Certificate issue

[Nils Jaburek]

Hi,

I get the error below when I try to sync Openremote designer with my controller. Is the problem on my side or on the other end?

Downloading account configuration failed : sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.

I have attached a log from my Openremote console.

/Nils

[Robnas]

same problem here, i think they have to add a new certificate

[orc trial]

same here

[Eric Bariaux]

Server certificate was about to expire and has been updated yesterday with a valid certificate.

If you have issues on the client side, you might need to import the certificate in the trust store.

keytool -keystore cacerts -import -trustcacerts -alias designer -file xxx.crt

xxx.crt being the certificate file you can download from the server

cacerts location will be dependent on your Java installation.

[Nils Jaburek]

If anyone having problems with this as well, here is what I have done to resolve the certificate issue on my Windows installation. Another way may be to upgrade to a later Java version since that may come with updated root certs. However, I did not want to change anything that works for the moment.

 

You need to download the root certificate “Digicert Global Root G2” and intermedia certificate “RapidSSL TLS RSA CA G1” from https://knowledge.digicert.com/generalinformation/INFO1548.html. I also attach the certificates here if you prefer that instead of downloading.

Your Java path folder may differ from mine, so you must replace path to cacers file in the lines below. In example I put downloaded root files to C:\Install. I could be a good idea to make a backup copy of the file "C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts" before you proceed.

From a command prompt, navigate to the Bin folder of your JDK, “C:\Program Files\Java\jdk1.8.0_66\jre\bin” on my installation.

Run the commands below. You will get prompted to enter keystore password, this is by default “changeit”.

 

Keytool -keystore "C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts" -import -trustcacerts -alias Root -file C:\Install\RapidRoot.crt

Keytool -keystore "C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts" -import -trustcacerts -alias intermediate -file C:\Install\RapidIntermedia.crt

 

After this you must restart your local Openremote service.

[Robnas]

Hi Eric,

could you tell me the location of this certificate i cannot find it on openremote.io or am i looking in the wrong way?

[Robnas]

Hello,

i tries this post:

https://groups.google.com/forum/#!searchin/openremotecommunity/certificate%7Csort:date/openremotecommunity/lkAYO2KX7wc/GesyXT7wAAAJ

the importing works and ive also put it in the java home dir but still  no luck with syncing....

On Tuesday, 19 November 2019 11:01:35 UTC+1, Eric Bariaux wrote:

[Robnas]

this worked for me:

keytool -keystore /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/security/cacerts -import -trustcacerts -alias designer_selfsigned1 -file openremote.crt

[Nathan Fettinger]

To centralize everything into a single place, and prevent you from having to download a file from an unknown user on the internet, here are the directions (works for me on a Raspberry Pi):

The server is using a self signed certificate. Download a copy from the server by using this command:

openssl s_client -showcerts -connect designer.openremote.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > openremote.crt

Now you need to import the certificate using root permissions (sudo):

keytool -keystore /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/security/cacerts -import -trustcacerts -alias designer_selfsigned1 -file openremote.crt

If the process requests a keystore password, enter it now. Note, if you have never set a keystore password before, use this default one:

changeit

Now restart the machine (if you cant do this, you can find a different syncing method using Google):

shutdown -r now