Pivotal Knowledge Base

Follow

Installation of Healthwatch service failed with "unable to find valid certification path to requested target"

Environment

Pivotal Cloud Foundry (PCF) Healthwatch v1.1.4

Symptom

When installing PCF Healthwatch Service Tile version 1.1.4, the installation fails with error message “unable to find valid certification path to requested target”. This error is also thrown when certificate(s) are added into "Trusted Certificates" section in Bosh Director config in Operations Manager.

In version 1.1.3, This error does not occur.

Error Message:

===== 2018-02-20 10:08:29 UTC Running "/usr/local/bin/bosh --no-color --non-interactive --tty --environment=192.168.0.2 --deployment=p-healthwatch-433d1d8b12a5787b5e01 run-errand p
ush-apps --instance healthwatch-forwarder/first"
Using environment '192.168.0.2' as client 'ops_manager' Using deployment 'p-healthwatch-433d1d8b12a5787b5e01' Task 858 Task 858 | 10:08:31 | Preparing deployment: Preparing deployment (00:00:02)
Task 858 | 10:08:33 | Running errand: healthwatch-forwarder/69364873-5b34-471c-97a6-c74c6d597160 (0) (00:05:12)
Task 858 | 10:13:45 | Fetching logs for healthwatch-forwarder/69364873-5b34-471c-97a6-c74c6d597160 (0): Finding and packing log files (00:00:01) Task 858 Started Tue Feb 20 10:08:31 UTC 2018
Task 858 Finished Tue Feb 20 10:13:46 UTC 2018
Task 858 Duration 00:05:15
Task 858 done Instance healthwatch-forwarder/69364873-5b34-471c-97a6-c74c6d597160
Exit Code 1
Stdout /var/vcap/data/push-apps-packaging /var/vcap/bosh
/var/vcap/bosh
/var/vcap/data/push-apps-packaging /var/vcap/bosh
/var/vcap/data/push-apps-packaging/cf-health-check /var/vcap/data/push-apps-packaging /var/vcap/bosh
/var/vcap/data/push-apps-packaging /var/vcap/bosh
/var/vcap/bosh
/var/vcap/data/push-apps-packaging /var/vcap/bosh
/var/vcap/data/push-apps-packaging/alerts /var/vcap/data/push-apps-packaging /var/vcap/bosh
/var/vcap/data/push-apps-packaging /var/vcap/bosh
/var/vcap/bosh
ESC[1m2018-02-20 10:08:43ESC[m ESC[32mINFOESC[m ESC[2mpushapps.PushAppsCliESC[m [main] Pushing applications to the platform
ESC[1m2018-02-20 10:08:43ESC[m ESC[32mINFOESC[m ESC[2mpushapps.DatabaseMigratorESC[m [main] Running migrations for the following schemas: platform_monitoring
ESC[1m2018-02-20 10:08:44ESC[m ESC[1;31mERRORESC[m ESC[2mchannel.ChannelOperationsESC[m [cloudfoundry-client-nio-1] [HttpClient] Error processing connection. Requesting close the channel
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
......
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause 

A new Java-based push-apps errand is introduced in v1.1.4. If a user has some self-signed certificates where the CA for these certificates is added to the Bosh Director "Trusted Certificates" via Operations Manager to facilitate SSL validation, then the problem will happen because those trusted certificates are not added to local Java trust store and the error messages which are shown above will appear.

Resolution

This issue is fixed in Healthwatch latest release v1.1.5. Users should avoid using v1.1.4. 

Additional Information

Refer to the Healthwatch release note for more information.

Comments

Powered by Zendesk