During replication and other tasks that need to connect to a remote server, you might see the following error message:
This indicates that Artifactory was unable to establish a trusted SSL connection over SSL. This issue might arise if you are using a self-signed certificate or a certificate that’s been issued by an internal certificate authority, or if your clients (e.g., browser, Java) are outdated.
Trust is handled by having the root and intermediate certificates of your SSL certificate on a trusted keystore. With that said, this may not be required if you're using the default JVM security setting.
Resolution:
First, get your root certificate. Then, perform the following steps (being mindful that if you're working in an HA environment, you'll need to apply these steps to all of your nodes):
This indicates that the issuer (i:) is the same as the subject (s:).
Therefore, this is the root certificate. Save the hash of the certificate, being sure to include:
If there are multiple certificates, save each one as an individual file. Load the certificate files into the JVM keystore one by one, combining certificates into one text file doesn't work.
For a new certificate to be trusted, you'll need to add it to your application's keystore or to the keys directory of every service that needs to trust it. To establish a certificate's trust for the JFrog Platform with Artifactory 7.x or Mission Control 4.x, follow the instructions detailed HERE . For Artifactory 6.x or Mission Control 3.x, use these instructions:
Verify your changes at Admin => Repositories => your remote repository => Test =>.
If you are still encountering a connection failure, you may need to restart Artifactory for your changes to take effect.
[ERROR] (o.a.a.r.c.BaseReplicationProducer:97) – Error occurred while performing folder replication for 'XXXX': sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: sun.security.validator.ValidatorException:
This indicates that Artifactory was unable to establish a trusted SSL connection over SSL. This issue might arise if you are using a self-signed certificate or a certificate that’s been issued by an internal certificate authority, or if your clients (e.g., browser, Java) are outdated.
Trust is handled by having the root and intermediate certificates of your SSL certificate on a trusted keystore. With that said, this may not be required if you're using the default JVM security setting.
Resolution:
First, get your root certificate. Then, perform the following steps (being mindful that if you're working in an HA environment, you'll need to apply these steps to all of your nodes):
- Get the remote site’s root and intermediate certificates by running openssl s_client -showcerts -connect <REMOTE_URL>:<REMOTE_PORT>. Note: This may not be required if you are using the default JVM security setting.
openssl s_client -showcerts -connect google.com:443
- Save each certificate as a file. For example:
s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
This indicates that the issuer (i:) is the same as the subject (s:).
Therefore, this is the root certificate. Save the hash of the certificate, being sure to include:
—–BEGIN CERTIFICATE—– and the —–END CERTIFICATE—–
as the root.crt.If there are multiple certificates, save each one as an individual file. Load the certificate files into the JVM keystore one by one, combining certificates into one text file doesn't work.
For a new certificate to be trusted, you'll need to add it to your application's keystore or to the keys directory of every service that needs to trust it. To establish a certificate's trust for the JFrog Platform with Artifactory 7.x or Mission Control 4.x, follow the instructions detailed HERE . For Artifactory 6.x or Mission Control 3.x, use these instructions:
- Identify which JVM platform Artifactory is running on.
- Import the root and intermediate certificates to the trusted root certificate of the Java platform you've identified in Step #1 above (usually called cacerts) by using the keytool import command. More information is available HERE.
sudo keytool -importcert -keystore /usr/local/java/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit -file ~/Downloads/RHEL-cert/root.crt -alias "rhel-root"
Verify your changes at Admin => Repositories => your remote repository => Test =>.
If you are still encountering a connection failure, you may need to restart Artifactory for your changes to take effect.