Using Corporate CA or Self Signed SSL Certificate - EMCECS/ecs-sync GitHub Wiki

When running a migration, you may see an SSL error similar to the following:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

The most common cause of this error is the use of self-signed or corporate CA-signed SSL certificates on the storage system.

If your storage systems require a secure SSL connection and they are using corporate CA-signed or self-signed certificates, you will need to make sure these certificates are trusted on the ecs-sync VM. Unfortunately, Java maintains its own trust store of root certificates (separate from the OS keystore), so the OS trusting the certificate is not enough: you must install the appropriate certificate in Java's trust store as well.

To do this, you must first obtain the self-signed certificate or intermediate/root CA certificate from the storage server. Then you must use the Java keytool command to add the certificate to the trust store. This can be done with the following procedure:

  1. Run the following command on the ecs-sync VM:
    echo Q | openssl s_client -showcerts -connect <storage-server-ip>:<port> | sed -ne '/BEGIN/,/END/{p}' > storage.cer
    • Be sure to replace <storage-server-ip>:<port> with your storage service's endpoint
  2. Edit the storage.cer file so that only the last certificate remains (the last BEGIN/END block)
    • In the case of a self-signed certificate, you can skip this step as there is only one certificate in the chain
  3. Run the following command to find the correct location of the Java CA keystore (only works on Linux):
    echo "$(readlink -f /usr/bin/java | sed "s:bin/java::;s:jre/::")jre/lib/security/cacerts"
  4. Run the following command to add the certificate to the Java CA keystore:
    sudo keytool -keystore <cacerts-location> -storepass changeit -importcert -alias <certificate-name> -file storage.cer
    • Be sure to replace <cacerts-location> with the correct location of the Java CA keystore, and <certificate-name> with a meaningful name for the certificate, e.g. acme-corp-ca or ecs-self-signed-cert
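The four steps above, wrapped into shell functions as an added example (not part of the ecs-sync project). It assumes openssl, keytool, readlink and sudo are on the PATH of the ecs-sync VM, and that the Java install follows the JDK 8 style layout the cacerts heuristic above expects; the last_cert_block function replaces the manual edit in step 2 and also handles the single-certificate (self-signed) case.

```shell
#!/bin/sh
# Added example, not ecs-sync project code. Assumes openssl, keytool, readlink
# and sudo are available, and a JDK 8 style directory layout for cacerts.

# Step 2: keep only the last BEGIN/END CERTIFICATE block of a PEM chain read
# from stdin. For a self-signed server there is one block, which is returned as-is.
last_cert_block() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
    inblock                       { block = block $0 "\n" }
    /-----END CERTIFICATE-----/   { inblock = 0; last = block }
    END                           { printf "%s", last }
  '
}

# Number of certificates in a PEM chain read from stdin (1 means self-signed
# or a bare leaf, so step 2 is a no-op).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Step 3: locate the Java CA keystore (Linux only, same heuristic as the page).
find_cacerts() {
  echo "$(readlink -f /usr/bin/java | sed "s:bin/java::;s:jre/::")jre/lib/security/cacerts"
}

# Steps 1, 2 and 4: fetch the chain from <host>:<port>, keep the last
# certificate, write it to storage.cer and import it under <alias>.
# Usage: trust_storage_cert 10.0.0.5:9021 acme-corp-ca [/path/to/cacerts]
trust_storage_cert() {
  endpoint="$1"; alias="$2"; cacerts="${3:-$(find_cacerts)}"
  chain=$(echo Q | openssl s_client -showcerts -connect "$endpoint" 2>/dev/null \
          | sed -ne '/BEGIN/,/END/{p}')
  [ -n "$chain" ] || { echo "no certificate received from $endpoint" >&2; return 1; }
  echo "chain from $endpoint has $(printf '%s\n' "$chain" | cert_count) certificate(s)"
  printf '%s\n' "$chain" | last_cert_block > storage.cer
  sudo keytool -keystore "$cacerts" -storepass changeit -importcert -noprompt \
       -alias "$alias" -file storage.cer
}
```

Verify the import afterwards with `keytool -list -keystore <cacerts-location> -storepass changeit -alias <certificate-name>` before re-running the migration.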