Cloudbreak OpenStack SSL error after putting .crt file in certs/trusted

Contributor

Dear team,

(I posted the same content on GitHub: https://github.com/sequenceiq/cloudbreak/issues/1825)

I am trying to use Cloudbreak to create a Hadoop cluster in our OpenStack environment,

but I got some errors when creating credentials.

Environment:

1. OpenStack version: Juno

2. CentOS Linux release 7.2

I found the same problem in #948 and tried the same approach:

1. copy the .crt file into docker

2. use "keytool -import" to import it into /etc/ssl/certs/java/cacerts

3. restart container cbreak_cloudbreak_1

4. run "credential create", which failed.

CLI:

<code>credential create --OPENSTACK --name ynwm --description "keystone.(masked)" --userName sso --password (masked) --tenantName query-engine-test --endPoint https://keystone.(masked):5000/v2.0/ --sshKeyString "ssh-rsa AAA.....(masked)..5Q== sso_created" --publicInAccount true</code>

error:

<code>Command failed java.lang.RuntimeException: Failed to verify the credential: Could not verify credential [credential: 'ynwm'], detailed message: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</code>

I found another document:

https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/openstack/deployer.md

which says:

If your OpenStack is secured with a self-signed certificate, you need to import that certificate into Cloudbreak, or else Cloudbreak won't be able to communicate with your OpenStack. To import the certificate, place the certificate file in the generated certs directory /certs/trusted/. The trusted directory does not exist by default, so you need to create it. Cloudbreak will automatically pick up these certificates and import them into its truststore upon start.

So I copied my .crt file into certs/trusted

and restarted cbd:

<code>[sso@cloudbreak02 ~/tools/cloudbreak-deployment]$ sudo docker exec -it cbreak_cloudbreak_1 bash
root@dd24262dd30c:/# ls -al /certs/trusted/
total 16
drwxr-xr-x 2 root root 4096 Jul 29 01:41 .
drwxr-xr-x 3 root root 4096 Jul 29 01:39 ..
-rw-r--r-- 1 root root 4753 Jul 27 08:17 sso.crt
root@dd24262dd30c:/#</code>

<code>sudo cbd start
sudo cbd util cloudbreak-shell
credential create --OPENSTACK ....(the same with the command above)</code>

However, I still got the SSL error:

<code>/cbreak_cloudbreak_1 | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
/cbreak_cloudbreak_1 |  at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
/cbreak_cloudbreak_1 |  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
/cbreak_cloudbreak_1 |  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
/cbreak_cloudbreak_1 |  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
/cbreak_cloudbreak_1 |  ... 82 common frames omitted</code>

Thanks for any possible help

1 ACCEPTED SOLUTION

Contributor

Self response:

This problem is resolved.

Because I imported a wrong .crt file, which is not for our HTTPS server, the "credential create" command failed.

After putting the correct .crt file under "certs/trusted", I created a new credential successfully.

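A pre-import check for the failure resolved above, as an added example that is not part of the original thread: it uses `openssl verify` to test whether a candidate .crt actually anchors the certificate the endpoint presents. The certificates and host names are constructed throwaways, and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): test a candidate .crt against the
# certificate the HTTPS endpoint presents, before it goes into certs/trusted.
#
# For a live endpoint, save the presented leaf certificate first, e.g.:
#   openssl s_client -connect HOST:5000 </dev/null 2>/dev/null \
#     | openssl x509 -outform PEM > presented.pem     # HOST is a placeholder

# cert_trusts_server CANDIDATE_CRT PRESENTED_PEM
# Exit 0 if PRESENTED_PEM verifies with CANDIDATE_CRT supplied as a trust
# anchor (the candidate is the server's self-signed cert or its issuing CA).
# OpenSSL may also consult its default CA directory; for a self-signed or
# private-CA endpoint that does not change the outcome.
cert_trusts_server() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# sha256_fp CERT: print the SHA-256 fingerprint, to compare by eye with the
# fingerprint that `keytool -list -v` shows for the imported alias.
sha256_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_selfsigned DIR NAME CN: constructed throwaway certificate for the demo.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo() {
    local d candidate
    d=$(mktemp -d)
    # Constructed stand-ins: "server" plays the endpoint, "wrong" the bad file.
    make_selfsigned "$d" server keystone.example.test
    make_selfsigned "$d" wrong other.example.test
    for candidate in server wrong; do
        if cert_trusts_server "$d/$candidate.crt" "$d/server.crt"; then
            echo "$candidate.crt: OK, endpoint certificate chains to it"
        else
            echo "$candidate.crt: REJECTED, importing it will not fix PKIX errors"
        fi
        echo "  sha256 $(sha256_fp "$d/$candidate.crt")"
    done
    rm -rf "$d"
}

demo
```

If the endpoint sends intermediate certificates, the leaf alone will only verify against a candidate that is its direct issuer or the leaf itself.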

3 REPLIES

Contributor
<code>/cbreak_cloudbreak_1 | Importing certificates to the default Java certificate  trust store.
/cbreak_registrator_1 | 2016/07/29 01:44:42 registrator: added: dd24262dd30c af7ab373046f:cbreak_cloudbreak_1:8080
/cbreak_consul_1 |     2016/07/29 01:44:42 [INFO] agent: Synced service 'af7ab373046f:cbreak_cloudbreak_1:8080'
/cbreak_cloudbreak_1 | Certificate was added to keystore
/cbreak_cloudbreak_1 | Certificate added to default Java trust store with alias sso.crt.
/cbreak_cloudbreak_1 | Starting the Cloudbreak application...
/cbreak_cloudbreak_1 | + '[' true == false ']'
/cbreak_cloudbreak_1 | + java -jar /cloudbreak.jar</code>

I checked the log file and found "Certificate added to default Java trust store with alias sso.crt",

so I think the .crt file is added correctly.

However, I still get the SSL error when accessing the HTTPS endpoint.

Super Collaborator

Glad that it worked out. Let us know if you believe something is missing from the docs and can be improved.