https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156069#M36335 <P>Dear team</P><P>(I posted the same content in github <A href="https://github.com/sequenceiq/cloudbreak/issues/1825" target="_blank">https://github.com/sequenceiq/cloudbreak/issues/1825</A> )</P><P>I am trying to use cloudbreak to create Hadoop cluster with our Openstack environment.</P><P>but got some errors when create credentials.</P><P>Enviroment:</P><P>1. Openstack version: Juno</P><P>2. CentOS Linux release 7.2</P><P>I found the same problem in <A href="https://github.com/sequenceiq/cloudbreak/issues/948">#948</A> , and tried the same approach,</P><P>1. copy .crt file into docker</P><P>2. use "keytool -import" to import it into /etc/ssl/certs/java/cacerts</P><P>3. restart container cbreak_cloudbreak_1</P><P>4. run "credential create" and got failed.</P><P>CLI:</P><PRE>&lt;code&gt;credential create --OPENSTACK --name ynwm --description "keystone.(masked)" --userName sso --password (masked) --tenantName query-engine-test --endPoint <A href="https://keystone.(masked):5000/v2.0/" target="_blank">https://keystone.(masked):5000/v2.0/</A> --sshKeyString "ssh-rsa AAA.....(masked)..5Q== sso_created" --publicInAccount true </PRE> <P>error:</P><PRE>&lt;code&gt;Command failed java.lang.RuntimeException: Failed to verify the credential: Could not verify credential [credential: 'ynwm'], detailed message: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target </PRE> <P style="margin-left: 20px;">I found another document </P><P><A href="https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/openstack/deployer.md">https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/openstack/deployer.md</A></P><P><A href="https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/configuration.md"></A></P><P>In which it says, </P><BLOCKQUOTE> <P>If your OpenStack is secured with a self-signed certificate, you need to import that certificate into Cloudbreak, or else Cloudbreak won't be able to communicate with your OpenStack. To import the certificate, place the certificate file in the generated certs directory /certs/trusted/. The trusted directory does not exist by default, so you need to create it. Cloudbreak will automatically pick up these certificates and import them into its truststore upon start.</P><P>so I copied my .crt file into certs/trusted,</P><P>and restarted cbd, </P></BLOCKQUOTE><PRE>&lt;code&gt;[sso@cloudbreak02 ~/tools/cloudbreak-deployment]$ sudo docker exec -it cbreak_cloudbreak_1 bash root@dd24262dd30c:/# ls -al /certs/trusted/ total 16 drwxr-xr-x 2 root root 4096 Jul 29 01:41 . drwxr-xr-x 3 root root 4096 Jul 29 01:39 .. -rw-r--r-- 1 root root 4753 Jul 27 08:17 sso.crt root@dd24262dd30c:/# </PRE> <PRE>&lt;code&gt;sudo cbd start sudo cbd util cloudbreak-shell credential create --OPENSTACK ....(the same with the command above) </PRE> <P>however still got the SSL error:</P><PRE>&lt;code&gt;/cbreak_cloudbreak_1 | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target /cbreak_cloudbreak_1 | at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) /cbreak_cloudbreak_1 | at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) /cbreak_cloudbreak_1 | at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) /cbreak_cloudbreak_1 | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) /cbreak_cloudbreak_1 | ... 82 common frames omitted </PRE> <P>Thanks for any possible help</P> Fri, 29 Jul 2016 09:06:14 GMT sso 2016-07-29T09:06:14Z https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156069#M36335 <P>Dear team</P><P>(I posted the same content in github <A href="https://github.com/sequenceiq/cloudbreak/issues/1825" target="_blank">https://github.com/sequenceiq/cloudbreak/issues/1825</A> )</P><P>I am trying to use cloudbreak to create Hadoop cluster with our Openstack environment.</P><P>but got some errors when create credentials.</P><P>Enviroment:</P><P>1. Openstack version: Juno</P><P>2. CentOS Linux release 7.2</P><P>I found the same problem in <A href="https://github.com/sequenceiq/cloudbreak/issues/948">#948</A> , and tried the same approach,</P><P>1. copy .crt file into docker</P><P>2. use "keytool -import" to import it into /etc/ssl/certs/java/cacerts</P><P>3. restart container cbreak_cloudbreak_1</P><P>4. run "credential create" and got failed.</P><P>CLI:</P><PRE>&lt;code&gt;credential create --OPENSTACK --name ynwm --description "keystone.(masked)" --userName sso --password (masked) --tenantName query-engine-test --endPoint <A href="https://keystone.(masked):5000/v2.0/" target="_blank">https://keystone.(masked):5000/v2.0/</A> --sshKeyString "ssh-rsa AAA.....(masked)..5Q== sso_created" --publicInAccount true </PRE> <P>error:</P><PRE>&lt;code&gt;Command failed java.lang.RuntimeException: Failed to verify the credential: Could not verify credential [credential: 'ynwm'], detailed message: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target </PRE> <P style="margin-left: 20px;">I found another document </P><P><A href="https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/openstack/deployer.md">https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/openstack/deployer.md</A></P><P><A href="https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/configuration.md"></A></P><P>In which it says, </P><BLOCKQUOTE> <P>If your OpenStack is secured with a self-signed certificate, you need to import that certificate into Cloudbreak, or else Cloudbreak won't be able to communicate with your OpenStack. To import the certificate, place the certificate file in the generated certs directory /certs/trusted/. The trusted directory does not exist by default, so you need to create it. Cloudbreak will automatically pick up these certificates and import them into its truststore upon start.</P><P>so I copied my .crt file into certs/trusted,</P><P>and restarted cbd, </P></BLOCKQUOTE><PRE>&lt;code&gt;[sso@cloudbreak02 ~/tools/cloudbreak-deployment]$ sudo docker exec -it cbreak_cloudbreak_1 bash root@dd24262dd30c:/# ls -al /certs/trusted/ total 16 drwxr-xr-x 2 root root 4096 Jul 29 01:41 . drwxr-xr-x 3 root root 4096 Jul 29 01:39 .. -rw-r--r-- 1 root root 4753 Jul 27 08:17 sso.crt root@dd24262dd30c:/# </PRE> <PRE>&lt;code&gt;sudo cbd start sudo cbd util cloudbreak-shell credential create --OPENSTACK ....(the same with the command above) </PRE> <P>however still got the SSL error:</P><PRE>&lt;code&gt;/cbreak_cloudbreak_1 | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target /cbreak_cloudbreak_1 | at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) /cbreak_cloudbreak_1 | at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) /cbreak_cloudbreak_1 | at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) /cbreak_cloudbreak_1 | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) /cbreak_cloudbreak_1 | ... 82 common frames omitted </PRE> <P>Thanks for any possible help</P> Fri, 29 Jul 2016 09:06:14 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156069#M36335 sso 2016-07-29T09:06:14Z https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156070#M36336 <PRE>/cbreak_cloudbreak_1 | Importing certificates to the default Java certificate trust store. /cbreak_registrator_1 | 2016/07/29 01:44:42 registrator: added: dd24262dd30c af7ab373046f:cbreak_cloudbreak_1:8080 /cbreak_consul_1 | 2016/07/29 01:44:42 [INFO] agent: Synced service 'af7ab373046f:cbreak_cloudbreak_1:8080' /cbreak_cloudbreak_1 | Certificate was added to keystore /cbreak_cloudbreak_1 | Certificate added to default Java trust store with alias sso.crt. /cbreak_cloudbreak_1 | Starting the Cloudbreak application... /cbreak_cloudbreak_1 | + '[' true == false ']' /cbreak_cloudbreak_1 | + java -jar /cloudbreak.jar</PRE><P>I checked log file and found "Certificate added to default Java trust store with alias sso.crt", </P><P>so I think the .crt file is added correctly.</P><P>However I still get SSL error when access the HTTPS endpoint.</P> Fri, 29 Jul 2016 10:04:56 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156070#M36336 sso 2016-07-29T10:04:56Z https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156071#M36337 <P>Self response:</P><P>This problem is resolved.</P><P>Because I imported a wrong .crt file, which is not for our HTTPS server, the "credential create" command failed.</P><P>After putting the correct .crt file under "certs/trusted", I created a new </P><P>credential successfully.</P> Fri, 29 Jul 2016 14:09:22 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156071#M36337 sso 2016-07-29T14:09:22Z https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156072#M36338 <P>Glad that it worked out, let us know if you believe something is missing from the docs and can be improved.</P> Fri, 29 Jul 2016 16:13:19 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/cloudbreak-openstack-SSL-error-after-put-crt-file-in-certs/m-p/156072#M36338 Krisz 2016-07-29T16:13:19Z