Download of calendar failed. - PKIX path building failed

I try to connect my calendar on my Synology drive to OH3 (3.1.0.M4) with the icalendar binding.
The URL is something like https://192.168.x.y/calendar/sharing/vapABV9HL

2021-05-15 14:19:24.658 [WARN ] [g.icalendar.internal.handler.PullJob] - Download of calendar failed.
2021-05-15 14:19:24.658 [DEBUG] [g.icalendar.internal.handler.PullJob] - ExecutionException message is: PKIX path building failed: unable to find valid certification path to requested target

For me it seems that the https protocol causes the problems.
How can I solve that connection issue?

This happens (using every http-client) when the certificate signer is not known or trusted. Your NAS matches this issue. I’m not aware about the calendar software integrated or available for Synologys. A way to solve this would be to use http if you trust the network. If not, your openHAB system needs to trust the CA used for creating the Synology certificate (more complex). The latter solution depends on the OS openHAB is installed on, so you need to find out how to trust certificates in that OS.

Thanks for that hint!

Unfortunately HTTP is not working, so I have to find out how to trust the certificate.
It is installed on openhabian.

I had to import the certificate to the java trust store (not from linux) and restart OH.

Now I get another error

2021-05-16 10:46:49.681 [WARN ] [g.icalendar.internal.handler.PullJob] - Download of calendar failed.
2021-05-16 10:46:49.682 [DEBUG] [g.icalendar.internal.handler.PullJob] - ExecutionException message is: No subject alternative names matching IP address 192.168.x.y found

This seems to be similar to

Is there a possibility to deactivate this strict check?

The message is saying the certificate is not matching the server at all. You should replace or regenerate it. Is the synology able to create CSRs?

How does your certificate look like / what is the content of it ? Does it contain the servers IP address and the IP address of your server changed ? Or does it contain the servers FQDN ?

Sorry, I’m not really understanding what to do.

I downloaded the certificate from the web browser and have imported it to the java trust store. As I understand the dns name is synology. I don’t know if it is changeble somehow. I’m addressing it with a static IP address I gave him.

I found a button called CSR .
Does you mean, I should create a new certificate and it will not work with the current certificate?

The workflow would be the same after the creation; download the certificate and install it in the java trust store?

Bildschirmfoto von 2021-05-16 18-36-41

Depending which options you have when configuring the certificate. Checkout the Button “Konfigurieren” and look for “Common Name”/CN/“Zertifikatsname” and for “(Subject) Alternative Name”/SAN/“Alternativnamen”. One of those names must be the name or ip you access from openhab. Then i’d expect to get a fresh self signed certificate and the import process is the same. Else we need to create an own CA, but let’s try out that first.

Thanks Michael for your assistance and moving me to the right direction.
With “Konfigurieren”, I just can say which certificate (if there are more) to use for which service. So I tried to generate a new certificate and it worked!

The thing is online and the messages are:

2021-05-16 19:58:10.814 [DEBUG] [ar.internal.handler.ICalendarHandler] - The calendar is currently offline as no local copy exists. It will go online as soon as a valid valid calendar is retrieved.
2021-05-16 19:58:13.764 [DEBUG] [ar.internal.handler.ICalendarHandler] - Scheduled update in 360107 seconds
1 Like

Hi @usambara ,

i am currently also struggeling with getting iCalendar binding running with my Synology. I am on DSM 7.0.1 and running OH 3.1.0. I can’t see any ‘CSR’ Button in DSM Certificate Management.

Currently my log on OH says:

2021-11-04 21:20:52.308 [WARN ] [g.icalendar.internal.handler.PullJob] - Download of calendar failed.

Can you tell me, which steps to reproduce so that i get the iCalendar working? Where do i have to download which Certificate, etc? That would be fantastic.

Thanks in advance

Edit: In the meantime i have raised log level to ‘TRACE’ and now it is giving a reason:

2021-11-05 00:48:42.505 [DEBUG] [g.icalendar.internal.handler.PullJob] - ExecutionException message is: Max requests queued per destination 1024 exceeded for HttpDestination[]@1fdecff,queue=1024,pool=DuplexConnectionPool@1921420[c=0/2/2,a=2,i=0,q=1024]

I do have 4 calendars which i am watching with 4 additional filters, so in total 8 items. Each had a pull time of 5min. In a first step i have raised this now to 15min/360min. But i dont know why this error shows up. Is there any clue on this?

Hi usambara,
can you tell me how you have imported the certificate in you’re keystore.
I’m running openhab and synology in the same.local network. But I can get the cal to work.
I have still the errors with the certificate.

  • ExecutionException message is: PKIX path building failed:

When I remember right, I created a new certificate on my NAS:
(sorry, it is in German localized)
Systemsteuerung / Zertifikat / Hinzufügen / Hinzufügen

This was exported and imported on my openhab server.

I found in my history the following command:
sudo keytool -import -alias myssl -file /usr/local/share/ca-certificates/extra/nas.crt -keystore /opt/jdk/zulu11.48.21-ca-jdk11.0.11-linux_aarch64/lib/security/cacerts

I’m quite confident that this did the trick.
nas.crt is the certificate exported from the NAS-drive

1 Like

Thanks for you’re answer. I will try it during the weekend.
Br Thorsten

Hi Ulrich,
how did you create a certificate?
Under the path you mentioned Systemsteuerung… The only way to create a certificate is with
the help of let’s encrypt.

If I export this i get a zip file containing 6 Files . 3 starting with RCA and 3 with ECC.
But in you’re other message you write to import a crt file.

So I’m confused.

Between Systemsteuerung and Zertifikat was a “Sicherheit” missing, but I’m sure that wasn’t the point. If you follow the path mentioned above, you can select “Neues Zertifikat hinzufügen”. In the next step you have the option “Selbst unterzeichnetes Zertifikat erstellen”. That is what you need to do here.

I have DSM 6.2.4, maybe that’s an issue here.

yes, in dsm 7 that is not available anymore

I would say that’s even better than a selfsigned certificate as you do not need to define exceptions during using them.

maybe, but the only reason to need a certificate, is the openhab I cal binding.
My synology (needed for synology calendar) and my openhab, are not reachable from the inet.
Synolgy only offers a https link to the synology calendar. And if i enter this in the openhab raises the certificate error.
So from my point of view a self signed is enough.