+++ This bug was initially created as a clone of Bug #535800 +++

Using the sslservlet transport (with default keys) for communication between JON agents and JON server. No custom SSL certificates or keys etc.

After upgrade of JON Server to 2.3.0 the agent auto upgrade fails with following messages:

2009-10-06 13:04:15,110 FATAL [RHQ Agent Update Thread] (org.rhq.enterprise.agent.AgentUpdateThread)- {PromptCommand.update.download-failed}Failed to download the agent update binary. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2009-10-06 13:04:15,110 FATAL [RHQ Agent Update Thread] (org.rhq.enterprise.agent.AgentUpdateThread)- {AgentUpdateThread.exception}The agent update thread encountered an exception: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
-> javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
-> sun.security.validator.ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
-> sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target

--- Additional comment from John Mazzitelli on 2009-10-27 15:44:20 EDT ---

This is because the agent downloads the upgrade binary jar using a normal JDK URLConnection object, as opposed to going through agent-server mechanism. We need to fix this so it will at least use the SSL cert assigned to the agent if it has one (for the agent-server comm).

An alternative approach is to have the agent go through the normal agent-server RPC channel, but this would then prohibit the ability for someone to deploy the agent update binaries on a separate download server. You can tell the agent to point to a different download URL when it needs to obtain the agent update binary (this is to allow, say, an Apache HTTP server to serve up the agent binaries, freeing the RHQ Server from having to serve that static content itself).

--- Additional comment from Red Hat Bugzilla on 2009-11-10 16:04:50 EST ---

This bug was previously known as http://jira.rhq-project.org/browse/RHQ-2459

--- Additional comment from John Mazzitelli on 2010-06-11 09:29:11 EDT ---

I wanted to just document the workaround in more detail. You'll see these two settings in agent-configuration.xml. If you set them to some external HTTP-accessible locations, and you copy the <server-install-dir>/jbossas/server/default/deploy/rhq.ear/rhq-downloads/rhq-agent/* files so they are HTTP-accessible (i.e. copy them to some git-repo with HTTP access or some Apache web server) then you can have the agent do the auto-upgrade and still have it go over https to the RHQ server.

Note that these settings can be changed in agent-configuration.xml if you are preconfiguring the agent or you can answer the setup questions from the console when you first set up the agent (these are advanced questions, so you need to pass to the agent the -a option).

<!--
_______________________________________________________________
rhq.agent.agent-update.version-url

If this is defined, it will be the URL the agent uses when it
needs to retrieve information about the latest available agent
update binary. If this is not defined, the agent will ask its
server for the agent update binary version information.
-->
<!--
<entry key="rhq.agent.agent-update.version-url" value="http://127.0.0.1:7080/agentupdate/version" />
-->

<!--
_______________________________________________________________
rhq.agent.agent-update.download-url

If this is defined, it will be the URL the agent uses when it
needs to download the latest available agent update binary.
If this is not defined, the agent will download the agent
update binary from its server.
-->
<!--
<entry key="rhq.agent.agent-update.download-url" value="http://127.0.0.1:7080/agentupdate/download" />
-->
git commit to master: 2c6438cd554b64aa97f2b83d1d5fe7f005d9f68f

To test, configure the agent to talk to the server over a secure channel:

https://docs.jboss.org/author/display/RHQ/Securing+Communications

Then when the agent has started, just try this from the agent prompt:

> update -v

This should not give you any errors, it should tell you the version of the agent update binary as found on the server. Then if you try this:

> update -o

that should download the agent update binary. The agent should not print out any errors on the console and if you look at the .jar that was downloaded, it should be a complete agent update binary file.
tweak to new class - git commit 7c4577c895a469b5ddce6aa91eb6935eb5cf6cc9
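
The failure in this report comes from fetching the update binary with a plain JDK URLConnection, which validates the server certificate against the JVM's default trust store instead of the agent's own SSL settings. The following is an added example, not the RHQ code from the commits above, of a download that validates an https URL against an explicitly supplied truststore while leaving hostname verification on; the class name, method names and command-line arguments are assumptions for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; not part of the RHQ code base.
public class AgentUpdateDownload {

    // Build an SSLContext that trusts only the certificates in the given truststore file.
    static SSLContext contextFor(Path truststore, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(truststore)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default randomness
        return ctx;
    }

    // Download url to dest. An https URL is validated against ctx instead of the
    // JVM default trust store; a plain http URL (separate download server) is unaffected.
    static long download(URL url, SSLContext ctx, Path dest) throws Exception {
        URLConnection conn = url.openConnection();
        if (conn instanceof HttpsURLConnection) {
            ((HttpsURLConnection) conn).setSSLSocketFactory(ctx.getSocketFactory());
        }
        try (InputStream in = conn.getInputStream()) {
            return Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
        }
    }

    // Assumed arguments: <download-url> <truststore-file> <truststore-password> <output-jar>
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor(Paths.get(args[1]), args[2].toCharArray());
        long bytes = download(new URL(args[0]), ctx, Paths.get(args[3]));
        System.out.println("downloaded " + bytes + " bytes");
    }
}
```

If the server certificate does not chain to an entry in the supplied truststore, `download` fails with the same `SSLHandshakeException` / `PKIX path building failed` chain shown in the original report.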
As this is MODIFIED or ON_QA, setting milestone to ER1.
auto-upgrade enabled, binary is being downloaded -> http://d.pr/i/KqI1

no exceptions in agent.log -> http://d.pr/f/Icic