Letsencrypt: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed


Post by maxxer » Fri Aug 02, 2019 12:50 pm

Hi.

Zimbra 8.6.0_GA_1153.RHEL7_64_20141215151110.

When running certain activities (like zextras' HSM operations) I'm getting the following exception in mailboxd.log:

Code:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException (Alerts.java:192)

then

Code:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild (PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate (PKIXValidator.java:230)

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build (SunCertPathBuilder.java:145)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild (SunCertPathBuilder.java:131)


I've tried everything I could find online:

Code:

/opt/zimbra/java/bin/keytool -alias DSTRootCAX3 -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/dst-root.ca
/opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt
zmupdateauthkeys
/opt/zimbra/java/bin/keytool -import -alias new2 -keystore /opt/zimbra/java/jre/lib/security/cacerts  -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial.crt


I really don't know what else to do to fix that error. Any suggestion is welcome, thanks.



Post by maxxer » Fri Aug 02, 2019 2:06 pm

Ended up being a Powerstore backend problem, not a Zimbra one.

We had configured an OVH (Swift-compatible) storage, and the cert error given was against OVH's endpoint!!

I followed this guide for saving the certificate of the ovh backend, then imported with the following:

Code:

/opt/zimbra/java/bin/keytool -import -alias ovh20190802 -keystore /opt/zimbra/java/jre/lib/security/cacerts  -storepass changeit -file /tmp/storage_sbg5_cloud_ovh_net.crt


And finally it worked!
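
The failure mode in this thread, reproduced offline as an added example (not part of the original posts): a certificate validates only against a trust store that holds its own issuing chain, so importing the mail server's CA does nothing for a storage endpoint signed by a different CA. It uses `openssl verify` as a stand-in for Java's PKIX validation; all certificates, file names and host names are constructed.

```shell
#!/bin/sh
# Constructed, offline demo: every certificate here is generated locally and
# all names are hypothetical stand-ins, not the real Zimbra or OVH chains.
WORK=$(mktemp -d)

# Create a self-signed CA: $1 = file prefix, $2 = subject CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a leaf certificate: $1 = prefix, $2 = CN, $3 = issuing CA prefix.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$3.pem" \
    -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to an anchor in trust file $1.
# A failure here is the OpenSSL counterpart of "PKIX path building failed".
chains_to() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# The diagnostic step: which issuer does the failing endpoint's cert need?
issuer_of() {
  openssl x509 -noout -issuer -in "$WORK/$1.pem"
}

build_demo() {
  make_ca mail_ca "Constructed Mail CA" &&       # stand-in for the first post's imports
  make_ca storage_ca "Constructed Storage CA" && # stand-in for the backend's issuer
  make_leaf storage storage.example.invalid storage_ca
}

build_demo || exit 1
if chains_to mail_ca storage; then echo "mail CA: trusted"; else echo "mail CA: no path"; fi
if chains_to storage_ca storage; then echo "storage CA: trusted"; else echo "storage CA: no path"; fi
issuer_of storage
```

A store that trusts the issuing CA keeps working when the endpoint renews its certificate, whereas a store that holds only the saved endpoint certificate needs a fresh import after each renewal.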
