Description of problem:

Customer has an OCP 3.10 cluster with custom certs. Following [0], the customer sees the error message [1] (attaching full log shortly). Customer worked around the issue in some instance due to the ability to "add the cert from our master to cacerts file in my jre/lib/security directory on my Mac using keytool" but could not perform the same action using a Windows machine.

[0] https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/html-single/fuse_on_openshift_guide/#get-started-s2i-binary

[1]
[WARNING] F8: Cannot access cluster for detecting mode: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 19.883 s
[INFO] Finished at: 2018-10-15T16:44:39-05:00
[INFO] Final Memory: 43M/673M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal io.fabric8:fabric8-maven-plugin:3.5.40:deploy (default-cli) on project booster: An error has occurred. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Version-Release number of selected component (if applicable):
OCP 3.9
7.1.0.fuse-710019-redhat-00002
Eric Jones, is the customer certificate a self-signed certificate? If it is, what is the user's expectation? IMO he should - like they did - add the cert to the JRE, so why would this be a workaround? Is the bug that this doesn't work on Windows?
Or is it that the user wants to trust the cert no matter what, using something like a system param of KUBERNETES_TRUST_CERT=true?
Hi Kurt, I am fairly sure that it is not a self-signed cert, just a cert provided by the customer, not the default cert generated by the installation of OpenShift. The reason I logged the bug is because the install should have the ability to trust the cluster's certificates (like a system/cluster parameter similar to KUBERNETES_TRUST_CERT=true). Is that possible at this time and the customer and I simply missed a setting?
Any updates?
Hi Eric, Sorry, I guess I was hoping we'd get some feedback from the customer on if setting KUBERNETES_TRUST_CERT=true does the trick. It'd be better to explicitly trust the server certificate on the client side as the customer did on his Mac. So is the real answer here to figure out why this doesn't work on Windows? --Kurt
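The client-side trust approach discussed above, sketched for a Windows workstation as an added example that is not part of the original bug comments. The file paths, alias and store password are placeholders, and it assumes the plugin's Kubernetes client uses the JVM default truststore, as the successful cacerts import on the Mac suggests.

```powershell
# Added example: explicitly trust the cluster's CA instead of disabling verification.
# All paths, the alias and the password below are assumed placeholders.
$CaPem      = "C:\certs\cluster-ca.pem"            # CA that signed the master's certificate
$TrustStore = "$env:USERPROFILE\ocp-truststore.jks" # dedicated copy, not the JRE's own file
$StorePass  = "changeit"                            # default password of the JRE cacerts file
$Alias      = "ocp-cluster-ca"

# Use the keytool of the JDK that Maven runs with, not whichever one is first on PATH.
if (-not $env:JAVA_HOME) { throw "JAVA_HOME is not set; set it to the JDK Maven runs with." }
$Keytool = Join-Path $env:JAVA_HOME "bin\keytool.exe"

# Java 8 keeps cacerts under jre\lib\security, Java 9+ under lib\security.
$CaCerts = @("jre\lib\security\cacerts", "lib\security\cacerts") |
    ForEach-Object { Join-Path $env:JAVA_HOME $_ } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $CaCerts) { throw "No cacerts file found under $env:JAVA_HOME" }

# Show subject, issuer and fingerprints so they can be compared with the values
# supplied by the cluster administrator before anything is trusted.
& $Keytool -printcert -file $CaPem

# Work on a copy so the public CAs stay trusted and the JRE's file is untouched.
Copy-Item $CaCerts $TrustStore -Force
& $Keytool -importcert -noprompt -trustcacerts -alias $Alias `
    -file $CaPem -keystore $TrustStore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed" }

# Confirm the entry is present in the new truststore.
& $Keytool -list -alias $Alias -keystore $TrustStore -storepass $StorePass

# Point the JVM that runs Maven at the new truststore for this session only.
$env:MAVEN_OPTS = "-Djavax.net.ssl.trustStore=`"$TrustStore`" " +
                  "-Djavax.net.ssl.trustStorePassword=$StorePass"
mvn fabric8:deploy
```

Unlike KUBERNETES_TRUST_CERT=true, this keeps certificate validation on and only extends the set of trusted issuers by the one CA that was checked.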
OCP 3.6-3.10 is no longer on full support [1]. Marking CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Target Release to the appropriate version where needed. [1]: https://access.redhat.com/support/policy/updates/openshift
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days