KrishnaR2370 Member since 2017 9 posts
Citigroup Inc
Posted: 2 years ago
Last activity: 2 years 4 months ago
Closed
Solved

Certificate invalid path error

Problem Summary –

  • As part of CICD implementation using prpcserviceutils command line tool, we are not able to establish operator connectivity using secure http.

For example – we have used a serviceConnection.properties file with contents like below –

  • cat serviceConnection.properties

DefaultSystem1.pega.rest.server.url=https://hostname:port/prweb/PRRestService  (Must use secure HTTP URL for UAT and PROD env)

  1. The error which we receive while performing product export –
  • Using command - sh prpcServiceUtils.sh export --connPropFile serviceConnection.properties
  • With the above command the build fails with the error –

[java] java.security.cert.CertPathValidatorException: The certificate issued by CN=Citi Root CA G2 UAT, O=Citigroup Inc., C=US is not trusted; internal cause is: [java] java.security.cert.CertPathValidatorException: Certificate chaining error

[java] Error Messages : REQUEST_EXECUTION_ERROR com.pega.pegarules.serviceclient.exception.PRPCServiceException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Steps to reproduce the error –

  • Very much possible – the CICD setup is available on DEV servers and problem can be reproduced when required

Troubleshooting steps performed so far –

  • Ordered JKS certificate and imported on server successfully. No issues here
  • Added following JVMs at WebSphere application server to establish imported JKS connectivity with Pega application and UI (https URL)
  • -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.keyStore=/CPR/app2app/cert/keystore.jks -Djavax.net.ssl.keyStorePassword=xxxxx -Djavax.net.ssl.trustStore=/CPR/app2app/cert/truststore.jks -Djavax.net.ssl.trustStorePassword=xxxxx
  • After updating the above JVMs we restarted the application instance on the WebSphere server. During node startup we get the following error –

Present status -

  • The CICD pipeline works well with HTTP; however, it is failing with certificate errors for HTTPS operator connectivity as highlighted above.

Also, the Pega SR – C10592 has been updated with details and awaiting a response.

DevOps SR Exists
Moderation Team has archived post
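An added example, not part of the original post or of Pega's tooling: it pulls the issuer DN out of the CertPathValidatorException line quoted above and checks whether a `keytool -list -v` listing of a truststore contains a certificate with that subject. The two truststore listings, their aliases and the function names are constructed for illustration.

```python
import re

# Constructed sample: the first error line quoted in the post above.
BUILD_LOG = (
    "[java] java.security.cert.CertPathValidatorException: The certificate "
    "issued by CN=Citi Root CA G2 UAT, O=Citigroup Inc., C=US is not trusted; "
    "internal cause is: [java] java.security.cert.CertPathValidatorException: "
    "Certificate chaining error"
)

# Constructed `keytool -list -v` excerpts for two hypothetical truststores.
STORE_WITHOUT_ROOT = """\
Alias name: appserver
Entry type: trustedCertEntry
Owner: CN=hostname, O=Example Org, C=US
Issuer: CN=Example Issuing CA, O=Example Org, C=US
"""
STORE_WITH_ROOT = STORE_WITHOUT_ROOT + """\
Alias name: uat-root
Entry type: trustedCertEntry
Owner: CN=Citi Root CA G2 UAT,O=Citigroup Inc.,C=US
"""

def normalize_dn(dn):
    """Canonical DN form so spacing and case differences do not matter."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas
        key, _, value = rdn.partition("=")
        parts.append((key.strip().upper(), " ".join(value.split()).casefold()))
    return tuple(parts)

def untrusted_issuers(log_text):
    """Issuer DNs named in '... issued by <DN> is not trusted' messages."""
    return re.findall(r"certificate issued by (.+?) is not trusted", log_text)

def truststore_owners(keytool_text):
    """Map alias -> normalized Owner DN from `keytool -list -v` output."""
    owners, alias = {}, None
    for line in keytool_text.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and alias is not None:
            owners.setdefault(alias, normalize_dn(line.split(":", 1)[1]))
    return owners

def missing_issuers(log_text, keytool_text):
    """Untrusted issuers with no Owner entry; a DN match is not a key match."""
    present = set(truststore_owners(keytool_text).values())
    return [dn for dn in untrusted_issuers(log_text) if normalize_dn(dn) not in present]
```

The listing to feed in is the one for the truststore loaded by the JVM that logged the exception; a non-empty result means no certificate with the reported issuer's subject is present in that store.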