[ovirt-users] Re: Using third-party certificate: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Thanks, this put me in the correct track. In my case, I just needed to run step 2, as the rest of the configuration is being handled in a different way and works well. I also tried to restart the host and it still works. Thanks for the help! El 2021-10-01 00:13, Edward Berger escribió: I have an engine with a similar issue. You might want to revert to the old self signed cert created by installation, and then follow the instructions at https://ovirt.org/documentation/administration_guide/index.html to try re-installing the third party cert after you're sure the original cert is working properly. My temp fix for this (didn't survive an engine VM reboot) was to cat the cert I was installing with its intermediate-root cert into a file named full.crt and then running a command as root like... keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file full.crt and then systemctl restart ovirt-engine #to pick up the change. Still trying to track down what's different on this one vs others that work. key size is larger cert has alternative name. On Thu, Sep 30, 2021 at 4:47 PM Nicolás wrote: Please, any help with this? El 29/9/21 a las 13:21, nico...@devels.es escribió: Hi, I'm making a bare metal oVirt installation, version 4.4.8. 'ovirt-engine' command ends well, however, we're using a third-party certificate (from LetsEncrypt) both for the apache server and the ovirt-websocket-proxy. So we changed configuration files regarding httpd and ovirt-websocket-proxy. Once changed the configurations, if I try to log in to the oVirt engine, I get a "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error. In prior versions we used to add the chain to the /etc/pki/ovirt-engine/.truststore file, however, simply listing the current certificates seems not to be working on 4.4.8. # LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -alias intermedia_le -storepass mypass keytool error: java.io.IOException: Invalid keystore format Is there something I'm missing here? Thank ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5VWVBQGIWJSPWVTV5UK2I2VXBNDV6GSS/ ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKYBE6TJZFMAXX2G6GPMXIQYW7F5LABY/ ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HQJS3WEZPYJV3DTI4FNNWK4FC4GFD3HV/
[ovirt-users] Re: Using third-party certificate: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have an engine with a similar issue. You might want to revert to the old self signed cert created by installation, and then follow the instructions at https://ovirt.org/documentation/administration_guide/index.html to try re-installing the third party cert after you're sure the original cert is working properly. My temp fix for this (didn't survive an engine VM reboot) was to cat the cert I was installing with its intermediate-root cert into a file named full.crt and then running a command as root like... keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file full.crt and then systemctl restart ovirt-engine #to pick up the change. Still trying to track down what's different on this one vs others that work. key size is larger cert has alternative name. On Thu, Sep 30, 2021 at 4:47 PM Nicolás wrote: > Please, any help with this? > > El 29/9/21 a las 13:21, nico...@devels.es escribió: > > Hi, > > > > I'm making a bare metal oVirt installation, version 4.4.8. > > 'ovirt-engine' command ends well, however, we're using a third-party > > certificate (from LetsEncrypt) both for the apache server and the > > ovirt-websocket-proxy. So we changed configuration files regarding > > httpd and ovirt-websocket-proxy. > > > > Once changed the configurations, if I try to log in to the oVirt > > engine, I get a "PKIX path building failed: > > sun.security.provider.certpath.SunCertPathBuilderException: unable to > > find valid certification path to requested target" error. > > > > In prior versions we used to add the chain to the > > /etc/pki/ovirt-engine/.truststore file, however, simply listing the > > current certificates seems not to be working on 4.4.8. > > > > # LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore > > -alias intermedia_le -storepass mypass > > keytool error: java.io.IOException: Invalid keystore format > > > > Is there something I'm missing here? > > > > Thank > > ___ > > Users mailing list -- users@ovirt.org > > To unsubscribe send an email to users-le...@ovirt.org > > Privacy Statement: https://www.ovirt.org/privacy-policy.html > > oVirt Code of Conduct: > > https://www.ovirt.org/community/about/community-guidelines/ > > List Archives: > > > https://lists.ovirt.org/archives/list/users@ovirt.org/message/5VWVBQGIWJSPWVTV5UK2I2VXBNDV6GSS/ > ___ > Users mailing list -- users@ovirt.org > To unsubscribe send an email to users-le...@ovirt.org > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKYBE6TJZFMAXX2G6GPMXIQYW7F5LABY/ > ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/K7Q2WDCSCZPSKL2IHJA6C2BIFGYLH3IZ/
[ovirt-users] Re: Using third-party certificate: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Please, any help with this? El 29/9/21 a las 13:21, nico...@devels.es escribió: Hi, I'm making a bare metal oVirt installation, version 4.4.8. 'ovirt-engine' command ends well, however, we're using a third-party certificate (from LetsEncrypt) both for the apache server and the ovirt-websocket-proxy. So we changed configuration files regarding httpd and ovirt-websocket-proxy. Once changed the configurations, if I try to log in to the oVirt engine, I get a "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error. In prior versions we used to add the chain to the /etc/pki/ovirt-engine/.truststore file, however, simply listing the current certificates seems not to be working on 4.4.8. # LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -alias intermedia_le -storepass mypass keytool error: java.io.IOException: Invalid keystore format Is there something I'm missing here? Thank ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5VWVBQGIWJSPWVTV5UK2I2VXBNDV6GSS/ ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKYBE6TJZFMAXX2G6GPMXIQYW7F5LABY/