Overview
If you are unable to download add-ons, a common troubleshooting step is to check App and Add-On Diagnostics in the Admin Console (Add-ons > Diagnostics). Here you might get an error like the one detailed below:
Error: Unable to find certificate chain.
java.security.cert.CertPathBuilderException: Unable to find certificate chain.
	at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
This article helps you resolve the above error.
Solution
Verify if the instance is configured to use FIPS mode
- Repeat the steps below for each Web Application node that you have.
- In the server's Linux terminal, go to the /usr/local/jive/java/jre/lib/security directory.
- Run the following command:
  cat java.security | grep FIPS
- You should see output like the following:
  # FIPS mode provided by Bouncy Castle
  security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
  security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
If you find that FIPS mode is not configured, you can configure it by following this article on Configuring FIPS.
If you have at least one web application node where the above error is not present, then follow the steps below:
- Check the certificate chain with the following command:
  openssl s_client -showcerts -connect addons-registry-aws.aws-us-east-1-prod.svc.jivehosted.com:443
  Note the names of all the certificates in the certificate chain.
- Check whether the certificates are present in the Java Keystore on all the web app nodes:
  - As the jive user, browse to ~/java/jre/bin.
  - Use:
    ./keytool -list -v -keystore /usr/local/jive/java/jre/lib/security/cacerts -storetype BCFKS -storepass changeit
  - If you search the output and do not find the certificates from step 1, this confirms the issue at hand.
- The certificates may already be installed on the web app nodes not presenting the issue. The certificates need to be present in the Keystore across all web app nodes.
- Locate the Keystore on the web app node that is not affected by this behavior.
- Create a backup of the Keystore with the following command:
  cp cacerts cacerts.bck
- Copy the cacerts and cacerts.bck files from that node to the /usr/local/jive/java/jre/lib/security directory of all web app nodes.
- Perform a rolling restart on the Jive instance.
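The comparison in the steps above (the chain printed by openssl s_client against the keytool listing of the BCFKS cacerts) can be automated by matching SHA-256 fingerprints rather than names, which avoids the different subject formatting of the two tools. The following Python is an added example, not part of this article or of Jive; it runs on constructed sample outputs, and the hostnames, subjects and certificate bodies in it are placeholders.

```python
import base64
import hashlib
import re
# "N s:<subject>" lines and PEM blocks from `openssl s_client -showcerts`; "SHA256:" lines from `keytool -list -v`.
SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$", re.M)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
KEYTOOL_SHA256_RE = re.compile(r"^\s*SHA256:\s*([0-9A-Fa-f:]+)\s*$", re.M)

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate in keytool's colon-separated uppercase hex form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_s_client_chain(text: str) -> list[tuple[str, str]]:
    """(subject, SHA-256 fingerprint) per certificate, in the order the server sent them."""
    chain = []
    for subject, body in zip(SUBJECT_RE.findall(text), PEM_RE.findall(text)):
        der = base64.b64decode("".join(body.split()))
        chain.append((subject.strip(), sha256_fingerprint(der)))
    return chain

def parse_keytool_fingerprints(text: str) -> set[str]:
    """SHA-256 fingerprints of every entry in a `keytool -list -v` listing."""
    return {fp.upper() for fp in KEYTOOL_SHA256_RE.findall(text)}

def missing_from_keystore(s_client_text: str, keytool_text: str) -> list[str]:
    """Subjects of chain certificates whose fingerprint is not in the keystore listing. cacerts
    normally holds CA certificates only, so a missing leaf is expected; a missing CA is the problem."""
    present = parse_keytool_fingerprints(keytool_text)
    return [subj for subj, fp in parse_s_client_chain(s_client_text) if fp not in present]

# Constructed sample s_client output; the base64 bodies are placeholders, not real certificates.
SAMPLE_CHAIN = """\
 0 s:CN = addons-registry.example, O = Example
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBsjCCAVigAwIBAgIUAAECAwQFBgcICQoLDA0ODxAREhMw
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBtDCCAVqgAwIBAgIUAAECAwQFBgcICQoLDA0ODxAREhQw
-----END CERTIFICATE-----
"""
# Constructed keytool listing that holds only the issuing CA (fingerprint taken from the sample chain).
SAMPLE_KEYTOOL = f"""\
Owner: CN=Example Issuing CA
Certificate fingerprints:
\t SHA256: {parse_s_client_chain(SAMPLE_CHAIN)[1][1]}
"""
```

On a real instance, save the output of the two commands above on each web app node and pass them to missing_from_keystore; a node whose listing already contains the intermediate and root CA fingerprints is the one whose cacerts you can copy.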
If you do not have a working web app node, you can install the certificate(s) manually on each web app node with the following instructions:
- Save each certificate from the certificate chain as a .crt file.
- Create a backup of the Keystore with the following command:
  cp cacerts cacerts.bck
- Import the .crt certificate into the Keystore using the following keytool command and answer yes to import it. Replace <filename> with the actual .crt filename and <internal_ca_alias> with the alias you want to use for the imported certificate:
  /usr/local/jive/java/bin/keytool -storetype BCFKS -keystore cacerts -storepass changeit -import -alias <internal_ca_alias> -file <filename>.crt
- Import each certificate in the certificate chain.
- Perform the same actions (steps 2 through 4) on all web app nodes.
- Perform a rolling restart on the Jive instance.
Testing
When you run App and Add-On Diagnostics in the Admin Console (Add-ons > Diagnostics), you no longer get the error, "Unable to Find Certificate Chain".