Problem: Unable to curl/wget/fetch HTTPS URLs from the command line or from a Java process, with an error similar to one of the following:
unable to find valid certification path to requested target
PKIX path building failed
unable to get local issuer certificate
Cause: The most likely cause is that you are behind the GE corporate proxy, which re-signs the certificates and therefore requires the GE Root CA certificates to be installed on your machine to verify them. The GE core loads do have the certificates installed, but the different tools and processes don't always pick them up from the appropriate key store.
Solution:
On Mac: The certificates are installed in the OS X Keychain. You need to configure the JRE to use the keychain by default.
To change this configuration, edit the jre/lib/security/java.security file under your JAVA_HOME and change the line keystore.type=jks to keystore.type=keychainstore
Or use this command (the path comes from /usr/libexec/java_home, which prints the current JAVA_HOME):
sudo sed -i '' -e 's/^keystore.type=jks$/keystore.type=keychainstore/' "$(/usr/libexec/java_home)/jre/lib/security/java.security"
On Windows: This error would typically occur in git-bash, because git-bash maintains a separate file containing the trusted certificate issuers. You need to add the CA certificates to the ca-bundle.crt file.
To add the certificates do the following steps:
Open Git Bash
Locate the ca-bundle.crt file.
Export the path to the ca-bundle.crt file using the command export CERT_FILE_PATH=
Run the commands below
Assuming Git is installed at "C:\Program Files\Git"
On 32-bit Windows the ca-bundle.crt file is located at: "C:\Program Files\Git\mingw32\ssl\certs\ca-bundle.crt"
On 64-bit Windows the ca-bundle.crt file is located at: "C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt"
echo "GE External Root CA 1
===============================================================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" >> "$CERT_FILE_PATH"
echo "GE External Root CA 2.1
===============================================================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" >> "$CERT_FILE_PATH"
(The redirect target is quoted because the default Git path contains a space.)
On Devbox: Run the following commands
sudo su
echo "GE External Root CA 1
===============================================================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" >> /etc/pki/ca-trust/source/anchors/GE-External-Root-CA-1.pem
echo "GE External Root CA 2.1
===============================================================
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIQeO8XlqAMLhxvtCap35yktzANBgkqhkiG9w0BAQsFADBS
MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYR2VuZXJhbCBFbGVjdHJpYyBDb21wYW55
MSAwHgYDVQQDExdHRSBFeHRlcm5hbCBSb290IENBIDIuMTAeFw0xNTAzMDUwMDAw
MDBaFw0zNTAzMDQyMzU5NTlaMFIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhHZW5l
cmFsIEVsZWN0cmljIENvbXBhbnkxIDAeBgNVBAMTF0dFIEV4dGVybmFsIFJvb3Qg
Q0EgMi4xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzCzT4wNRZtr2
XTzoTMjppjulZfG35/nOt44q2zg47sxwgZ8o4qjcrwzIhsntoFrRQssjXSF5qXdC
zsm1G7f04qEBimuOH/X+CidWX+sudCS8VyRjXi9cyvUW4/mYKCLXv5M6HhEoIHCD
Xdo6yUr5mSrf18qRR3yUFz0HYXopa2Ls3Q6lBvEUO2Xw04vqVvmg1h7S5jYuZovC
oIbd2+4QGdoSZPgtSNpCxSR+NwtPpzYZpmqiUuDGfVpO3HU42APB0c60D91cJho6
tZpXYHDsR/RxYGm02K/iMGefD5F4YMrtoKoHbskty6+u5FUOrUgGATJJGtxleg5X
KotQYu8P1wIDAQABo3UwczASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQE
AwIBBjAuBgNVHREEJzAlpCMwITEfMB0GA1UEAxMWR0UtUm9vdC1DT00tUlNBLTIw
NDgtMTAdBgNVHQ4EFgQU3N2mUCJBCLYgtpZyxBeBMJwNZuowDQYJKoZIhvcNAQEL
BQADggEBACF4Zsf2Nm0FpVNeADUH+sl8mFgwL7dfL7+6n7hOgH1ZXcv6pDkoNtVE
0J/ZPdHJW6ntedKEZuizG5BCclUH3IyYK4/4GxNpFXugmWnKGy2feYwVae7Puyd7
/iKOFEGCYx4C6E2kq3aFjJqiq1vbgSS/B0agt1D3rH3i/+dXVxx8ZjhyZMuN+cgS
pZL4gnhnSXFAGissxJhKsNkYgvKdOETRNn5lEgfgVyP2iOVqEguHk2Gu0gHSouLu
5ad/qyN+Zgbjx8vEWlywmhXb78Gaf/AwSGAwQPtmQ0310a4DulGxo/kcuS78vFH1
mwJmHm9AIFoqBi8XpuhGmQ0nvymurEk=
-----END CERTIFICATE-----
" >> /etc/pki/ca-trust/source/anchors/GE-External-Root-CA-2.1.pem
update-ca-trust enable
update-ca-trust extract
exit
This adds the certificates to the system ca-trust store.
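As an added check, not part of the original post: a small Python 3 (stdlib ssl only) audit that walks a ca-bundle.crt-style file block by block and reports, for each PEM block, whether OpenSSL can load it as a trust anchor, its subject CN and its expiry. It catches the two ways the steps above commonly go wrong: a mangled paste (truncated base64, a stray quote swallowed into the block) and a server certificate appended where a root CA was expected. The sample bundle is constructed here around the GE External Root CA 2.1 PEM from the post.

```python
import re, ssl, time

# Constructed ca-bundle.crt fragment: the PEM block is the "GE External Root CA 2.1" cert from the post above.
SAMPLE_BUNDLE = """GE External Root CA 2.1
===============================================================
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIQeO8XlqAMLhxvtCap35yktzANBgkqhkiG9w0BAQsFADBS
MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYR2VuZXJhbCBFbGVjdHJpYyBDb21wYW55
MSAwHgYDVQQDExdHRSBFeHRlcm5hbCBSb290IENBIDIuMTAeFw0xNTAzMDUwMDAw
MDBaFw0zNTAzMDQyMzU5NTlaMFIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhHZW5l
cmFsIEVsZWN0cmljIENvbXBhbnkxIDAeBgNVBAMTF0dFIEV4dGVybmFsIFJvb3Qg
Q0EgMi4xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzCzT4wNRZtr2
XTzoTMjppjulZfG35/nOt44q2zg47sxwgZ8o4qjcrwzIhsntoFrRQssjXSF5qXdC
zsm1G7f04qEBimuOH/X+CidWX+sudCS8VyRjXi9cyvUW4/mYKCLXv5M6HhEoIHCD
Xdo6yUr5mSrf18qRR3yUFz0HYXopa2Ls3Q6lBvEUO2Xw04vqVvmg1h7S5jYuZovC
oIbd2+4QGdoSZPgtSNpCxSR+NwtPpzYZpmqiUuDGfVpO3HU42APB0c60D91cJho6
tZpXYHDsR/RxYGm02K/iMGefD5F4YMrtoKoHbskty6+u5FUOrUgGATJJGtxleg5X
KotQYu8P1wIDAQABo3UwczASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQE
AwIBBjAuBgNVHREEJzAlpCMwITEfMB0GA1UEAxMWR0UtUm9vdC1DT00tUlNBLTIw
NDgtMTAdBgNVHQ4EFgQU3N2mUCJBCLYgtpZyxBeBMJwNZuowDQYJKoZIhvcNAQEL
BQADggEBACF4Zsf2Nm0FpVNeADUH+sl8mFgwL7dfL7+6n7hOgH1ZXcv6pDkoNtVE
0J/ZPdHJW6ntedKEZuizG5BCclUH3IyYK4/4GxNpFXugmWnKGy2feYwVae7Puyd7
/iKOFEGCYx4C6E2kq3aFjJqiq1vbgSS/B0agt1D3rH3i/+dXVxx8ZjhyZMuN+cgS
pZL4gnhnSXFAGissxJhKsNkYgvKdOETRNn5lEgfgVyP2iOVqEguHk2Gu0gHSouLu
5ad/qyN+Zgbjx8vEWlywmhXb78Gaf/AwSGAwQPtmQ0310a4DulGxo/kcuS78vFH1
mwJmHm9AIFoqBi8XpuhGmQ0nvymurEk=
-----END CERTIFICATE-----
"""
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def audit_bundle(text):
    """One record per PEM block: subject CN and expiry of a usable CA, or why it is
    unusable. Each block is loaded alone, so a mangled paste (stray quote, truncated
    base64) is reported by itself, and a leaf cert pasted as a 'root' is flagged."""
    records = []
    for match in PEM_BLOCK.finditer(text):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no trust anchors
        try:
            ctx.load_verify_locations(cadata=match.group(0))
        except (ssl.SSLError, ValueError) as exc:
            records.append({"ok": False, "error": str(exc)})
            continue
        cas = ctx.get_ca_certs()  # lists only certs with basicConstraints CA:TRUE
        if not cas:
            records.append({"ok": False, "error": "loaded, but not a CA certificate"})
            continue
        cn = next((v for rdn in cas[0]["subject"] for k, v in rdn if k == "commonName"), "")
        records.append({"ok": True, "common_name": cn, "not_after": cas[0]["notAfter"],
                        "expired": ssl.cert_time_to_seconds(cas[0]["notAfter"]) < time.time()})
    return records
```

Run it against the real ca-bundle.crt (or a .pem under /etc/pki/ca-trust/source/anchors) with audit_bundle(open(path).read()) and look for any record with "ok": False, or for the GE root missing from the common names.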
Thanks for the lengthy post. I am having this problem with the winddata-timeseries-service. Indeed if you are connecting to the select endpoint:
https://xxx.run.aws-usw02-pr.ice.predix.io
The above certificates work. But if you are connecting to the basic endpoint:
https://xxx.run.asv-pr.ice.predix.io
It will not work.
The error is below:
SunCertPathBuilderException: unable to find valid certification path to requested target
Can you please also share the root CA for connecting to the basic endpoint (US-East) ?
You have Basic and Select backwards, I think.
aws-usw02 is US West (formerly Basic)
asv-pr is Ashburn Virginia US East (formerly Select).
Not sure if you are seeing this error in the log of winddata or somewhere else.
If so, it could be the certificate stored in the specific host/VM that the winddata is running on. You might need a support ticket.
But I would consider deleting the winddata and redeploying it, even trying a slightly different name in the hope you get a different server/VM.
It seems I am having similar problems running any command/tool in devbox through a company network behind a firewall/proxy, accessing any https resources.
eg. running git clone ... gives: fatal: unable to access 'https://github.com/spring-guides/gs-spring-boot.git/': Peer's certificate issuer has been marked as not trusted by the user.
Can you please elaborate how I can proceed here? Thanks!
@Tom Turner We've been having this issue with Predix machine deployed at our customer site. It's running on Centos7 and connecting to https://brilliant-awatch-httpdata.run.aws-jp01-pr.ice.predix.io. It had been working fine before but started having this issue since the server certificate of *.run.aws-jp01-pr.ice.predix.io was updated last month.
I manually imported updated server certificate into OS store as well as JVM keystore by following the instructions below but we’re still getting the same error. https://docs.oracle.com/javase/tutorial/security/toolfilex/rstep1.html
Any suggestion would be very much appreciated.
Did you solve the problem already, @Shuhei Kudomi ?
I added certificate to PREDIX_MACHINE_ROOT/security/machine_client_truststore.jks
to test http client with self-signed local server, and it worked.
@Hiro Tanaka , thank you for the information!
I could add an updated certificate into PREDIX_MACHINE_ROOT/security/machine_client_truststore.jks with reference to the keystore password defined in com.ge.dspmicro.securityadmin.cfg.
Now my PredixMachine is working without certificate error!
Hello @Tom Turner, Thanks for the article. I was in the GE network when I first built the Predix image 16.2.4. Since that has expired, I am trying to build a new Predix image 17.2.5. I am not getting internet connectivity in the virtual box for some reason, so I connected to a non-GE network and I get the connectivity. After this I started making the new image 17.2.5. I commented out the proxy settings in the maven .m2/settings.xml file and also set no proxy in the dev box network settings. GE My Apps Anywhere is also disabled. I am getting the same SSL error as mentioned above when I tried adding the sample httpclient bundle. I ran your commands but nothing changes.