Unable to find valid certification path to requested target

Hi, it's me again....

 

"Discover Patches" stopped working now... it worked fine until Wednesday.

From log I get:

SCR-ERROR: Unable to download URL: https://novell.cdn.heatsoftware.com/novell/ZEN2017U4_A.xml: com.lumension.scr.exception.UnableToAccesURL: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

Any idea?

 

Thx in advance & BR, Dirk

 

  • Are you sure it was working until Wednesday?

    Around the 1st week of March there were some issues.....Some Certs expired, which broke some people and when replaced some folks did not have the trust for the new certs depending on how long ago their Java TrustStore had been around.....generally a small number of customers.

    Around March 3rd/4th is when the last known change happened.  I could see you being broken since then, though.....

    What Version of ZCM?  If on ZCM 20.1, there should not be a known issue since the 20.1 upgrades the Java TrustStore.  (Do not try to rebuild your truststore w/o a full set of steps from support.)

    What ZCM Version and OS of ZCM Primary?

     

  • Looks like you are on ZCM 2017.4......if so drop an email to craig_d_wilson@yahoo.com, reference the forums and I will get you some steps to try....

  • Ouch, sent e-mail but forgot about the reference...
  • If you already issued the set of 3 commands to rebuild your truststore and restart the ZCM services on your primary, I don't have too many great suggestions.

    The one “THOUGHT” is that something changed on your Internet Firewall/Router Setup. In some cases, these products will insert their OWN cert into the middle.

    What they do is ‘decrypt’ the SSL connections so it can inspect, and then re-encrypt between both sides.  This results in the appliance needing to trust whatever CERT is used by the Internet FW Appliance.

    Perhaps there was a change in the cert there….It's not terribly difficult to add a cert, but maybe a trace may help..

    If on Linux, try...

    curl -vvI --tlsv1.2 https://novell.cdn.heatsoftware.com/novell/ssl

    Look at the cert details it returns...make sure it shows HEATSOFTWARE and AMAZON.  If it shows something else, then there is definitely some type of appliance in the middle changing certs around.  If it does show HEATSOFTWARE and AMAZON I won't say it eliminates that possibility.

  • Running Windows Server ...

    The proxy itself seems to be ok: I can access the xml from a workstation behind the same proxy.
    When I try the same thing from server I get a cert warning...
  • So likely the Proxy may be playing some role...it may be important to know if the CERT being presented to Java is the Proxy Server's Cert.  If so, it may need to be added to the TrustStore.   

    I know the process is rather simple, but I've not had to do that for a few years, so I'm not going to give those exact steps.  I presume the Proxy Server is set in the ZPM setup section of the ZCC?

  • Hmm... it seems I have to ask all our network guys about latest changes: Accessing the internet from server is almost impossible: Showing me cert errors for every https:, followed by "no response from proxy" if I try to continue

    I'll see what I can get there, thx for your suggestions

    Update: I don't think there's an issue with ZPM right now.... just checked, that system update is broken too... so, for now it's more likely a proxy issue

  • Verified Answer

    Final Update :

    Just a network issue: After latest changes to DHCP and DNS the proxy forgot about the rule because it still tried to use the old IP. This was changed months before... My colleagues fixed the entry and it's working again.
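
The curl check suggested earlier in the thread, as an added example (not code from any poster or from the product): a small Python helper that reads saved `curl -v` output and reports whether the names the thread says to look for, HEATSOFTWARE and AMAZON, appear in the certificate subject and issuer. The sample transcripts and their subject/issuer values are constructed, and the `*  subject:` / `*  issuer:` line format is an assumption about OpenSSL-based curl builds.

```python
import re

# Names the thread says the certificate details should show.
EXPECTED_NAMES = ("heatsoftware", "amazon")

# Constructed samples in the style of curl -v output; not captured from the
# real host. All subject/issuer values below are made up for illustration.
SAMPLE_DIRECT = """\
* Server certificate:
*  subject: CN=*.cdn.heatsoftware.com
*  issuer: C=US; O=Amazon; CN=Amazon Example CA
*  SSL certificate verify ok.
"""
SAMPLE_INSPECTED = """\
* Server certificate:
*  subject: CN=novell.cdn.heatsoftware.com
*  issuer: O=Example Corp; CN=Example Proxy Inspection CA
*  SSL certificate verify ok.
"""
SAMPLE_FAILED = """\
* SSL certificate problem: unable to get local issuer certificate
"""

# Matches "*  subject: ..." and "*  issuer: ..." but not "subjectAltName".
FIELD_RE = re.compile(r"^\*\s+(subject|issuer):\s*(.+?)\s*$", re.MULTILINE)


def parse_cert_fields(curl_verbose):
    """Extract the subject and issuer lines from curl -v text."""
    return {name: value for name, value in FIELD_RE.findall(curl_verbose)}


def classify(curl_verbose, expected=EXPECTED_NAMES):
    """Return (verdict, missing_names) for one curl -v transcript."""
    fields = parse_cert_fields(curl_verbose)
    if "subject" not in fields or "issuer" not in fields:
        # Handshake failed before curl printed the certificate block.
        return "no-cert-details", list(expected)
    haystack = (fields["subject"] + " " + fields["issuer"]).lower()
    missing = [name for name in expected if name not in haystack]
    return ("expected-names" if not missing else "unexpected-cert"), missing


if __name__ == "__main__":
    for label, text in (("direct", SAMPLE_DIRECT),
                        ("inspected", SAMPLE_INSPECTED),
                        ("failed", SAMPLE_FAILED)):
        print(label, classify(text))
```

A transcript where curl reports "verify ok" but the issuer is an internal CA is the case to watch: the OS trusts the inspecting proxy while the Java truststore may not.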