Bug 955215 - JON Agent auto upgrade fails using sslservlet
Summary: JON Agent auto upgrade fails using sslservlet
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: Agent
Version: JON 3.1.2
Hardware: All
OS: All
unspecified
high
Target Milestone: ER01
: JON 3.2.0
Assignee: John Mazzitelli
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On: RHQ-2459
Blocks:
Reported: 2013-04-22 14:47 UTC by Larry O'Leary
Modified: 2018-12-03 18:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: RHQ-2459
Environment:
JON 2.3 server and 2.2 agent using sslservlet
Last Closed: 2014-01-02 20:35:50 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1302800 0 high CLOSED Remote agent auto upgrade failed when sslsocket encryption enabled 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 19832 0 None None None Never

Internal Links: 1302800

Description Larry O'Leary 2013-04-22 14:47:14 UTC
+++ This bug was initially created as a clone of Bug #535800 +++

Using the sslservlet transport (with default keys) for communication between JON agents and JON server.  No custom SSL certificates or keys etc.

After upgrade of JON Server to 2.3.0 the agent auto upgrade fails with the following messages:

2009-10-06 13:04:15,110 FATAL [RHQ Agent Update Thread] (org.rhq.enterprise.agent.AgentUpdateThread)- {PromptCommand.update.download-failed}Failed to download the agent update binary. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2009-10-06 13:04:15,110 FATAL [RHQ Agent Update Thread] (org.rhq.enterprise.agent.AgentUpdateThread)- {AgentUpdateThread.exception}The agent update thread encountered an exception: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> sun.security.validator.ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target

--- Additional comment from John Mazzitelli on 2009-10-27 15:44:20 EDT ---

This is because the agent downloads the upgrade binary jar using a normal JDK URLConnection object, as opposed to going through the agent-server mechanism.

We need to fix this so it will at least use the SSL cert assigned to the agent if it has one (for the agent-server comm).

An alternative approach is to have the agent go through the normal agent-server RPC channel, but this would then prohibit the ability for someone to deploy the agent update binaries on a separate download server.

You can tell the agent to point to a different download URL when it needs to obtain the agent update binary (this is to allow, say, an Apache HTTP server to serve up the agent binaries, freeing the RHQ Server from having to serve that static content itself).

--- Additional comment from Red Hat Bugzilla on 2009-11-10 16:04:50 EST ---

This bug was previously known as http://jira.rhq-project.org/browse/RHQ-2459

--- Additional comment from John Mazzitelli on 2010-06-11 09:29:11 EDT ---

I wanted to just document the workaround in more detail. You'll see these two settings in agent-configuration.xml. If you set them to some external HTTP-accessible locations, and you copy the <server-install-dir>/jbossas/server/default/deploy/rhq.ear/rhq-downloads/rhq-agent/* files so they are HTTP-accessible (i.e. copy them to some git-repo with HTTP access or some Apache web server) then you can have the agent do the auto-upgrade and still have it go over https to the RHQ server.

Note that these settings can be changed in agent-configuration.xml if you are preconfiguring the agent or you can answer the setup questions from the console when you first set up the agent (these are advanced questions, so you need to pass to the agent the -a option).

               <!--
               _______________________________________________________________
               rhq.agent.agent-update.version-url

               If this is defined, it will be the URL the agent uses when it
               needs to retrieve information about the latest available
               agent update binary.  If this is not defined, the agent will
               ask its server for the agent update binary version information.
               -->
               <!--
               <entry key="rhq.agent.agent-update.version-url" value="http://127.0.0.1:7080/agentupdate/version" />
               -->

               <!--
               _______________________________________________________________
               rhq.agent.agent-update.download-url

               If this is defined, it will be the URL the agent uses when it
               needs to download the latest available agent update binary.
               If this is not defined, the agent will download the agent
               update binary from its server.
               -->
               <!--
               <entry key="rhq.agent.agent-update.download-url" value="http://127.0.0.1:7080/agentupdate/download" />
               -->
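The root cause named above is that the download went through a bare JDK URLConnection, which validates the server certificate against the JDK's default cacerts rather than against the truststore the agent already uses for agent-server communication, hence the "PKIX path building failed" errors for the server's default self-signed key. The following is an added example of the shape of fix described (use the agent's own trust material when it has some, otherwise fall back to JDK defaults); it is not RHQ's code from the commits in this bug. The truststore path, password and type are assumed constructor arguments here; the agent's real preference keys for them are not shown on this page.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Downloads an agent update binary over HTTPS using the agent's own
 * truststore, so a server certificate that is not signed by a CA in the
 * JDK's default cacerts still validates. Example code written for this
 * bug report; not the RHQ agent's implementation.
 */
public class TrustedAgentUpdateDownloader {

    // Assumed inputs: in a real agent these would come from its configuration.
    private final String truststoreFile;      // null means "no truststore configured"
    private final char[] truststorePassword;
    private final String truststoreType;      // e.g. "JKS"

    public TrustedAgentUpdateDownloader(String truststoreFile, char[] truststorePassword, String truststoreType) {
        this.truststoreFile = truststoreFile;
        this.truststorePassword = truststorePassword;
        this.truststoreType = truststoreType;
    }

    /** Builds a socket factory that trusts exactly what the agent's truststore trusts. */
    SSLSocketFactory buildSocketFactory() throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(truststoreType);
        try (InputStream in = new FileInputStream(truststoreFile)) {
            trustStore.load(in, truststorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: trust decisions only
        return ctx.getSocketFactory();
    }

    /** Downloads the update binary at url into destFile and returns the byte count. */
    public long download(URL url, File destFile) throws IOException, GeneralSecurityException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (conn instanceof HttpsURLConnection && truststoreFile != null) {
            // This is the step a plain URLConnection skips: without it the JDK
            // default truststore is consulted and PKIX path building fails for
            // the server's self-signed certificate. With no truststore configured
            // the JDK defaults are kept, matching "use the agent's cert if it has one".
            ((HttpsURLConnection) conn).setSSLSocketFactory(buildSocketFactory());
        }
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(60_000);
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("Agent update download failed with HTTP status " + status);
        }
        long total = 0;
        try (InputStream in = conn.getInputStream(); OutputStream out = new FileOutputStream(destFile)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
                total += n;
            }
        }
        return total;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustedAgentUpdateDownloader <download-url> <truststore> <password> <dest-jar>");
            System.exit(2);
        }
        TrustedAgentUpdateDownloader d =
            new TrustedAgentUpdateDownloader(args[1], args[2].toCharArray(), "JKS");
        long bytes = d.download(new URL(args[0]), new File(args[3]));
        System.out.println("downloaded " + bytes + " bytes");
    }
}
```

The download-url argument corresponds to the rhq.agent.agent-update.download-url setting quoted above, with an https scheme when the server side is the secured RHQ server rather than a separate plain-HTTP download host. Note that this only widens what the connection trusts to the agent's truststore; it does not disable certificate validation or hostname checking, which would be the wrong way to make the error go away.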

Comment 1 John Mazzitelli 2013-05-08 20:47:32 UTC
git commit to master: 2c6438cd554b64aa97f2b83d1d5fe7f005d9f68f

to test, configure the agent to talk to the server over a secure channel:

   https://docs.jboss.org/author/display/RHQ/Securing+Communications

then when the agent has started, just try this from the agent prompt:

> update -v

This should not give you any errors, it should tell you the version of the agent update binary as found on the server. Then if you try this:

> update -o

that should download the agent update binary. The agent should not print out any errors on the console and if you look at the .jar that was downloaded, it should be a complete agent update binary file.

Comment 2 John Mazzitelli 2013-05-09 02:26:37 UTC
tweak to new class - git commit 7c4577c895a469b5ddce6aa91eb6935eb5cf6cc9

Comment 4 Larry O'Leary 2013-09-06 14:32:25 UTC
As this is MODIFIED or ON_QA, setting milestone to ER1.

Comment 5 Armine Hovsepyan 2013-11-25 17:14:55 UTC
auto-upgrade enabled, binary is being downloaded -> http://d.pr/i/KqI1
no exceptions in agent.log -> http://d.pr/f/Icic

