Issue:
I see the below error in the sdc.log when trying to upload a Support Bundle.
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Versions affected: n/a
Solution:
This is primarily caused by missing certificates or improperly configured certificate stores.
You could begin by checking whether the truststore path was changed at the JVM level. You can verify this by checking whether the following is set in your JAVA_OPTS property:
-Djavax.net.ssl.trustStore
If so, are all your root certificates included there? Ensure that they are. If updating in Cloudera Manager, you would add an entry like the one below and restart SDC.
export SDC_JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/java/default/jre/lib/security/jssecacerts -Djavax.net.ssl.trustStorePassword=<password> -Xmx8g -Xms2g -server"
If you are using a custom truststore, you'll need to import the certificate issued by DigiCert (DigiCert is the issuer used by AWS S3, which we use for Support Bundle upload as of this writing) into your custom truststore file:
# openssl s_client -connect customer-support-bundles.s3-us-west-2.amazonaws.com:443 -showcerts
Server certificate
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3-us-west-2.amazonaws.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
The import can then be verified using (example):
# keytool -list -v -keystore /usr/java/default/jre/lib/security/jssecacerts | grep DigiCert
Owner: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
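The keytool check above greps for "DigiCert", which matches any DigiCert entry and not necessarily the one that issued the S3 certificate. As an added example (not part of the original article), the script below compares the issuer CNs from the s_client output with the Owner CNs in the truststore listing; the function names are hypothetical and the sample texts are constructed from the names shown above.

```shell
#!/bin/sh
# Name-based check only: it compares DNs and does not verify signatures.

# Print the CN of every issuer in `openssl s_client -showcerts` output (stdin):
# the "issuer=" line and the " i:" chain lines. Assumes CN is the last RDN.
chain_issuer_cns() {
    sed -n -e 's/^issuer=.*CN *= *//p' -e 's/^ *i:.*CN *= *//p' | sort -u
}

# Print the CN of every "Owner:" entry in `keytool -list -v` output (stdin).
truststore_owner_cns() {
    sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p'
}

# $1 = saved s_client output, $2 = saved keytool output. Prints the chain issuers
# that are truststore entries. Status: 0 found, 1 none, 2 no issuer parsed.
trusted_chain_issuers() {
    issuers=$(chain_issuer_cns < "$1")
    [ -n "$issuers" ] || return 2
    # -F -x: whole-line fixed-string match, so a bare "DigiCert" never counts
    truststore_owner_cns < "$2" | grep -Fx -e "$issuers"
}

# Constructed samples (hypothetical helpers) reusing the names shown on this page.
sample_s_client() {
    cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3-us-west-2.amazonaws.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
Server certificate
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3-us-west-2.amazonaws.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
EOF
}
sample_keytool() {
    cat <<'EOF'
Owner: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
EOF
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
sample_s_client > "$tmp/chain.txt"; sample_keytool > "$tmp/store.txt"
if trusted_chain_issuers "$tmp/chain.txt" "$tmp/store.txt"; then
    echo "truststore contains an issuer from the server's chain"
else
    echo "no chain issuer in truststore, although 'grep DigiCert' matches"
fi
```

Against a live system, save the output of the two commands shown above to files and pass them to trusted_chain_issuers.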