Greetings!
I have a new installation of an 8.1.16 Gateway running on RHEL 8.5 latest.
We are using Let's Encrypt certificates pulled via HashiCorp Vault Agent, which basically triggers the script referenced in this wonderful blog post.
The Gateway works/starts and is using the desired certificate. However, after peeking at the logs a bit I'm noticing the following:
INFO | jvm 1 | 2022/05/02 16:17:27 | java.lang.Exception: PKIX certificate path validation failed
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.ssl.CertificateValidationUtil.verifyTrustChain(CertificateValidationUtil.java:292)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.ssl.CertificateValidationUtil.verifyTrustChain(CertificateValidationUtil.java:109)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.ssl.SslManager.validateKeyStore(SslManager.java:261)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.ssl.SslManager$AbstractStateReader.readState(SslManager.java:301)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.ssl.SslManager.refreshInternal(SslManager.java:423)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.ssl.SslManager.refresh(SslManager.java:403)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.ssl.SslManager.refresh(SslManager.java:414)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.GcuInterface.reloadSslKeyStore(GcuInterface.java:444)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.GcuInterface.requestReceieved(GcuInterface.java:493)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.catapult.GcuRequestServer.handleRequest(GcuRequestServer.java:60)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.catapult.GcuRequestServer$RequestFileMonitor$2.run(GcuRequestServer.java:118)
INFO | jvm 1 | 2022/05/02 16:17:27 | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
INFO | jvm 1 | 2022/05/02 16:17:27 | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
INFO | jvm 1 | 2022/05/02 16:17:27 | at java.base/java.lang.Thread.run(Unknown Source)
INFO | jvm 1 | 2022/05/02 16:17:27 | Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
INFO | jvm 1 | 2022/05/02 16:17:27 | at java.base/java.security.cert.PKIXParameters.setTrustAnchors(Unknown Source)
INFO | jvm 1 | 2022/05/02 16:17:27 | at java.base/java.security.cert.PKIXParameters.<init>(Unknown Source)
INFO | jvm 1 | 2022/05/02 16:17:27 | at java.base/java.security.cert.PKIXBuilderParameters.<init>(Unknown Source)
INFO | jvm 1 | 2022/05/02 16:17:27 | at com.inductiveautomation.ignition.gateway.ssl.CertificateValidationUtil.verifyTrustChain(CertificateValidationUtil.java:230)
INFO | jvm 1 | 2022/05/02 16:17:27 | ... 13 common frames omitted
INFO | jvm 1 | 2022/05/02 16:17:27 | I [g.SslManager ] [21:17:27]: State refreshed state=CA_SIGNED_CERTIFICATE
INFO | jvm 1 | 2022/05/02 16:17:27 | I [o.e.j.u.s.SslContextFactory ] [21:17:27]: x509=X509@4ddf6087(ignition,h=[mydomain.com.com],a=[],w=[mydomain.com, linux.mydomain.com]) for Server@37c72a14[provider=null,keyStore=null,trustStore=null]
Browsing a bit online, it seems to reference an incorrect/missing/wrong certificate chain. I believe I have all the certificates in the chain…
0: subject=CN = *.mydomain.com
issuer=C = US, O = Let's Encrypt, CN = R3
1: subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
2: subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
As stated, everything appears to be functional; I'm just a bit perplexed why I'm seeing this in the logs. Anyone seen anything similar?
Thanks!
~Jordan
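The `trustAnchors parameter must be non-empty` line in the log is what `java.security.cert.PKIXParameters` throws when it is constructed with an empty anchor set, so the PKIX validation never got as far as looking at the chain itself. As an added example (not code from the post or from Ignition), here is a small Java program that loads a PEM chain file, works out what can serve as the trust anchor, and runs the same PKIX validation explicitly; the class name, the file arguments and the leaf-first file ordering are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Usage: java ChainCheck fullchain.pem [roots.pem]
// fullchain.pem: leaf first, then intermediates (assumed ordering).
// roots.pem: optional, self-signed roots to use as trust anchors.
public class ChainCheck {
    static List<X509Certificate> loadPem(CertificateFactory cf, String path) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = loadPem(cf, args[0]);
        Set<TrustAnchor> anchors = new HashSet<>();
        if (args.length > 1) {
            // Explicit trust store: every cert in roots.pem becomes an anchor.
            for (X509Certificate root : loadPem(cf, args[1])) {
                anchors.add(new TrustAnchor(root, null));
            }
        }
        // If the chain file ends in a self-signed cert, that cert can anchor it.
        X509Certificate last = chain.get(chain.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            anchors.add(new TrustAnchor(last, null));
            chain.remove(chain.size() - 1);
        } else {
            System.out.println("Last cert in chain is not self-signed; its issuer "
                + last.getIssuerX500Principal() + " must come from a trust store.");
        }
        // An empty anchor set here reproduces the exception seen in the log:
        // InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check; revocation is a separate concern
        CertPath path = cf.generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
            (PKIXCertPathValidatorResult) validator.validate(path, params);
        System.out.println("Chain validates, anchored at "
            + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

A chain whose final certificate is itself issued by another CA (as in the listing above, where ISRG Root X1 is issued by DST Root CA X3) has no self-signed member, so the anchor has to be supplied via the second file or the program will hit the same exception.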