SSL certificate problem

Tom Turner created · Aug 29, 2016 at 01:17 PM · edited · Aug 29, 2016 at 01:21 PM

Problem: You are unable to curl/wget/fetch https URLs from the command line or from a Java process, and you see an error similar to one of the following:

  • unable to find valid certification path to requested target

  • PKIX path building failed

  • unable to get local issuer certificate

Cause: The most likely cause is that you are behind the GE corporate proxy, which re-signs the certificates, so the GE Root CA certificates must be installed on your machine to verify them. The GE core loads do have the certificates installed, but the different tools and processes don't always pick them up from the appropriate key store.

Solution:

On Mac: The certificates are installed in the OS X Keychain. You need to configure the JRE to use the keychain by default.

To change this configuration, edit the jre/lib/security/java.security file in your JAVA_HOME and change the line keystore.type=jks to keystore.type=keychainstore

Or use this command (/usr/libexec/java_home is a program that prints the JAVA_HOME path, so its output is substituted into the file path):

sudo sed -i '' -e 's/^keystore.type=jks$/keystore.type=keychainstore/' "$(/usr/libexec/java_home)/jre/lib/security/java.security"

On Windows: This error would typically occur in git-bash, because git-bash maintains a separate file containing the trusted certificates issuers. You need to add the CA certificates to the ca-bundle.crt file.

To add the certificates do the following steps:

Open Git Bash

Locate the ca-bundle.crt file.

Export the path to the ca-bundle.crt file using the command export CERT_FILE_PATH=

Run the commands below

Assuming Git is installed at "C:\Program Files\Git"

On 32-bit Windows the ca-bundle.crt file is located at: "C:\Program Files\Git\mingw32\ssl\certs\ca-bundle.crt"

On 64-bit Windows the ca-bundle.crt file is located at: "C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt"

   echo "GE External Root CA 1
  ===============================================================
  -----BEGIN CERTIFICATE-----
  MIIDbzCCAlegAwIBAgIQK72sqa1AjcthYqSjzNMFoDANBgkqhkiG9w0BAQUFADBQ
  MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYR2VuZXJhbCBFbGVjdHJpYyBDb21wYW55
  MR4wHAYDVQQDExVHRSBFeHRlcm5hbCBSb290IENBIDEwHhcNMTQxMDA4MDAwMDAw
  WhcNMzQxMDA3MjM1OTU5WjBQMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYR2VuZXJh
  bCBFbGVjdHJpYyBDb21wYW55MR4wHAYDVQQDExVHRSBFeHRlcm5hbCBSb290IENB
  IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDuA3ltk1sXnKTR4qdw
  Kdat0rddOiEDs+LFMC22PBb6XldfSVOY8Hcaxj5AMltwnkIq13NpBeXmDDQ/cEs3
  YZMIIm2rck+ZbNd6OJMpxH12ZBUhf1AuT4xMr4UVu80R8fU6VLpzfD2KBuMK4bZ5
  TcnJfHs3fXGDVz0WokGSxZ4Jte9cN2AY9tR6Hu3nMzyeT1d+weJNbnjDzC/RLS59
  d/uXDImaf8b9jLr9FKawHbCdhFtGAbbCgi8KwHnJWzCvBaGBXWdsDspkGJlhRzPz
  8NbBbH0F64Y83CByiPUcovgaq0D2knhfvGXsjp5WkhLWiW9kmsa5NlzXVpLtKF0Z
  TCy9AgMBAAGjRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQIwDgYDVR0PAQH/BAQDAgEG
  MB0GA1UdDgQWBBQJ9Vs45/oIa9yIyW683IQsN15GeDANBgkqhkiG9w0BAQUFAAOC
  AQEArigtk/qBPujUaT2s8PHKL6hc6xTns7onTM9irDSGM/rvnXf2IsYBhVjeHfvZ
  rmkm/6oT6Em8N+xisWtlJxY8sy52bJp4Tb16158ugVzTirOvB22p5YlEdSGURFcd
  BCHYmzN3Bcrt+uqhCfZyNj5v8Y/jkuwsHHHmp8nBrVfVBrVm+huzAX3hWYa5+yAi
  40CJbUe8lDaQpZePXaw8+N+OFugq6SVhrCuTQPfp1H0zyONz9hIJOnzdT8F6bj33
  Mzkjc5CIQe8/AfvbNxC3oFjfMo6X0Z9bAt3RkC76fbSGAnpOuO4UzBE/eoh3T9eK
  TNlPZkO3hVkvQ9GuELZCCtDayA==
  -----END CERTIFICATE-----
  " >> "$CERT_FILE_PATH"
 

 echo "GE External Root CA 2.1
  ===============================================================
  -----BEGIN CERTIFICATE-----
  MIIDozCCAougAwIBAgIQeO8XlqAMLhxvtCap35yktzANBgkqhkiG9w0BAQsFADBS
  MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYR2VuZXJhbCBFbGVjdHJpYyBDb21wYW55
  MSAwHgYDVQQDExdHRSBFeHRlcm5hbCBSb290IENBIDIuMTAeFw0xNTAzMDUwMDAw
  MDBaFw0zNTAzMDQyMzU5NTlaMFIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhHZW5l
  cmFsIEVsZWN0cmljIENvbXBhbnkxIDAeBgNVBAMTF0dFIEV4dGVybmFsIFJvb3Qg
  Q0EgMi4xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzCzT4wNRZtr2
  XTzoTMjppjulZfG35/nOt44q2zg47sxwgZ8o4qjcrwzIhsntoFrRQssjXSF5qXdC
  zsm1G7f04qEBimuOH/X+CidWX+sudCS8VyRjXi9cyvUW4/mYKCLXv5M6HhEoIHCD
  Xdo6yUr5mSrf18qRR3yUFz0HYXopa2Ls3Q6lBvEUO2Xw04vqVvmg1h7S5jYuZovC
  oIbd2+4QGdoSZPgtSNpCxSR+NwtPpzYZpmqiUuDGfVpO3HU42APB0c60D91cJho6
  tZpXYHDsR/RxYGm02K/iMGefD5F4YMrtoKoHbskty6+u5FUOrUgGATJJGtxleg5X
  KotQYu8P1wIDAQABo3UwczASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQE
  AwIBBjAuBgNVHREEJzAlpCMwITEfMB0GA1UEAxMWR0UtUm9vdC1DT00tUlNBLTIw
  NDgtMTAdBgNVHQ4EFgQU3N2mUCJBCLYgtpZyxBeBMJwNZuowDQYJKoZIhvcNAQEL
  BQADggEBACF4Zsf2Nm0FpVNeADUH+sl8mFgwL7dfL7+6n7hOgH1ZXcv6pDkoNtVE
  0J/ZPdHJW6ntedKEZuizG5BCclUH3IyYK4/4GxNpFXugmWnKGy2feYwVae7Puyd7
  /iKOFEGCYx4C6E2kq3aFjJqiq1vbgSS/B0agt1D3rH3i/+dXVxx8ZjhyZMuN+cgS
  pZL4gnhnSXFAGissxJhKsNkYgvKdOETRNn5lEgfgVyP2iOVqEguHk2Gu0gHSouLu
  5ad/qyN+Zgbjx8vEWlywmhXb78Gaf/AwSGAwQPtmQ0310a4DulGxo/kcuS78vFH1
  mwJmHm9AIFoqBi8XpuhGmQ0nvymurEk=
  -----END CERTIFICATE-----
  " >> "$CERT_FILE_PATH"

On Devbox: Run the following commands

 sudo su
  
  echo "GE External Root CA 1
  ===============================================================
  -----BEGIN CERTIFICATE-----
  MIIDbzCCAlegAwIBAgIQK72sqa1AjcthYqSjzNMFoDANBgkqhkiG9w0BAQUFADBQ
  MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYR2VuZXJhbCBFbGVjdHJpYyBDb21wYW55
  MR4wHAYDVQQDExVHRSBFeHRlcm5hbCBSb290IENBIDEwHhcNMTQxMDA4MDAwMDAw
  WhcNMzQxMDA3MjM1OTU5WjBQMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYR2VuZXJh
  bCBFbGVjdHJpYyBDb21wYW55MR4wHAYDVQQDExVHRSBFeHRlcm5hbCBSb290IENB
  IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDuA3ltk1sXnKTR4qdw
  Kdat0rddOiEDs+LFMC22PBb6XldfSVOY8Hcaxj5AMltwnkIq13NpBeXmDDQ/cEs3
  YZMIIm2rck+ZbNd6OJMpxH12ZBUhf1AuT4xMr4UVu80R8fU6VLpzfD2KBuMK4bZ5
  TcnJfHs3fXGDVz0WokGSxZ4Jte9cN2AY9tR6Hu3nMzyeT1d+weJNbnjDzC/RLS59
  d/uXDImaf8b9jLr9FKawHbCdhFtGAbbCgi8KwHnJWzCvBaGBXWdsDspkGJlhRzPz
  8NbBbH0F64Y83CByiPUcovgaq0D2knhfvGXsjp5WkhLWiW9kmsa5NlzXVpLtKF0Z
  TCy9AgMBAAGjRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQIwDgYDVR0PAQH/BAQDAgEG
  MB0GA1UdDgQWBBQJ9Vs45/oIa9yIyW683IQsN15GeDANBgkqhkiG9w0BAQUFAAOC
  AQEArigtk/qBPujUaT2s8PHKL6hc6xTns7onTM9irDSGM/rvnXf2IsYBhVjeHfvZ
  rmkm/6oT6Em8N+xisWtlJxY8sy52bJp4Tb16158ugVzTirOvB22p5YlEdSGURFcd
  BCHYmzN3Bcrt+uqhCfZyNj5v8Y/jkuwsHHHmp8nBrVfVBrVm+huzAX3hWYa5+yAi
  40CJbUe8lDaQpZePXaw8+N+OFugq6SVhrCuTQPfp1H0zyONz9hIJOnzdT8F6bj33
  Mzkjc5CIQe8/AfvbNxC3oFjfMo6X0Z9bAt3RkC76fbSGAnpOuO4UzBE/eoh3T9eK
  TNlPZkO3hVkvQ9GuELZCCtDayA==
  -----END CERTIFICATE-----
  " >> /etc/pki/ca-trust/source/anchors/GE-External-Root-CA-1.pem
  
  echo "GE External Root CA 2.1
  ===============================================================
  -----BEGIN CERTIFICATE-----
  MIIDozCCAougAwIBAgIQeO8XlqAMLhxvtCap35yktzANBgkqhkiG9w0BAQsFADBS
  MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYR2VuZXJhbCBFbGVjdHJpYyBDb21wYW55
  MSAwHgYDVQQDExdHRSBFeHRlcm5hbCBSb290IENBIDIuMTAeFw0xNTAzMDUwMDAw
  MDBaFw0zNTAzMDQyMzU5NTlaMFIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhHZW5l
  cmFsIEVsZWN0cmljIENvbXBhbnkxIDAeBgNVBAMTF0dFIEV4dGVybmFsIFJvb3Qg
  Q0EgMi4xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzCzT4wNRZtr2
  XTzoTMjppjulZfG35/nOt44q2zg47sxwgZ8o4qjcrwzIhsntoFrRQssjXSF5qXdC
  zsm1G7f04qEBimuOH/X+CidWX+sudCS8VyRjXi9cyvUW4/mYKCLXv5M6HhEoIHCD
  Xdo6yUr5mSrf18qRR3yUFz0HYXopa2Ls3Q6lBvEUO2Xw04vqVvmg1h7S5jYuZovC
  oIbd2+4QGdoSZPgtSNpCxSR+NwtPpzYZpmqiUuDGfVpO3HU42APB0c60D91cJho6
  tZpXYHDsR/RxYGm02K/iMGefD5F4YMrtoKoHbskty6+u5FUOrUgGATJJGtxleg5X
  KotQYu8P1wIDAQABo3UwczASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQE
  AwIBBjAuBgNVHREEJzAlpCMwITEfMB0GA1UEAxMWR0UtUm9vdC1DT00tUlNBLTIw
  NDgtMTAdBgNVHQ4EFgQU3N2mUCJBCLYgtpZyxBeBMJwNZuowDQYJKoZIhvcNAQEL
  BQADggEBACF4Zsf2Nm0FpVNeADUH+sl8mFgwL7dfL7+6n7hOgH1ZXcv6pDkoNtVE
  0J/ZPdHJW6ntedKEZuizG5BCclUH3IyYK4/4GxNpFXugmWnKGy2feYwVae7Puyd7
  /iKOFEGCYx4C6E2kq3aFjJqiq1vbgSS/B0agt1D3rH3i/+dXVxx8ZjhyZMuN+cgS
  pZL4gnhnSXFAGissxJhKsNkYgvKdOETRNn5lEgfgVyP2iOVqEguHk2Gu0gHSouLu
  5ad/qyN+Zgbjx8vEWlywmhXb78Gaf/AwSGAwQPtmQ0310a4DulGxo/kcuS78vFH1
  mwJmHm9AIFoqBi8XpuhGmQ0nvymurEk=
  -----END CERTIFICATE-----
  " >> /etc/pki/ca-trust/source/anchors/GE-External-Root-CA-2.1.pem
  
  update-ca-trust enable
  update-ca-trust extract
  exit
 This adds the certificates to the ca-trust store
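
The steps above append a root CA to a trust store by hand. Because a trusted root can vouch for any site, it is worth confirming its SHA-256 fingerprint against a value obtained out of band before trusting it, and making sure a second run does not append it twice. The following is an added example, not part of the original article: the function names are hypothetical, GNU base64 and sha256sum are assumed, and the sample "certificate" is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names). Assumes GNU base64 and sha256sum.

# Base64 body of the first certificate in a PEM file, with the indentation,
# CRs and newlines removed (the echo blocks above write indented lines).
pem_body() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
    sed '/-----END CERTIFICATE-----/q' | grep -v -- '-----' | tr -d ' \t\r\n'
}

# SHA-256 fingerprint (lowercase hex) of the certificate's DER encoding.
pem_sha256() {
  pem_body "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# add_ca_once PEM BUNDLE PINNED_SHA256
# Appends PEM to BUNDLE only if its fingerprint equals the pin and it is not
# already there. Returns 1 on mismatch, 0 otherwise.
add_ca_once() {
  local pem="$1" bundle="$2" want got body
  want=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
  body=$(pem_body "$pem")
  got=$(pem_sha256 "$pem")
  if [ -z "$body" ] || [ "$got" != "$want" ]; then
    echo "refusing $pem: fingerprint '$got' does not match the pin" >&2
    return 1
  fi
  if tr -d ' \t\r\n' < "$bundle" | grep -qF -- "$body"; then
    echo "already in $bundle: $pem" >&2
    return 0
  fi
  cp -p "$bundle" "$bundle.bak"                    # rollback copy
  { echo; sed 's/^[[:space:]]*//' "$pem"; } >> "$bundle"
}

# Constructed placeholder, NOT a real certificate: the body "YWJj" is base64
# of "abc", so its SHA-256 is the well-known test vector below.
SAMPLE_PIN=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
write_sample_pem() {
  printf '  -----BEGIN CERTIFICATE-----\n  YWJj\n  -----END CERTIFICATE-----\n' > "$1"
}
```

On the devbox the same fingerprint check fits before the file is placed in /etc/pki/ca-trust/source/anchors/ and update-ca-trust is run.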











212525538@mail.ad.ge.com · Mar 03, 2017 at 04:00 AM

@Tom

Thanks for the lengthy post. I am having this problem with the winddata-timeseries-service. Indeed if you are connecting to the select endpoint:

 https:/xxx.run.aws-usw02-pr.ice.predix.io

The above certificates work. But if you are connecting to the basic endpoint:

 https://xxx.run.asv-pr.ice.predix.io


It will not work.

The error is below:

 SunCertPathBuilderException: unable to find valid certification path to requested target


Can you please also share the root CA for connecting to the basic endpoint (US-East) ?

Tom Turner ♦♦ 212525538@mail.ad.ge.com · Mar 03, 2017 at 09:11 AM

You have Basic and Select backwards, I think.

aws-usw02 is US West (formerly Basic)

asv-pr is Ashburn Virginia US East (formerly Select).

Not sure if you are seeing this error in the log of winddata or somewhere else.

If so, it could be the certificate stored in the specific host/VM that the winddata is running on. You might need a support ticket.

But I would consider deleting the winddata and redeploying it. Even trying a slightly different name in the hope you get a different server/vm

dettmar.holger@gmail.com · Mar 22, 2017 at 05:46 AM

It seems I am having similar problems running any command/tool in devbox through a company network behind a firewall/proxy accessing any https resources.

eg. running git clone ... gives: fatal: unable to access 'https://github.com/spring-guides/gs-spring-boot.git/': Peer's certificate issuer has been marked as not trusted by the user.

Can you please elaborate how I can proceed here? Thanks!

Shuhei Kudomi · Apr 06, 2017 at 10:22 PM

@Tom Turner We've been having this issue with Predix machine deployed at our customer site. It's running on Centos7 and connecting to https://brilliant-awatch-httpdata.run.aws-jp01-pr.ice.predix.io. It had been working fine before but started having this issue since the server certificate of *.run.aws-jp01-pr.ice.predix.io was updated last month.

I manually imported updated server certificate into OS store as well as JVM keystore by following the instructions below but we’re still getting the same error. https://docs.oracle.com/javase/tutorial/security/toolfilex/rstep1.html

Any suggestion would be very much appreciated.

Hiro Tanaka Shuhei Kudomi · May 08, 2017 at 12:34 AM

Did you solve the problem already, @Shuhei Kudomi ? I added certificate to PREDIX_MACHINE_ROOT/security/machine_client_truststore.jks to test http client with self-signed local server, and it worked.

Shuhei Kudomi Hiro Tanaka · May 10, 2017 at 12:37 PM

@Hiro Tanaka , thank you for the information!

I could add an updated certificate into PREDIX_MACHINE_ROOT/security/machine_client_truststore.jks with reference to the keystore password defined in com.ge.dspmicro.securityadmin.cfg.

Now my PredixMachine is working without certificate error!

Mudita.Kabra@ge.com · Jun 21, 2019 at 05:45 AM

Hello @Tom Turner , Thanks for the article. I was in GE network when I first built the Predix image 16.2.4. Since that has expired, I am trying to build a new predix Image 17.2.5. I am not getting internet connectivity in the virtual box for some reason. So I connected to a non-GE network and I get the connectivity. After this I started making the new image 17.2.5. I commented the proxy settings in the maven .m2/settings.xml file and also made none proxy in the dev box Network setting. GE My Apps Anywhere is also disabled. I am getting the same SSL error as mentioned above when I tried adding sample httpclient bundle. I run your commands but nothing changes.
