PKIX path validation failed: java.security.cert.CertPathValidatorException when trying to log into RHV-M UI/Webadmin after recreating all 1024 bit certificates
Environment
- Red Hat Virtualization (RHV-M) 4.5.3
Issue
- Recreated the certificates by following the KCS article "How to recreate all certificates in the RHV PKI if the private key is too weak".
- Unable to log into the RHV-M UI/Webadmin; the following message is displayed:
PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Resolution
- Correct the /etc/pki/ovirt-engine/.truststore
SSH to RHV-M manager:
- Take a backup of engine database.
$ engine-backup --mode=backup --scope=all --file="/var/lib/ovirt-engine/backups/engine-backup-$(date +%Y%m%d%H%M%S).tar.bz2" --log=/var/log/ovirt-engine-backups.log
- Backup the current /etc/pki directory
$ tar cJpf /root/pki-"`date +"%d-%b-%Y"`".tar.xz /etc/pki
- Capture the current truststore contents (the keystore password is mypass):
$ keytool -list -storetype jks -keystore /etc/pki/ovirt-engine/.truststore
$ keytool -v -list -storetype jks -keystore /etc/pki/ovirt-engine/.truststore
- Delete the cacert alias from the truststore file (keystore password mypass):
$ keytool -delete -alias cacert -keystore /etc/pki/ovirt-engine/.truststore
- Now import the recreated CA certificate into the truststore using the command below (keystore password mypass):
$ keytool -importcert -file /etc/pki/ovirt-engine/ca.pem -keystore /etc/pki/ovirt-engine/.truststore -alias cacert
- Enter yes for "Trust this certificate?"
- Verify the fingerprint.
$ keytool -list -storetype jks -keystore /etc/pki/ovirt-engine/.truststore
- The SHA-256 fingerprint of /etc/pki/ovirt-engine/ca.pem should match the one shown by the keytool command above.
$ openssl x509 -in /etc/pki/ovirt-engine/ca.pem -fingerprint -noout -sha256
- Restart ovirt-engine service.
$ systemctl restart ovirt-engine
- Log into RHV-M UI/Webadmin
Root Cause
- The cacert entry in /etc/pki/ovirt-engine/.truststore has a fingerprint that does not match the recreated /etc/pki/ovirt-engine/ca.pem, so the engine's trust anchor is the old CA.
Diagnostic Steps
- The /etc/pki/ovirt-engine/.truststore shows an incorrect fingerprint for the cacert entry.
$ keytool -list -storetype jks -keystore /etc/pki/ovirt-engine/.truststore
Enter keystore password: mypass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
cacert, Mar 15, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): C3:AB:8F:F1:37:20:E8:AD:90:47:DD:39:46:6B:3C:89:74:E5:92:C2:FA:38:3D:4A:39:60:71:4C:AE:F0:C4:F2
qemu-cacert, Mar 9, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): C0:85:2D:BC:8D:53:27:C8:B3:FE:08:DE:F8:02:CF:0D:A8:CB:8A:63:A3:05:73:1D:A6:CD:91:BD:74:A5:8B:F0
Warning:
<cacert> uses a 1024-bit RSA key which is considered a security risk and is disabled.
- Checking the current /etc/pki/ovirt-engine/ca.pem file, its SHA-256 fingerprint does not match the one in .truststore.
$ openssl x509 -in /etc/pki/ovirt-engine/ca.pem -fingerprint -noout -sha256
sha256 Fingerprint=59:B7:0A:F6:6B:7B:61:0A:17:D1:2E:E5:49:F4:72:4F:97:2E:E5:FA:03:A4:80:FC:70:E1:99:80:76:C8:1E:6A
- The fingerprint in .truststore matches the previous CA certificate, /etc/pki/ovirt-engine/ca.pem.20240328135644.
$ openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20240328135644 -fingerprint -noout -sha256
sha256 Fingerprint=C3:AB:8F:F1:37:20:E8:AD:90:47:DD:39:46:6B:3C:89:74:E5:92:C2:FA:38:3D:4A:39:60:71:4C:AE:F0:C4:F2
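The comparison carried out by hand in the Resolution and Diagnostic Steps above, as an added example script (not part of the Red Hat article): it extracts the cacert fingerprint from `keytool -list` output and the ca.pem fingerprint from `openssl x509` output and reports whether they agree. The parsers read from stdin so they run on the constructed sample below; only check_truststore_live() touches the real host, and the STOREPASS environment variable holding the keystore password is an assumption.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: verify that the cacert entry in
# /etc/pki/ovirt-engine/.truststore has the same SHA-256 fingerprint as the
# current /etc/pki/ovirt-engine/ca.pem (a mismatch is the root cause described
# in the article). STOREPASS (keystore password) is an assumed env var.

TRUSTSTORE=/etc/pki/ovirt-engine/.truststore
CA_PEM=/etc/pki/ovirt-engine/ca.pem

# Print the SHA-256 fingerprint of alias $1 from `keytool -list` output on stdin.
keytool_alias_fp() {
    awk -v alias="$1," '
        $1 == alias { want = 1; next }
        want && /SHA-256/ { print $NF; exit }
    ' | tr 'a-f' 'A-F'
}

# Print the fingerprint from `openssl x509 -fingerprint -sha256` output on stdin.
openssl_fp() {
    sed -n 's/^.*Fingerprint=//p' | head -n 1 | tr 'a-f' 'A-F'
}

# Return 0 when both fingerprints are non-empty and identical, 1 otherwise.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live check on the RHV-M host; keytool reads the password from $STOREPASS.
check_truststore_live() {
    ts_fp=$(keytool -list -storetype jks -keystore "$TRUSTSTORE" -storepass:env STOREPASS | keytool_alias_fp cacert)
    ca_fp=$(openssl x509 -in "$CA_PEM" -fingerprint -noout -sha256 | openssl_fp)
    if fingerprints_match "$ts_fp" "$ca_fp"; then
        echo "OK: cacert in .truststore matches ca.pem ($ca_fp)"
    else
        echo "MISMATCH: .truststore cacert=$ts_fp ca.pem=$ca_fp; re-import ca.pem as cacert"
        return 1
    fi
}

# Constructed sample output mirroring the listing in the Diagnostic Steps.
SAMPLE_KEYTOOL='cacert, Mar 15, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): C3:AB:8F:F1:37:20:E8:AD:90:47:DD:39:46:6B:3C:89:74:E5:92:C2:FA:38:3D:4A:39:60:71:4C:AE:F0:C4:F2
qemu-cacert, Mar 9, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): C0:85:2D:BC:8D:53:27:C8:B3:FE:08:DE:F8:02:CF:0D:A8:CB:8A:63:A3:05:73:1D:A6:CD:91:BD:74:A5:8B:F0'
SAMPLE_OPENSSL='sha256 Fingerprint=59:B7:0A:F6:6B:7B:61:0A:17:D1:2E:E5:49:F4:72:4F:97:2E:E5:FA:03:A4:80:FC:70:E1:99:80:76:C8:1E:6A'
```

On the host, run `STOREPASS=mypass sh check.sh` after sourcing or adding a call to check_truststore_live; a MISMATCH result means the cacert alias must be deleted and re-imported as shown in the Resolution.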
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.