Unable to run scheduled tasks over SSL sun.security.validator.ValidatorException even after adding

My server uses Lucee 4.x behind Apache on Amazon Linux 64bit with Java 1.8.

When my scheduled tasks run, the below exception is logged, and so
obviously nothing gets run. I’ve been to the server admin and pressed
‘install’ after entering my server’s address.
Nothing appears to happen that is different from pressing ‘list’ there, and
even after a restart my tasks break.

Is there any way to check the certificates have been installed?
It’s a Let’s Encrypt certificate if it helps. Can I maybe add its
chain/root certificate by hand somewhere?

"ERROR","Thread-124","04/13/2016","15:07:09","","schedule task:queue tick;sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at lucee.commons.net.http.httpclient4.HTTPEngine4Impl.execute(HTTPEngine4Impl.java:423)
    at lucee.commons.net.http.httpclient4.HTTPEngine4Impl._invoke(HTTPEngine4Impl.java:253)
    at lucee.commons.net.http.httpclient4.HTTPEngine4Impl.get(HTTPEngine4Impl.java:113)
    at lucee.commons.net.http.HTTPEngine.get(HTTPEngine.java:86)
    at lucee.runtime.schedule.ExecutionThread.execute(ExecutionThread.java:108)
    at lucee.runtime.schedule.ExecutionThread.run(ExecutionThread.java:58)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 31 more
"

The exception you are getting is different, but I wonder if it’s
related to this scheduler-specific issue?

https://luceeserver.atlassian.net/browse/LDEV-649

On 13 April 2016 at 16:08, Tom Chiverton <@Tom_Chiverton> wrote:

> My server uses Lucee 4.x behind Apache on Amazon Linux 64bit with Java 1.8.
>
> When my scheduled tasks run, the below exception is logged, and so obviously
> nothing gets run. I’ve been to the server admin and pressed ‘install’
> after entering my server’s address.
> Nothing appears to happen that is different from pressing ‘list’ there, and
> even after a restart my tasks break.
>
> Is there any way to check the certificates have been installed?
> It’s a Let’s Encrypt certificate if it helps. Can I maybe add its chain/root
> certificate by hand somewhere?


Can’t you use the domain of the app with the function you want to run?
You’re basically calling Tomcat directly over http and it has to know
which host goes with which app (as registered in server.xml).

On 14 April 2016 at 09:06, Tom Chiverton <@Tom_Chiverton> wrote:

> I can’t run using localhost:8888 because there are many applications on the
> box with differing domains.

I entered the domain in the Lucee admin. The Apache config uses SNI. If I
had to guess, the scheduler isn’t correctly doing this.
It does sound a lot like the same issue as
https://luceeserver.atlassian.net/browse/LDEV-649

I’ve added the Let’s Encrypt cert and chain files to the cacerts file with
keytool, and even moved to the latest 1.8 JVM.
No change :-/

I can’t run using localhost:8888 because there are many applications on the
box with differing domains.

I guess I can fall back to wget in cron …

Tom

On Wednesday, April 13, 2016 at 11:21:23 PM UTC+1, Nando Breiter wrote:

> I’ve been to the server admin and pressed ‘install’ after entering my
> server’s address.

Did you enter a domain or an IP address? Speculation on my part, but
perhaps you might be able to install the certs via the Lucee admin if
you enter the domain and the certs are installed on a web server in front
of Lucee, Apache in your case. If the certs aren’t already installed
somewhere, I don’t see how the Lucee admin could pick them up and install
them.

> Nothing appears to happen that is different from pressing ‘list’ there,
> and even after a restart my tasks break.

I run all scheduled tasks via localhost:8888 if possible to avoid the
hassle of installing and maintaining certs using the java keytool, which is
what I’ve done in the past. Every time the JVM is updated, the certs need
to be reinstalled.

> Is there any way to check the certificates have been installed?
> It’s a Let’s Encrypt certificate if it helps. Can I maybe add its
> chain/root certificate by hand somewhere?

My experience in regards to installing certs for APIs, if you are able to
install the cert via the admin interface by entering the domain, it will
install the entire chain. If you install the certs using the java keytool,
you’ll need to install each cert in the entire chain individually.
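
One way to check, from the JVM's side, whether the certificates are actually trusted (an added example, not part of the original thread and not Lucee code): it connects with SNI set to the given host, records the chain the front-end web server sends, and runs the same default PKIX validation that fails in the stack trace. The class name `TrustCheck` is hypothetical, and the result is only meaningful if it is run with the same Java binary and the same `javax.net.ssl.trustStore` setting (if any) as the Lucee process, which is an assumption about your setup.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

// Added diagnostic, not Lucee code. Usage: java TrustCheck <host> [port]
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length == 0) { System.err.println("usage: java TrustCheck <host> [port]"); return; }
        final String host = args[0];                 // the domain used in the scheduled task URL
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // Trust manager built from this JVM's default trust store (cacerts or javax.net.ssl.trustStore).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager jvm = (X509TrustManager) tmf.getTrustManagers()[0];

        // Wrapper that remembers the presented chain, then delegates to the normal PKIX validation.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jvm.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;                         // keep the chain even when validation throws
                jvm.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return jvm.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        String verdict = "chain validates against the default trust store";
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();  // send the host name explicitly as SNI
            p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            s.setSSLParameters(p);
            s.startHandshake();
        } catch (SSLHandshakeException e) {
            verdict = "handshake failed: " + e.getMessage();
        }
        System.out.println(host + ":" + port + " -> " + verdict);
        if (seen[0] == null) return;                 // no server certificate was received at all
        for (X509Certificate c : seen[0])
            System.out.println("  sent: " + c.getSubjectX500Principal() + "  (issuer: " + c.getIssuerX500Principal() + ")");
        X509Certificate top = seen[0][seen[0].length - 1];
        boolean anchored = false;                    // is the last sent certificate's issuer a trust anchor?
        for (X509Certificate a : jvm.getAcceptedIssuers())
            anchored |= a.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        System.out.println("  issuer of last sent certificate is a trust anchor: " + anchored);
    }
}
```

If the subject printed is for a different domain, the SNI virtual host did not match; if only the leaf certificate is sent and its issuer is not a trust anchor, either the web server is not sending the intermediate or the root is missing from the trust store this JVM reads.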

We are also facing this issue, we opted for configuring all Scheduled tasks
to run on tomcat directly (port 8888) thus skipping IIS (in our case) and
all SSL Cert issues.
We are able to run it on http://DNS name:8888/path/to/scheduledtask script/

–David

On Thursday, April 14, 2016 at 11:54:23 AM UTC+2, Nando Breiter wrote:

> I can’t run using localhost:8888 because there are many applications on
> the box with differing domains.

Same here (many domains), but I append an app key to the scheduled task
urls and have code that sets which app the request applies to, which allows
me to run these requests via localhost.

> I guess I can fall back to wget in cron …
>
> Tom


Ohh, the workaround from https://luceeserver.atlassian.net/browse/LDEV-649
does work - change the URL to be http:// and enter ‘8888’ as the port.

Tom
