Fixing outdated certificate problem for Rackspace using the JClouds API

Hi,

We have an application running on the Rackspace hosting platform accessing the Rackspace Cloud Files using Apache JClouds API. Just about yesterday we ran into a problem where we could no longer generate temporary URLs for our files. Here's a snippet of the stacktrace of the error:

Caused by: org.jclouds.http.HttpResponseException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target connecting to POST identity.api.rackspacecloud.com/.../tokens HTTP/1.1
        at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:117)
        at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:90)
        at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:73)
        at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:44)
        at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156)
        at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123)
        at com.sun.proxy.$Proxy167.authenticateWithTenantNameAndCredentials(Unknown Source)
        at org.jclouds.rackspace.cloudidentity.v2_0.functions.AuthenticateApiKeyCredentials.authenticateWithTenantName(AuthenticateApiKeyCredentials.java:48)
        at org.jclouds.rackspace.cloudidentity.v2_0.functions.AuthenticateApiKeyCredentials.authenticateWithTenantName(AuthenticateApiKeyCredentials.java:36)
        at org.jclouds.openstack.keystone.v2_0.functions.internal.BaseAuthenticator.apply(BaseAuthenticator.java:81)
        at org.jclouds.openstack.keystone.v2_0.functions.internal.BaseAuthenticator.apply(BaseAuthenticator.java:36)
        at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:148)
        at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3524)
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2317)
        at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2280)
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2195)
        ... 121 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
        at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.writePayloadToConnection(JavaUrlHttpCommandExecutorService.java:294)
        at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.convert(JavaUrlHttpCommandExecutorService.java:170)
        at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.convert(JavaUrlHttpCommandExecutorService.java:64)
        at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:95)
        ... 136 more

You get the idea.

So support told us that this is basically caused by an outdated certificate and we need to replace it with this certificate:

https://curl.haxx.se/ca/cacert.pem


I downloaded the file and attempted to store it in the Linux trusted certificates folder. Here are the steps I performed in updating the certificate:

1. Create a folder /usr/local/share/ca-certificates/myapp
2. Copy cacert.pem into the above folder
3. Rename cacert.pem to cacert.crt (also tried converting into der format with the .crt extension)
4. Execute sudo update-ca-certificates -f

For the Keystore:
1. cd into /etc/ssl/certs/java folder
2. Copy cacert.pem into this folder
3. Execute keytool -import -trustcacerts -file ./cacert.pem -alias rackspace -keystore ./cacerts
(After no. 3, I get a warning that says that the certificate is already installed in <debian:****>, but I still proceed with the import)

However, I still get the same error stack. Has anybody experienced the same thing? How did you solve this problem?

Thanks,
Rainier
  • UPDATE, I tried nearly every combination of the above without success. What did work was replacing the cacerts file in java6 with that of the file from java8. Now I have no idea if this is OK to do. Best Regards H
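
An added example, not part of the original thread, relating to the keytool steps in the question and the cacerts swap in the reply: cacert.pem is a bundle of many CA certificates, while keytool stores one trusted certificate per alias, and a JVM reads the cacerts file under its own JAVA_HOME, which is not necessarily /etc/ssl/certs/java/cacerts. The function names are hypothetical, and the sketch assumes a Linux host with awk, readlink -f and the JVM's keytool on the PATH.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not code from the thread.
# Usage: import_bundle cacert.pem "$(find_jvm_truststore "$JAVA_HOME")" STOREPASS

# Print the real path of the trust store a JVM under JAVA_HOME ($1) reads by
# default: jre/lib/security/cacerts (JDK 8 and older) or lib/security/cacerts.
find_jvm_truststore() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -e "$p" ]; then
            readlink -f "$p"   # resolve distro symlinks to the actual file
            return 0
        fi
    done
    echo "no cacerts under $1" >&2
    return 1
}

# Write every certificate in PEM bundle $1 to $2/cert-NNN.crt, skipping the
# comment lines between blocks, and print the number of certificates found.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.crt", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# Import each certificate of bundle $1 into keystore $2 (password $3) under
# its own alias, because keytool stores one trusted certificate per alias.
import_bundle() {
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$1" "$tmp") || return 1
    for f in "$tmp"/cert-*.crt; do
        [ -e "$f" ] || continue
        keytool -importcert -noprompt -trustcacerts \
            -alias "bundle-$(basename "$f" .crt)" \
            -file "$f" -keystore "$2" -storepass "$3" >&2 \
            || echo "not imported: $f" >&2
    done
    rm -rf "$tmp"
    echo "$count"
}
```

Comparing the path printed by find_jvm_truststore for the JVM that runs the application with the keystore that was edited shows whether the import reached the trust store that JVM actually loads.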
