unable to find valid certification path to requested target on oVirt Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Come Celebrate our 10 Year Anniversary!Sun Java keytool importing EV certificates into a single keystorefind the path of jdk and set JAVAHOMEBirt on Tomcat unable to find JARsUnable to find valid certification path to requested target while CAS authenticationHow can I persist certificates in Java's cacerts?wso2 Governance Registry Active Directory integration unable to find valid certification path to requested targetPreserve imported CA Certificates through Java upgradesjrun ssl peer not authenticatedovirt change export pathJRE fails to establish LDAPS connection with AD after RootCA cert imported to cacerts truststore

Can Deduction Guide have an explicit(bool) specifier?

A German immigrant ancestor has a "Registration Affidavit of Alien Enemy" on file. What does that mean exactly?

Are bags of holding fireproof?

Pointing to problems without suggesting solutions

Is Bran literally the world's memory?

How is an IPA symbol that lacks a name (e.g. ɲ) called?

Coin Game with infinite paradox

Why are two-digit numbers in Jonathan Swift's "Gulliver's Travels" (1726) written in "German style"?

Why did Europeans not widely domesticate foxes?

Who can become a wight?

lm and glm function in R

What's the connection between Mr. Nancy and fried chicken?

What were wait-states, and why was it only an issue for PCs?

Why isn't everyone flabbergasted about Bran's "gift"?

How to charge percentage of transaction cost?

Lights are flickering on and off after accidentally bumping into light switch

Is my guitar’s action too high?

Can 'non' with gerundive mean both lack of obligation and negative obligation?

Can a Wizard take the Magic Initiate feat and select spells from the Wizard list?

Who's this lady in the war room?

Compiling and throwing simple dynamic exceptions at runtime for JVM

Does Prince Arnaud cause someone holding the Princess to lose?

Would I be safe to drive a 23 year old truck for 7 hours / 450 miles?

Why these surprising proportionalities of integrals involving odd zeta values?

unable to find valid certification path to requested target on oVirt

Announcing the arrival of Valued Associate #679: Cesar Manara

Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)

Come Celebrate our 10 Year Anniversary!Sun Java keytool importing EV certificates into a single keystorefind the path of jdk and set JAVAHOMEBirt on Tomcat unable to find JARsUnable to find valid certification path to requested target while CAS authenticationHow can I persist certificates in Java's cacerts?wso2 Governance Registry Active Directory integration unable to find valid certification path to requested targetPreserve imported CA Certificates through Java upgradesjrun ssl peer not authenticatedovirt change export pathJRE fails to establish LDAPS connection with AD after RootCA cert imported to cacerts truststore

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

I installed latest CentOS 7 yesterday. Clean install. And I follow this tutorial:
https://www.ovirt.org/documentation/install-guide/chap-Installing_oVirt.html

The only different is I configured httpd listen 1080 for http and 1443 for https. Because I installed nginx before. And I configure nginx redirect 443 to 1443 port if the hostname is correct.

But in the "Connecting to the Administration Portal" step, I got error:

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

https://i.imgur.com/bnTwTDK.png

I tried a lot of solution, but no one works.

tried_solution_1:

cat /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"

https://i.imgur.com/uAbJmfn.png
not works.

tried_solution_2:

add cert to keystore manually:

for f in *.pem; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.cer; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.der; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
#/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts is linked to /etc/pki/java/cacerts

I run this script in everywhere under /etc/pki/ovirt-engine/ , but it still not works.

https://i.imgur.com/ZME9n6q.png

asked Dec 26 '18 at 18:50

JK-Hu

add a comment |

I installed latest CentOS 7 yesterday. Clean install. And I follow this tutorial:
https://www.ovirt.org/documentation/install-guide/chap-Installing_oVirt.html

The only different is I configured httpd listen 1080 for http and 1443 for https. Because I installed nginx before. And I configure nginx redirect 443 to 1443 port if the hostname is correct.

But in the "Connecting to the Administration Portal" step, I got error:

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

https://i.imgur.com/bnTwTDK.png

I tried a lot of solution, but no one works.

tried_solution_1:

cat /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"

https://i.imgur.com/uAbJmfn.png
not works.

tried_solution_2:

add cert to keystore manually:

for f in *.pem; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.cer; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.der; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
#/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts is linked to /etc/pki/java/cacerts

I run this script in everywhere under /etc/pki/ovirt-engine/ , but it still not works.

https://i.imgur.com/ZME9n6q.png

asked Dec 26 '18 at 18:50

JK-Hu

add a comment |

I installed latest CentOS 7 yesterday. Clean install. And I follow this tutorial:
https://www.ovirt.org/documentation/install-guide/chap-Installing_oVirt.html

The only different is I configured httpd listen 1080 for http and 1443 for https. Because I installed nginx before. And I configure nginx redirect 443 to 1443 port if the hostname is correct.

But in the "Connecting to the Administration Portal" step, I got error:

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

https://i.imgur.com/bnTwTDK.png

I tried a lot of solution, but no one works.

tried_solution_1:

cat /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"

https://i.imgur.com/uAbJmfn.png
not works.

tried_solution_2:

add cert to keystore manually:

for f in *.pem; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.cer; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.der; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
#/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts is linked to /etc/pki/java/cacerts

I run this script in everywhere under /etc/pki/ovirt-engine/ , but it still not works.

https://i.imgur.com/ZME9n6q.png

asked Dec 26 '18 at 18:50

JK-Hu

I installed latest CentOS 7 yesterday. Clean install. And I follow this tutorial:
https://www.ovirt.org/documentation/install-guide/chap-Installing_oVirt.html

The only different is I configured httpd listen 1080 for http and 1443 for https. Because I installed nginx before. And I configure nginx redirect 443 to 1443 port if the hostname is correct.

But in the "Connecting to the Administration Portal" step, I got error:

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

https://i.imgur.com/bnTwTDK.png

I tried a lot of solution, but no one works.

tried_solution_1:

cat /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ENGINE_HTTPS_PKI_TRUST_STORE="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"

https://i.imgur.com/uAbJmfn.png
not works.

tried_solution_2:

add cert to keystore manually:

for f in *.pem; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.cer; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
for f in *.der; do keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$f" -import -file "$f"; done
#/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts is linked to /etc/pki/java/cacerts

I run this script in everywhere under /etc/pki/ovirt-engine/ , but it still not works.

https://i.imgur.com/ZME9n6q.png

centos centos7 java ovirt

asked Dec 26 '18 at 18:50

JK-Hu

asked Dec 26 '18 at 18:50

JK-Hu

asked Dec 26 '18 at 18:50

JK-Hu

asked Dec 26 '18 at 18:50

JK-Hu

asked Dec 26 '18 at 18:50

JK-Hu

add a comment |

1 Answer
1

active

oldest

votes

I have a clean install with oVirt and installed my own certificates, anyway I got the same error as you and managed to solve it this way.

Important to say that the files you see in this comands, I assume you created them like the appendix D at the oVirt docs.

At the end of the appendix, before restarting the services, execute this:

keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file "/tmp/apache.cer"

Note the "-storepass" is the default, obviously you should put your own store password if you have one.

Then restart the services, It worked for me.

EDIT:

If you are going to use a comercial certificate, make sure you have the following files with the appendix names like this:

/tmp/3rd-party-ca-cert.pem -> CA and CA Root

/tmp/apache.p12 -> Certificate and Private key

/tmp/apache.cer -> Certificate only

/tmp/apache.key -> Private key only

And double check your CA and CA Root that matches your CA's certificate like this chain:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.MYDOMAIN.com
 i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA

 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Please, note that in the "i:" field (issuer field), the CN (Common Name) matches the next certificate, if this is not like this, check the file "/tmp/3rd-party-ca-cert.pem" and get the correct ones.

I don't know wich solution are you using, because it can be used for external and internal websocket connections.

edited Apr 16 at 16:12

answered Apr 16 at 11:48

Christian A.

162

New contributor

add a comment |

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);

);

draft saved

draft discarded

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f946690%2funable-to-find-valid-certification-path-to-requested-target-on-ovirt%23new-answer', 'question_page');

);

Post as a guest

Name

Required, but never shown

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

I have a clean install with oVirt and installed my own certificates, anyway I got the same error as you and managed to solve it this way.

Important to say that the files you see in this comands, I assume you created them like the appendix D at the oVirt docs.

At the end of the appendix, before restarting the services, execute this:

keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file "/tmp/apache.cer"

Note the "-storepass" is the default, obviously you should put your own store password if you have one.

Then restart the services, It worked for me.

EDIT:

If you are going to use a comercial certificate, make sure you have the following files with the appendix names like this:

/tmp/3rd-party-ca-cert.pem -> CA and CA Root

/tmp/apache.p12 -> Certificate and Private key

/tmp/apache.cer -> Certificate only

/tmp/apache.key -> Private key only

And double check your CA and CA Root that matches your CA's certificate like this chain:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.MYDOMAIN.com
 i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA

 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Please, note that in the "i:" field (issuer field), the CN (Common Name) matches the next certificate, if this is not like this, check the file "/tmp/3rd-party-ca-cert.pem" and get the correct ones.

I don't know wich solution are you using, because it can be used for external and internal websocket connections.

edited Apr 16 at 16:12

answered Apr 16 at 11:48

Christian A.

162

New contributor

add a comment |

I have a clean install with oVirt and installed my own certificates, anyway I got the same error as you and managed to solve it this way.

Important to say that the files you see in this comands, I assume you created them like the appendix D at the oVirt docs.

At the end of the appendix, before restarting the services, execute this:

keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file "/tmp/apache.cer"

Note the "-storepass" is the default, obviously you should put your own store password if you have one.

Then restart the services, It worked for me.

EDIT:

If you are going to use a comercial certificate, make sure you have the following files with the appendix names like this:

/tmp/3rd-party-ca-cert.pem -> CA and CA Root

/tmp/apache.p12 -> Certificate and Private key

/tmp/apache.cer -> Certificate only

/tmp/apache.key -> Private key only

And double check your CA and CA Root that matches your CA's certificate like this chain:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.MYDOMAIN.com
 i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA

 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Please, note that in the "i:" field (issuer field), the CN (Common Name) matches the next certificate, if this is not like this, check the file "/tmp/3rd-party-ca-cert.pem" and get the correct ones.

I don't know wich solution are you using, because it can be used for external and internal websocket connections.

edited Apr 16 at 16:12

answered Apr 16 at 11:48

Christian A.

162

New contributor

add a comment |

I have a clean install with oVirt and installed my own certificates, anyway I got the same error as you and managed to solve it this way.

Important to say that the files you see in this comands, I assume you created them like the appendix D at the oVirt docs.

At the end of the appendix, before restarting the services, execute this:

keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file "/tmp/apache.cer"

Note the "-storepass" is the default, obviously you should put your own store password if you have one.

Then restart the services, It worked for me.

EDIT:

If you are going to use a comercial certificate, make sure you have the following files with the appendix names like this:

/tmp/3rd-party-ca-cert.pem -> CA and CA Root

/tmp/apache.p12 -> Certificate and Private key

/tmp/apache.cer -> Certificate only

/tmp/apache.key -> Private key only

And double check your CA and CA Root that matches your CA's certificate like this chain:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.MYDOMAIN.com
 i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA

 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Please, note that in the "i:" field (issuer field), the CN (Common Name) matches the next certificate, if this is not like this, check the file "/tmp/3rd-party-ca-cert.pem" and get the correct ones.

I don't know wich solution are you using, because it can be used for external and internal websocket connections.

edited Apr 16 at 16:12

answered Apr 16 at 11:48

Christian A.

162

New contributor

I have a clean install with oVirt and installed my own certificates, anyway I got the same error as you and managed to solve it this way.

Important to say that the files you see in this comands, I assume you created them like the appendix D at the oVirt docs.

At the end of the appendix, before restarting the services, execute this:

keytool -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -alias "$YOURALIAS" -import -file "/tmp/apache.cer"

Note the "-storepass" is the default, obviously you should put your own store password if you have one.

Then restart the services, It worked for me.

EDIT:

If you are going to use a comercial certificate, make sure you have the following files with the appendix names like this:

/tmp/3rd-party-ca-cert.pem -> CA and CA Root

/tmp/apache.p12 -> Certificate and Private key

/tmp/apache.cer -> Certificate only

/tmp/apache.key -> Private key only

And double check your CA and CA Root that matches your CA's certificate like this chain:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.MYDOMAIN.com
 i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA

 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Please, note that in the "i:" field (issuer field), the CN (Common Name) matches the next certificate, if this is not like this, check the file "/tmp/3rd-party-ca-cert.pem" and get the correct ones.

I don't know wich solution are you using, because it can be used for external and internal websocket connections.

edited Apr 16 at 16:12

answered Apr 16 at 11:48

Christian A.

162

New contributor

edited Apr 16 at 16:12

answered Apr 16 at 11:48

Christian A.

162

New contributor

answered Apr 16 at 11:48

Christian A.

162

answered Apr 16 at 11:48

Christian A.

162

New contributor

Christian A. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Server Fault!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Otdfbt

1 Answer
1

Your Answer

Post as a guest

1 Answer
1

1 Answer
1

Post as a guest

Popular posts from this blog

1 Answer 1

Your Answer

Sign up or log in

Post as a guest

Post as a guest

1 Answer 1

1 Answer 1

Sign up or log in

Post as a guest

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Popular posts from this blog

1 Answer
1

1 Answer
1

1 Answer
1