
>> Downloading: https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/maven-metadata.xml
>> [WARNING] Could not transfer metadata org.opendaylight.neutron:model:0.8.0-SNAPSHOT/maven-metadata.xml from/to opendaylight-snapshot (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>
>>
>>
>> Hello Vishal,
>>
>>
>>
>> This possibly looks like the cert chain may not be imported into your
>> $JAVA_HOME key store. For fixing this, I would try downloading the cert
>> file and using keytool to import the certificate(s).
>>
>>
>>
>> --[cut]--
>>
>> openssl s_client -connect nexus.opendaylight.org:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
>>
>> /bin/keytool -import -alias nexus.opendaylight.org:443 -keystore /jre/lib/security/cacerts -file public.crt
>>
>> --[/cut]--
>>
>>
>>
>> Thanks,
>>
>> Anil
>>
___
Discuss mailing list
Discuss@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/discuss


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-23 Thread Colin Dixon
While the -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
option fixes the problem, it feels like the "wrong" answer. Is there a
right answer?

--Colin


On Mon, Mar 20, 2017 at 8:05 AM, Vishal Thapar <vishal.tha...@ericsson.com>
wrote:

> Thank you Ivan, this worked for me.
>
>
>
> *From:* Ivan Hraško [mailto:ivan.hra...@pantheon.tech]
> *Sent:* 20 March 2017 15:44
> *To:* Vishal Thapar <vishal.tha...@ericsson.com>; Anil Belur <
> abe...@linuxfoundation.org>
> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss <
> discuss@lists.opendaylight.org>; rele...@lists.opendaylight.org;
> OpenDaylight Infrastructure <infrastruct...@lists.opendaylight.org>
> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>
>
>
> Hi
>
>
>
> you can try:
>
>
>
> mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
>
>
>
> maybe it helps
> --
>
> *From:* Vishal Thapar <vishal.tha...@ericsson.com>
> *Sent:* 20 March 2017 11:04
> *To:* Anil Belur
> *Cc:* t...@lists.opendaylight.org; OpenDaylight Discuss;
> rele...@lists.opendaylight.org; OpenDaylight Infrastructure
> *Subject:* Re: [release] [OpenDaylight Discuss] Certificate changes
>
>
>
> Hi Anil,
>
>
>
> I got the certificate downloaded and checked my cert store to confirm
> also, but still getting the same error.
>
>
>
> Regards,
>
> Vishal.
>
>
>
> *From:* Anil Belur [mailto:abe...@linuxfoundation.org]
> *Sent:* 20 March 2017 14:48
> *To:* Vishal Thapar <vishal.tha...@ericsson.com>
> *Cc:* Andrew Grimberg <agrimb...@linuxfoundation.org>; OpenDaylight
> Discuss <discuss@lists.opendaylight.org>; OpenDaylight Infrastructure <
> infrastruct...@lists.opendaylight.org>; rele...@lists.opendaylight.org;
> t...@lists.opendaylight.org
> *Subject:* Re: [OpenDaylight Discuss] [release] Certificate changes
>
>
>
>
>
>
>
> On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <vishal.tha...@ericsson.com>
> wrote:
>
> Hi Andrew,
>
> I am facing cert issues when trying to build locally. Does this require
> any specific version of Java? Do I need to manually update certificates?
>
> This is what I have:
> $ java -version
> java version "1.8.0_60"
> Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
> Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
>
> This is the error I am getting:
>
> Downloading: https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/maven-metadata.xml
> [WARNING] Could not transfer metadata org.opendaylight.neutron:model:0.8.0-SNAPSHOT/maven-metadata.xml from/to opendaylight-snapshot (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
>
>
> Hello Vishal,
>
>
>
> This possibly looks like the cert chain may not be imported into your
> $JAVA_HOME key store. For fixing this, I would try downloading the cert
> file and using keytool to import the certificate(s).
>
>
>
> --[cut]--
>
> openssl s_client -connect nexus.opendaylight.org:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
>
> /bin/keytool -import -alias nexus.opendaylight.org:443 -keystore /jre/lib/security/cacerts -file public.crt
>
> --[/cut]--
>
>
>
> Thanks,
>
> Anil
>
___
Discuss mailing list
Discuss@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/discuss
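
On the "right answer" question above, one option that neither edits the JRE's `cacerts` nor pins the server's own certificate, as an added example that is not part of the original thread: the quoted `openssl s_client | sed` pipeline saves only the leaf certificate because `-showcerts` is not passed, so this sketch works from a saved `-showcerts` transcript and imports only the CA certificates into a private truststore copy. The function names, the `nexus.example.org` transcript and the truststore file name are assumptions; the `keytool` and `mvn` lines are printed, not run.

```shell
#!/bin/sh
# Added example, not from the thread. Splits a saved `openssl s_client -showcerts`
# transcript into one PEM file per certificate and prints (does not run) the
# steps that import only the CA certificates into a private truststore copy.

# Constructed transcript: names and certificate bodies are placeholders.
sample_transcript() {
cat <<'EOF'
Certificate chain
 0 s:/CN=nexus.example.org
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-BODY
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-BODY
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=nexus.example.org
EOF
}

# split_chain TRANSCRIPT OUTDIR: writes OUTDIR/cert-N.pem in the order the
# server sent them (cert-0 is the leaf) and prints the number found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++); on = 1 }
        on                            { print > out }
        /-----END CERTIFICATE-----/   { on = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# import_plan OUTDIR STORE: prints commands for every certificate except the
# leaf, so a renewed server certificate does not break the build again. Compare
# the -printcert fingerprint with the CA's published value before confirming.
import_plan() {
    echo "cp \"\$JAVA_HOME/jre/lib/security/cacerts\" \"$2\""
    for pem in "$1"/cert-*.pem; do
        [ -f "$pem" ] || continue
        [ "$pem" != "$1/cert-0.pem" ] || continue
        echo "keytool -printcert -file \"$pem\""
        echo "keytool -importcert -alias \"$(basename "$pem" .pem)\" -keystore \"$2\" -file \"$pem\""
    done
    echo "mvn clean install -Djavax.net.ssl.trustStore=\"$2\""
}
```

A real transcript for `split_chain` comes from `openssl s_client -connect nexus.opendaylight.org:443 -showcerts < /dev/null > transcript.txt`; the chain it contains is whatever the connection delivered, which is why the fingerprint comparison precedes the import.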


Re: [OpenDaylight Discuss] [release] Certificate changes

2017-03-21 Thread Ivan Hraško
Hi


you can try:


mvn clean install -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts


maybe it helps


From: Vishal Thapar <vishal.tha...@ericsson.com>
Sent: 20 March 2017 11:04
To: Anil Belur
Cc: t...@lists.opendaylight.org; OpenDaylight Discuss;
rele...@lists.opendaylight.org; OpenDaylight Infrastructure
Subject: Re: [release] [OpenDaylight Discuss] Certificate changes

Hi Anil,

I got the certificate downloaded and checked my cert store to confirm also, but 
still getting the same error.

Regards,
Vishal.

From: Anil Belur [mailto:abe...@linuxfoundation.org]
Sent: 20 March 2017 14:48
To: Vishal Thapar <vishal.tha...@ericsson.com>
Cc: Andrew Grimberg <agrimb...@linuxfoundation.org>; OpenDaylight Discuss 
<discuss@lists.opendaylight.org>; OpenDaylight Infrastructure 
<infrastruct...@lists.opendaylight.org>; rele...@lists.opendaylight.org; 
t...@lists.opendaylight.org
Subject: Re: [OpenDaylight Discuss] [release] Certificate changes



On Mon, Mar 20, 2017 at 5:41 PM, Vishal Thapar <vishal.tha...@ericsson.com> wrote:
Hi Andrew,

I am facing cert issues when trying to build locally. Does this require any 
specific version of Java? Do I need to manually update certificates?

This is what I have:
$ java -version
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

This is the error I am getting:

Downloading: https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/neutron/model/0.8.0-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata org.opendaylight.neutron:model:0.8.0-SNAPSHOT/maven-metadata.xml from/to opendaylight-snapshot (https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hello Vishal,

This possibly looks like the cert chain may not be imported into your 
$JAVA_HOME key store. For fixing this, I would try downloading the cert file 
and using keytool to import the certificate(s).

--[cut]--
openssl s_client -connect nexus.opendaylight.org:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
/bin/keytool -import -alias nexus.opendaylight.org:443 -keystore /jre/lib/security/cacerts -file public.crt
--[/cut]--

Thanks,
Anil
___
Discuss mailing list
Discuss@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/discuss