Unable to run scheduled tasks over SSL sun.security.validator.ValidatorException even after adding


Tom Chiverton

Apr 13, 2016, 11:08:11 AM
to Lucee
My server uses Lucee 4.x behind Apache on Amazon Linux 64bit with Java 1.8.

When my scheduled tasks run, the below exception is logged, and so obviously nothing gets run. I've been to the server admin and pressed 'install' after entering my server's address.
Nothing appears to happen that is different from pressing 'list' there, and even after a restart my tasks break.

Is there any way to check the certificates have been installed?
It's a Let's Encrypt certificate, if it helps. Can I maybe add its chain/root certificate by hand somewhere?

"ERROR","Thread-124","04/13/2016","15:07:09","","schedule task:queue tick;sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at lucee.commons.net.http.httpclient4.HTTPEngine4Impl.execute(HTTPEngine4Impl.java:423)
        at lucee.commons.net.http.httpclient4.HTTPEngine4Impl._invoke(HTTPEngine4Impl.java:253)
        at lucee.commons.net.http.httpclient4.HTTPEngine4Impl.get(HTTPEngine4Impl.java:113)
        at lucee.commons.net.http.HTTPEngine.get(HTTPEngine.java:86)
        at lucee.runtime.schedule.ExecutionThread.execute(ExecutionThread.java:108)
        at lucee.runtime.schedule.ExecutionThread.run(ExecutionThread.java:58)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
        ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
        ... 31 more
"

Julian Halliwell

Apr 13, 2016, 3:34:45 PM
to lu...@googlegroups.com
The exception you are getting is different, but I wonder if it's
related to this scheduler-specific issue?

https://luceeserver.atlassian.net/browse/LDEV-649

Nando Breiter

Apr 13, 2016, 6:21:23 PM
to lu...@googlegroups.com
> I've been to the server admin and pressed 'install' after entering my server's address.

Did you enter a domain or an IP address? Speculation on my part, but perhaps you might be able to install the certs via the Lucee admin if you enter the domain and the certs are installed on a web server in front of Lucee, Apache in your case. If the certs aren't already installed somewhere, I don't see how the Lucee admin could pick them up and install them.

> Nothing appears to happen that is different from pressing 'list' there, and even after a restart my tasks break.

I run all scheduled tasks via localhost:8888 if possible to avoid the hassle of installing and maintaining certs using the Java keytool, which is what I've done in the past. Every time the JVM is updated, the certs need to be reinstalled.

> Is there any way to check the certificates have been installed?
> It's a Let's Encrypt certificate, if it helps. Can I maybe add its chain/root certificate by hand somewhere?

My experience in regard to installing certs for APIs: if you are able to install the cert via the admin interface by entering the domain, it will install the entire chain. If you install the certs using the Java keytool, you'll need to install each cert in the entire chain individually.

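The keytool route discussed above has a gotcha worth making concrete: `keytool -importcert` reads only the first certificate in a PEM file, so importing a combined chain file installs the leaf and silently drops the intermediate, and the JVM still cannot build a path. Java's PKIX validator treats every certificate in cacerts as a trust anchor, so what actually fixes "unable to find valid certification path" is getting the intermediate (or the root) into the truststore the JVM really reads. The script below is an added example, not code from this thread or from Lucee: it fetches the chain the server presents (with SNI, so Apache serves the right vhost's certificate), splits it into one file per certificate, and imports everything except the leaf. It assumes a Java 8 install under `JAVA_HOME` (JDK or JRE layout), the default truststore password `changeit`, an `openssl` binary on the box, and an arbitrary alias prefix `letsencrypt`; the host name and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Lucee): fetch a server's TLS chain
# with SNI, split it into one PEM per certificate, import each into the JVM
# truststore.  Splitting matters because keytool -importcert only takes the
# first certificate in a PEM file.
set -eu

# Assumption: default truststore password; override with STOREPASS=... if changed.
STOREPASS="${STOREPASS:-changeit}"

# jvm_cacerts -> path of the cacerts file this JVM reads (JDK or JRE layout).
jvm_cacerts() {
    for f in "${JAVA_HOME:?set JAVA_HOME to the JVM Lucee runs on}/jre/lib/security/cacerts" \
             "$JAVA_HOME/lib/security/cacerts"; do
        [ -f "$f" ] && { echo "$f"; return 0; }
    done
    echo "no cacerts found under JAVA_HOME=$JAVA_HOME" >&2
    return 1
}

# fetch_chain HOST [PORT] -> PEM certificates the server sends, leaf first.
# -servername sends SNI, so a multi-vhost Apache returns the matching cert.
fetch_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# split_pem_bundle BUNDLE OUTDIR -> writes OUTDIR/cert-1.pem, cert-2.pem, ...
# in file order and prints how many certificates were written.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_chain BUNDLE KEYSTORE PREFIX -> imports every certificate in BUNDLE
# except cert-1 (the leaf).  A 90-day leaf as trust anchor breaks at the next
# renewal; the intermediate/root is what lets the path build.
import_chain() {
    bundle="$1"; keystore="$2"; prefix="$3"
    tmp=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$tmp")
    if [ "$count" -lt 2 ]; then
        echo "server sent only $count certificate(s); the intermediate is missing from the server config, not the JVM" >&2
        rm -rf "$tmp"
        return 1
    fi
    i=2
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$keystore" -storepass "$STOREPASS" \
            -alias "$prefix-$i" -file "$tmp/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# list_aliases KEYSTORE PREFIX -> aliases under PREFIX, proving the import
# landed in the file the JVM reads rather than some other cacerts.
list_aliases() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" | grep -i "^$2-"
}

# Usage: sh this.sh install www.example.com
# Re-run after every JVM update: the update ships a fresh cacerts.
if [ "${1:-}" = "install" ]; then
    host="$2"
    fetch_chain "$host" > "/tmp/$host-chain.pem"
    import_chain "/tmp/$host-chain.pem" "$(jvm_cacerts)" letsencrypt
    list_aliases "$(jvm_cacerts)" letsencrypt
fi
```

Two design points. Skipping the leaf is deliberate: Java would happily trust it as an anchor, but a Let's Encrypt leaf expires in 90 days and the scheduler would break again at renewal. And when the server only sends one certificate, the script refuses rather than importing anything, because the fix then belongs in the Apache vhost (send the intermediate), not in the truststore; the `count -lt 2` check is the diagnostic Tom asked for when he wondered how to verify what was installed.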

Tom Chiverton

Apr 14, 2016, 4:06:47 AM
to Lucee
I entered the domain in the Lucee admin. The Apache config uses SNI. If I had to guess, the scheduler isn't correctly doing this.
It does sound a lot like the same issue as https://luceeserver.atlassian.net/browse/LDEV-649

I've added the Let's Encrypt cert and chain files to the cacerts file with keytool, and even moved to the latest 1.8 JVM.
No change :-/

I can't run using localhost:8888 because there are many applications on the box with differing domains.

I guess I can fall back to wget in cron ...

Tom

Tom Chiverton

Apr 14, 2016, 4:11:44 AM
to Lucee
Ohh, the workaround from https://luceeserver.atlassian.net/browse/LDEV-649 *does* work - change the URL to be http:// and enter '8888' as the port.

Tom

Julian Halliwell

Apr 14, 2016, 4:22:04 AM
to lu...@googlegroups.com
Can't you use the domain of the app with the function you want to run?
You're basically calling Tomcat directly over http and it has to know
which host goes with which app (as registered in server.xml).

Nando Breiter

Apr 14, 2016, 5:54:23 AM
to lu...@googlegroups.com

> I can't run using localhost:8888 because there are many applications on the box with differing domains.

Same here (many domains), but I append an app key to the scheduled task urls and have code that sets which app the request applies to, which allows me to run these requests via localhost.

David Eurenius

Apr 14, 2016, 8:16:59 AM
to Lucee
We are also facing this issue, we opted for configuring all Scheduled tasks to run on tomcat directly (port 8888) thus skipping IIS (in our case) and all SSL Cert issues.
We are able to run it on http://DNS name:8888/path/to/scheduledtask script/

--David