When configuring GitHub authentication against a private GitHub Enterprise (GHE) instance whose TLS certificate is issued by an internal CA (or is self-signed), the JVM's default truststore has no path to that issuer and the handshake fails with:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | |
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_79] | |
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916) ~[na:1.7.0_79] | |
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279) ~[na:1.7.0_79] | |
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273) ~[na:1.7.0_79] | |
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1469) ~[na:1.7.0_79] | |
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213) ~[na:1.7.0_79] | |
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901) ~[na:1.7.0_79] | |
at sun.security.ssl.Handshaker.process_record(Handshaker.java:837) ~[na:1.7.0_79] | |
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1035) ~[na:1.7.0_79] | |
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344) ~[na:1.7.0_79] | |
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371) ~[na:1.7.0_79] | |
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355) ~[na:1.7.0_79] | |
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:261) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:118) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:314) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:357) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:218) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:194) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:85) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) ~[httpclient-4.3.1.jar:4.3.1] | |
at org.apache.http.client.fluent.Request.execute(Request.java:143) ~[fluent-hc-4.3.1.jar:4.3.1] | |
at io.cattle.platform.iaas.api.auth.github.GithubClient.getAccessToken(GithubClient.java:52) ~[cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na] | |
at io.cattle.platform.iaas.api.auth.github.GithubTokenHandler.getToken(GithubTokenHandler.java:123) ~[cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na] | |
at io.cattle.platform.iaas.api.auth.github.TokenResourceManager.getToken(TokenResourceManager.java:59) ~[cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na] | |
at io.cattle.platform.iaas.api.auth.github.TokenResourceManager.createInternal(TokenResourceManager.java:50) ~[cattle-iaas-auth-logic-0.5.0-SNAPSHOT.jar:na] | |
... 50 common frames omitted | |
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | |
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) ~[na:1.7.0_79] | |
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.7.0_79] | |
at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.7.0_79] | |
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) ~[na:1.7.0_79] | |
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) ~[na:1.7.0_79] | |
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) ~[na:1.7.0_79] | |
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1451) ~[na:1.7.0_79] | |
... 74 common frames omitted | |
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | |
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) ~[na:1.7.0_79] | |
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) ~[na:1.7.0_79] | |
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) ~[na:1.7.0_79] | |
... 80 common frames omitted | |
Workaround (adds the GHE certificate to the JVM truststore inside the rancher-server container):
1) Get the certificate presented by the running GHE instance. Note that this captures only the leaf (server) certificate over an unauthenticated connection — whoever sits on that path at this moment is what you end up trusting, and a leaf certificate has to be re-imported every time GHE renews it. The safer choice is to obtain the issuing CA certificate out-of-band from the team that runs GHE and import that instead; if you do fetch it this way, check the SHA-256 fingerprint against one published by the GHE admins before importing (`openssl x509 -in github-yourcorp.cer -noout -fingerprint -sha256`):
echo |openssl s_client -connect github.yourcorp.com:443 -servername github.yourcorp.com 2>&1 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > github-yourcorp.cer
2) Copy the cert into your running rancher-server container (`docker cp ./github-yourcorp.cer rancher-server:/etc/ssl/certs/java/` does the same without shell-quoting the file contents):
docker exec rancher-server bash -c "echo \"$(cat ./github-yourcorp.cer)\" > /etc/ssl/certs/java/github-yourcorp.cer"
3) Import the cert into the JVM cacerts truststore so that cattle can use it (in this case the rancher-server container is named rancher-server). `changeit` is the well-known JDK default; the truststore password only protects the file's integrity and the store holds no secrets, so it is not the sensitive part here. `-noprompt` suppresses the fingerprint display and the "Trust this certificate?" confirmation, which is why the fingerprint check in step 1 matters — this command trusts whatever is in the file without showing it:
docker exec rancher-server bash -c "cd /etc/ssl/certs/java;keytool -import -file /etc/ssl/certs/java/github-yourcorp.cer -alias github-is-p -noprompt -storepass 'changeit' -keystore /etc/ssl/certs/java/cacerts"
4) Validate that the certificate was imported into the truststore (add `-v -alias github-is-p` to print the entry's fingerprints and compare them with the certificate you intended to trust):
docker exec rancher-server bash -c 'keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass "changeit"' |grep github
5) Restart the container — the JVM reads the truststore at startup, so the running process will not pick up the new entry until then. Note that this edit lives only in the container's writable layer: if rancher-server is ever recreated (upgrade, `docker rm`), the imported certificate is gone and the handshake error returns. Persist it by mounting the truststore from the host or by baking the certificate into a derived image.
docker restart rancher-server