SSL connection to server fails

Hi everyone,

I have set up the latest server version 4.6.1. The installation was successful and if accessing the server with the browser (webportal over http or https) everything works fine. I have a signed certificate from Let's Encrypt. 

If I try to connect from KNIME Analytics Platform I get the following error:

Connecting to server "https://<server>:<port>/tomee/ejb" failed.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

KNIME log says:

2018-02-27 16:07:06,827 : WARN  : ModalContext : KnimeRemoteFileSystem :  :  : Connecting to server "https://<server>:<port>/tomee/ejb" failed.
2018-02-27 16:07:06,829 : DEBUG : ModalContext : KnimeRemoteFileSystem :  :  : Connecting to server "https://<server>:<port>/tomee/ejb" failed.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
    at com.knime.enterprise.client.openejb.ServerContext.checkConnection(ServerContext.java:757)
    at com.knime.enterprise.client.openejb.ServerContext.login(ServerContext.java:437)
    at com.knime.enterprise.client.filesystem.KnimeRemoteFileSystem$3.run(KnimeRemoteFileSystem.java:384)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
    at com.knime.enterprise.client.openejb.DelegatingX509TrustManager.checkServerTrusted(DelegatingX509TrustManager.java:80)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 22 more


I added the certificate to the java keystore of KNIME which should not be necessary since Let's Encrypt should already be trusted. However, it did not help. Without SSL KNIME is able to log in and connect to the server.

KNIME Analytics Platform: v3.5.2

KNIME Server: v4.6.1

Apache TomEE: v7.0.4

Any suggestions are welcome!

Daniel

This is exactly the message you get when the CA certificate is unknown. Can you double-check that you are using the latest KNIME Analytics Platform version and that the server's certificate is indeed signed by Let's Encrypt?

The certificate is stored in the keystore of my apache tomee and it is the correct one. I can connect over https to my webserver and the certificate is shown as valid.

Do I have to store the certificate anywhere else? (e.g. KNIME Server executor?) My certificate has 4096 bits, is this a problem? Does Java have a limitation?

I just tried using a Let's Encrypt certificate myself for a KNIME Server and it is accepted by KNIME Analytics Platform 3.5 without any further actions. Earlier versions don't know about Let's Encrypt (due to an older Java version) and therefore you have to add the CA certificate to the client's JRE as described in the Server Admin Manual (Encrypted communication -> Client configuration). In short you have to download

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

and then execute

keytool -import -trustcacerts -alias letsencrypt -file lets-encrypt-x3-cross-signed.pem.txt -keystore jre/lib/security/cacerts

The password for the keystore is changeit.

After a restart you can connect to the server with the Let's Encrypt certificate.
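
The import described in the reply above changes what the client JRE trusts, so it is worth checking the downloaded file's fingerprint first and confirming afterwards what actually landed in the store. The following is an added example, not part of the original posts: the function names, the alias `demo-ca`, the scratch paths and the self-signed stand-in certificate are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Alias, paths and the demo certificate
# are constructed; "changeit" is the keystore password quoted in the post.

# Print the SHA-256 fingerprint of the certificate in PEM/DER file $1.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Print the SHA-256 fingerprint stored under alias $3 in keystore $1 (password $2).
store_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" |
        sed -n 's/^[[:space:]]*SHA256: *//p'
}

# import_ca FILE KEYSTORE PASSWORD ALIAS EXPECTED_SHA256
# Imports FILE only if its fingerprint equals EXPECTED_SHA256 (taken from a
# source other than the download), keeps a backup, then re-reads the store.
import_ca() {
    actual=$(cert_fingerprint "$1")
    if [ -z "$actual" ] || [ "$actual" != "$5" ]; then
        echo "fingerprint mismatch: got '$actual'" >&2
        return 1
    fi
    if [ -f "$2" ]; then cp -p "$2" "$2.bak"; fi
    keytool -importcert -trustcacerts -noprompt -alias "$4" -file "$1" \
        -keystore "$2" -storepass "$3" >/dev/null || return 1
    [ "$(store_fingerprint "$2" "$3" "$4")" = "$5" ]
}

# Create a throwaway self-signed certificate at $1 to stand in for the CA file.
make_demo_cert() {
    tmp=$(mktemp -d) || return 1
    keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -validity 1 \
        -dname "CN=Constructed Demo CA" -keystore "$tmp/src.jks" \
        -storepass changeit -keypass changeit >/dev/null 2>&1 &&
    keytool -exportcert -rfc -alias demo -keystore "$tmp/src.jks" \
        -storepass changeit -file "$1" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

For the real import, call `import_ca` with the downloaded `lets-encrypt-x3-cross-signed.pem.txt`, the path to `jre/lib/security/cacerts`, and a fingerprint obtained separately from the download.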