"PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

mr_tps
Posts: 8
Joined: Tue Mar 19, 2019 5:46 am

Post by mr_tps » Sat Mar 23, 2019 1:21 pm

I am setting up a Zimbra mail server with the OpenID consumer.
I am following the instructions at this link: https://wiki.zimbra.com/wiki/Authentication/OpenIDConsumer

But an error occurs when I request the URL below.

<zimbra_host_base_url>/service/extension/openid/consumer?openid_identifier=<user-supplied-identifier>

In zmmailboxd.out on the mail server it returns this error:

Code:

2019-03-23 08:42:40.526:WARN:oejs.ServletHandler:qtp1935637221-278:https:https://<zimbra_host_base_url>/service/extension/openid/consumer?openid_identifier=<user-supplied-identifier>:
javax.servlet.ServletException: 0x704: I/O transport error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.authRequest(OpenIDConsumerHandler.java:267)
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.doPost(OpenIDConsumerHandler.java:135)
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.doGet(OpenIDConsumerHandler.java:123)
        at com.zimbra.cs.extension.ExtensionDispatcherServlet.service(ExtensionDispatcherServlet.java:111)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)


DualBoot
Elite member
Posts: 1073
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Multi servers

Re: "PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by DualBoot » Sat Mar 23, 2019 1:37 pm

Maybe a problem related to a self-signed certificate.

Re: "PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by mr_tps » Mon Mar 25, 2019 4:44 am

That I know, thanks, but how do I prevent it on a dev server?

Re: "PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by DualBoot » Mon Mar 25, 2019 11:10 am

You need to import the self-signed certificate into each keystore of the Zimbra servers.

JDunphy
Outstanding Member
Posts: 459
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P12 RHEL6 Network Edition

Re: "PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by JDunphy » Mon Mar 25, 2019 3:34 pm

Perhaps this:

http://forums.zimbra.org/viewtopic.php? ... 4&start=10
Research keytool

Example of adding an intermediate cert to the Java keystore with the Let's Encrypt intermediate ... but the link above shows how to add your own private CA.

Code:

# su - zimbra
% wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O lets.pem
% /opt/zimbra/common/bin/keytool -import -alias letsenc-ca -keystore /opt/zimbra/common/etc/java/cacerts -storepass changeit -file lets.pem
% /opt/zimbra/bin/zmcertmgr verifycrt comm private.key your.crt intermediate.crt

Generally, it is easier to chain these and have zmcertmgr attempt to do the right thing so I don't add an intermediate this way myself with keytool... except with self-signed that requires you follow some arcane set of steps with zmcertmgr which I always forget which is why people try keytool directly as the first link does. :-)
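
Added example (not posted by anyone in this thread, and not Zimbra's own code): a shell script for the dev-server case discussed above. It fetches the certificate the OpenID provider presents, compares its SHA-256 fingerprint with one obtained out of band, and only then imports it into the truststore named in the post above. The provider host, port, alias and the function names are assumptions; the keytool path, keystore path and store password are the ones from the post.

```sh
#!/bin/sh
# Added example (not from the thread). Paths and the "changeit" store password
# are the ones used in the post above; host, port and alias are placeholders.
KEYTOOL=/opt/zimbra/common/bin/keytool
CACERTS=/opt/zimbra/common/etc/java/cacerts

# Print only the first PEM certificate on stdin (the leaf in s_client output).
first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Fetch the certificate the OpenID provider presents on host $1, port $2.
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | first_pem
}

# SHA-256 fingerprint of PEM file $1, colon-separated upper-case hex.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Import PEM file $2 under alias $1 unless that alias is already trusted.
trust_cert() {
    if "$KEYTOOL" -list -alias "$1" -keystore "$CACERTS" \
        -storepass changeit >/dev/null 2>&1; then
        echo "alias $1 already present in $CACERTS"
        return 0
    fi
    "$KEYTOOL" -importcert -noprompt -alias "$1" -keystore "$CACERTS" \
        -storepass changeit -file "$2"
}

# Usage (as the zimbra user): script <idp-host> <port> <expected-sha256-fingerprint>
if [ "$#" -eq 3 ]; then
    pem=$(mktemp)
    fetch_leaf "$1" "$2" > "$pem"
    [ -s "$pem" ] || { echo "no certificate received from $1:$2" >&2; exit 1; }
    # Refuse to trust a certificate whose fingerprint was not confirmed out of band.
    if [ "$(fingerprint "$pem")" != "$3" ]; then
        echo "fingerprint mismatch, not importing" >&2; rm -f "$pem"; exit 1
    fi
    trust_cert "dev-idp-$1" "$pem"
    rm -f "$pem"
fi
```

The JVM reads its truststore at startup, so mailboxd has to be restarted (`zmmailboxdctl restart`) before the OpenID consumer sees the new entry.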
