davea
Occasional Contributor
9 years ago

how to debug cert error in ccollab cli on win7

We just upgraded from 8.4 to 9.5.9501.  We have one user that is getting this error when trying ccollab login from a cmd box:

PKIX path building failed... unable to find valid certification path to requested target.

We have a custom CA cert for our project.  We have added our CA using the Java control panel, adding it under Secure Site CA.

I know in the past we would get a message and it let us accept the collab server certificate, but this just errors out now on this one machine.

Is there any way to get more runtime debugging or fix this?


  • davea
    Occasional Contributor

    OK, I just found the --debug option.  I also discovered that it was working for me because I still had client 8.4.8406 installed on my machine.  When I upgraded my client to 9.5.9501, I also get the certificate error. So two machines that have upgraded the client to 9.5 are getting this error.

    I am looking at the debug log now.  For security reasons, I am not able to transfer it off the project network.

    • davea
      Occasional Contributor

      So I decided to try the GUI client on Windows, and if I go into Preferences and try Test Connection, I get basically the same error.

      Looking at the collab.log file, when starting the connection, there are some lines about header lines being added, then one with a command of SessionService.authenticate.  Then Closing the connection, then the exception:

      javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: ... and so on.

      • davea
        Occasional Contributor

        OK, it turns out it's a Java configuration problem.  The way I was trying to add the CA cert or server cert was either wrong or doesn't work anymore.  I did add our CA cert to the system certs in Java's lib/security/cacerts file using keytool and now it works.

        In the past, with this error, it would prompt if we wanted to permanently accept the server's cert.  That prompt no longer occurs.  I don't know if that is because it's a different Java version, or Java settings, or if that was something in the ccollab client code.
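
An added diagnostic, not part of the original thread or of the ccollab client: a small Java program that prints which trust store a standalone JVM consults, checks whether a given CA certificate is in it, and attempts a TLS handshake with the JVM's default trust managers. The class name TrustCheck and its arguments (host, port, CA certificate file) are assumptions made for this example; run it with the same Java runtime the client uses.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper. Usage: java TrustCheck <host> <port> <ca-cert-file>
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        // JSSE default order: -Djavax.net.ssl.trustStore, then jssecacerts, then cacerts.
        String override = System.getProperty("javax.net.ssl.trustStore");
        File sec = new File(System.getProperty("java.home"), "lib/security");
        File store = override != null ? new File(override)
                : new File(sec, "jssecacerts").exists() ? new File(sec, "jssecacerts")
                : new File(sec, "cacerts");
        System.out.println("Trust store in use: " + store.getAbsolutePath());

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, null); // null password: read entries, skip the integrity check
        }

        // Load the project CA certificate (PEM or DER) and look it up in the store.
        X509Certificate ca;
        try (InputStream in = new FileInputStream(args[2])) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String alias = ks.getCertificateAlias(ca);
        System.out.println(alias != null
                ? "CA is trusted under alias: " + alias
                : "CA is NOT in this trust store: " + ca.getSubjectX500Principal());

        // Handshake the way a standalone Java client would, with default trust managers.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            System.out.println("Handshake OK, peer: " + s.getSession().getPeerPrincipal());
        } catch (SSLException e) {
            // A missing CA surfaces here as "PKIX path building failed".
            System.out.println("Handshake failed: " + e.getMessage());
        }
    }
}
```

If it reports the CA as missing, the printed path is the store that the keytool import described in the last post has to target.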