Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 28 more
Hi Carol,
What hostname are you using to connect to? The development certificate in the repository is valid for ‘localhost’ or ‘127.0.0.1’ though the former is preferred.
You’ll also have to instruct Java to trust the certificate authority that signed that certificate. There’s an open issue to make a command-line argument for this, but adding the Java flags -Djavax.net.ssl.trustStore=path/to/keywhiz/repository/server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies works in the meantime. Normally, these flags aren’t needed outside of development, because the certificate authority would be put in the default JRE truststore.
--
You received this message because you are subscribed to the Google Groups "keywhiz-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keywhiz-user...@googlegroups.com.
To post to this group, send email to keywhi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keywhiz-users/a8bb34a2-a18a-4c17-affa-7e41af0d7c14%40googlegroups.com.
unable to find valid certification path to requested target.
Carol
Exception in thread "main" java.lang.RuntimeException: java.security.KeyStoreException: problem accessing trust store
java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
Google says this is likely an issue with the keystore password. I can't look at that truststore using keytool and that password. Is it possible the password "ponies" is not correct?
Carol
Yes, that’s the correct password for the dev_and_test_truststore.p12 file checked into the keywhiz repository. If you have created your own keystore file, it could definitely be different. Here’s how I invoke keytool to list the contents:
~/Development/keywhiz master keytool -list -keystore server/src/main/resources/dev_and_test_truststore.p12 -storetype PKCS12 -storepass ponies
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
ca, May 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 4B:FE:F0:C8:E2:7B:05:C7:EC:00:9E:B0:4B:CD:07:5F:06:7E:B3:15
Does invoking keytool that way work for you?
Also note java 8 (or newer) is required for Keywhiz. We’re using PKCS12 format keystore files, which are only supported as truststores in java 8 and will become the default in java 9. If your keytool is packaged with JDK 7 or earlier, it may not work as expected. Unfortunately, I don’t think keytool has an option to spit out its version.
Exception in thread "main" java.io.IOException: Hostname Carols-MacBook-Pro.local not verified:
certificate: sha1/5mFHv+tKWhzfTWCX4GUQDrbJIxE=
DN: CN=localhost, OU=server
subjectAltNames: [127.0.0.1, localhost]
at com.squareup.okhttp.Connection.upgradeToTls(Connection.java:260)
You asked in an earlier post about hostname. Looks like my hostname is set to Carols-MacBook-Pro.local. Do you need to change the hostname, or do you know if there is a way to override it? This is the command I'm using:
java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar login
On Thursday, May 21, 2015 at 12:49:40 PM UTC-6, Justin Cummins wrote:
Aha, I see what’s wrong. Try:
java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar --url https://localhost:4444 login
That’s the same command you had, but with --url https://localhost:4444
added. The CLI tries to figure out the server URL if it is not specified. I plan to change the default to be this value. Also, I will have it display the assumed URL.
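The two failures in this thread, "PKIX path building failed" (the client does not trust the CA that signed the server certificate) and "Hostname ... not verified" (the name the client connected to is not in the certificate's subjectAltNames), are distinct checks that happen at different points of the TLS handshake. The following Java program is an added example, not code from the Keywhiz project: it builds an SSLContext from a PKCS12 truststore (the same thing the -Djavax.net.ssl.trustStore* flags do, but with the password taken from an environment variable instead of the command line, where it would show up in ps output and shell history), performs a handshake against the given host and port, and then reports the server certificate's DN, SHA-1 fingerprint and SAN list together with whether the connect name matches. The class name, argument order and the TRUSTSTORE_PASS variable are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TlsDiagnose {

    // Equivalent of -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStoreType=PKCS12.
    // A wrong password fails here with "failed to decrypt safe contents entry".
    static KeyStore loadPkcs12TrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // SSLContext whose only trust anchors are the certificates in the given truststore.
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Handshake and return the server's leaf certificate. An untrusted CA surfaces here as
    // an SSLHandshakeException wrapping "PKIX path building failed".
    static X509Certificate fetchLeaf(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            Certificate[] chain = s.getSession().getPeerCertificates();
            return (X509Certificate) chain[0];
        }
    }

    // dNSName (type 2) and iPAddress (type 7) entries of the subjectAltName extension.
    static List<String> dnsAndIpSans(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (type == 2 || type == 7) out.add((String) san.get(1));
            }
        }
        return out;
    }

    // Strict exact match, deliberately without wildcard or CN fallback: enough to show why
    // "Carols-MacBook-Pro.local" is rejected while "localhost" and "127.0.0.1" pass.
    static boolean hostnameMatches(String host, List<String> sans) {
        for (String san : sans) {
            if (san.equalsIgnoreCase(host)) return true;
        }
        return false;
    }

    // Colon-separated SHA-1 over the DER encoding, the same value keytool -list prints.
    static String sha1Fingerprint(Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TlsDiagnose <host> <port> <truststore.p12>  (password in $TRUSTSTORE_PASS)");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String env = System.getenv("TRUSTSTORE_PASS");
        char[] pass = env == null ? new char[0] : env.toCharArray();

        KeyStore ts = loadPkcs12TrustStore(args[2], pass);
        X509Certificate leaf = fetchLeaf(contextTrusting(ts), host, port);
        List<String> sans = dnsAndIpSans(leaf);

        System.out.println("DN: " + leaf.getSubjectX500Principal());
        System.out.println("SHA1: " + sha1Fingerprint(leaf));
        System.out.println("subjectAltNames: " + sans);
        System.out.println(host + (hostnameMatches(host, sans)
                ? " matches the certificate"
                : " is NOT in the SAN list; connect using one of the names above"));
    }
}
```

Run it as `TRUSTSTORE_PASS=ponies java TlsDiagnose localhost 4444 server/src/main/resources/dev_and_test_truststore.p12` against a running dev server; with the machine's own hostname instead of localhost it reports the mismatch the CLI tripped over. Note that a raw SSLSocket does not verify hostnames by itself, which is why this program checks the SAN list explicitly; a production client should instead set SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") (or use an HTTP client that does, as OkHttp does) so the JSSE rejects the mismatch during the handshake.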
java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar --url https://localhost:4444 add secrets --name edgesecret < request.json
Exception in thread "main" java.lang.RuntimeException: Please login by running a command without piping.
For example: keywhiz.cli login
at keywhiz.cli.ClientUtils.readPassword(ClientUtils.java:191)
at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:119)
at keywhiz.cli.CliMain.main(CliMain.java:68)
I can follow that command with the list command and it still works. Is my format for the add secrets correct? request.json is a json file based on the example in the doc. In the keywhiz log file, I see a missing session cookie message, but nothing else.
So, two questions: one, is the secrets file used in the CLI a JSON file, and two, is there something more that needs to be passed on an add secret command?
Exception in thread "main" java.lang.RuntimeException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.lang.String out of START_OBJECT token
at [Source: {"metadata":{"owner":"root","group":"root","mode":"0400"}, "name":"edgesecret", "description":"example uaa edge secret", "withVersion":false, "content":"a2V5dGFiIGNvbnRlbnQ="}; line: 1, column: 2]
at com.google.common.base.Throwables.propagate(Throwables.java:160)
at keywhiz.cli.commands.AddAction.getMetadata(AddAction.java:178)
at keywhiz.cli.commands.AddAction.run(AddAction.java:118)
at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:140)
at keywhiz.cli.CliMain.main(CliMain.java:68)
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.lang.String out of START_OBJECT token
at [Source: {"metadata":{"owner":"root","group":"root","mode":"0400"}, "name":"edgesecret", "description":"example uaa edge secret", "withVersion":false, "content":"a2V5dGFiIGNvbnRlbnQ="}; line: 1, column: 2]
at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148)
The json for metadata looks good to me, so not sure why it can't deserialize. Has anyone been able to add a secret from the cli and if so, can you provide the format used?
How about this?
> alias keywhiz.cli='java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar --url https://localhost:4444'
> keywhiz.cli login
> keywhiz.cli add secrets --name edgesecret --json '{"owner":"root","group":"root","mode":"0400"}' < edgesecret.txt
The --json argument is just for metadata (and perhaps should be named that), not a request object serialized to JSON. Generally, it’s not needed because the defaults from the mountpoint will be fine. However, I put an example above that should work.
For this example the bytes in edgesecret.txt will be exactly what is served as the secret edgesecret.
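Two things in the exchange above are worth seeing as code: the secret content is the raw bytes arriving on stdin, served back exactly as stored, and a password prompt is impossible in the same invocation that redirects stdin, because java.io.Console is unavailable once stdin or stdout is not a terminal. The program below is an added example written for this thread, not the Keywhiz CLI's own code; its class name, the "login" subcommand and the session-cookie comment are assumptions, and the error message is taken from the trace above.

```java
import java.io.ByteArrayOutputStream;
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

public class PipedSecretInput {

    // The secret is whatever bytes arrive on stdin: no trimming, no newline stripping,
    // no charset decoding, because those bytes are served verbatim as the secret.
    static byte[] readSecretContent(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    // System.console() returns null when stdin or stdout is redirected (e.g. "< edgesecret.txt"),
    // so the prompt has to happen in a separate, non-piped invocation.
    static char[] promptPassword(Console console, String user) {
        if (console == null) {
            throw new IllegalStateException("Please login by running a command without piping.");
        }
        return console.readPassword("password for '%s': ", user);
    }

    public static void main(String[] args) throws IOException {
        String user = System.getProperty("user.name");
        if (args.length > 0 && args[0].equals("login")) {
            char[] pw = promptPassword(System.console(), user);
            // The password would be sent to the server's login endpoint and the returned
            // session cookie persisted for later, piped invocations; wipe it after use.
            Arrays.fill(pw, '\0');
            System.out.println("logged in as " + user);
        } else {
            byte[] content = readSecretContent(System.in);
            System.out.println("read " + content.length + " secret bytes from stdin");
        }
    }
}
```

`java PipedSecretInput login` prompts on a terminal, while `java PipedSecretInput login < edgesecret.txt` fails with the message from the trace; the same null-console condition is why the add command must find an already-established session rather than asking for a password.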
alias cli='java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar -Duser.name=keywhizAdmin ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar --url https://localhost:4444'
Carols-MacBook-Pro:keywhiz carolbloch$ cli login
password for 'keywhizAdmin':
Carols-MacBook-Pro:keywhiz carolbloch$ cli add secrets --name edgesecret --json '{"owner":"root","group":"root","mode":"0400"}' < edgesecret.txt
Exception in thread "main" java.lang.RuntimeException: Please login by running a command without piping.
For example: keywhiz.cli login
at keywhiz.cli.ClientUtils.readPassword(ClientUtils.java:191)
at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:119)
at keywhiz.cli.CliMain.main(CliMain.java:68)
I'm providing the same password that works on the admin web page: adminPass.
Carol