Thank you! This worked like a charm!
I’m just getting started with the whole docker thing (and Linux in general) so I’m just starting to figure things out. I already figured that I would need to do that in the container somehow so I tried finding the java install path inside the container with this:
update-java-alternatives --list
This didn’t yield any results so I was poking around in the folders a bit and eventually ran out of creative ideas…
so cool 
thank you!
Hi! That does not work for me on a mac.
I can’t execute the csplit line …
any advice? I tried in the terminal and in the openhab console as well.
On given JVM version (above 8.1), I had to add
-J-Duser.language=en
to the keytools options in order to avoid error.
I installed zulu as suggested so I dont have java
thank you , that helped!
I have tried Patrik’s solution with no luck.
I have a windows machine so KeyStore Explorer looked the simplest for me.
I Imported both the Certs, rebooted the computer but still no luck getting this running.
If I reload Keystore Explorer it looks like both have imported ok!
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[?:?]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:?]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:?]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:?]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:?]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:?]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334) ~[?:?]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309) ~[?:?]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259) ~[?:?]
at org.openhab.binding.icloud.internal.Connection.postRequest(Connection.java:95) ~[?:?]
at org.openhab.binding.icloud.internal.Connection.requestDeviceStatusJSON(Connection.java:55) ~[?:?]
at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$0(ICloudAccountBridgeHandler.java:81) ~[?:?]
at org.eclipse.smarthome.core.cache.ExpiringCache.refreshValue(ExpiringCache.java:81) ~[?:?]
at org.eclipse.smarthome.core.cache.ExpiringCache.getValue(ExpiringCache.java:61) ~[?:?]
at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.refreshData(ICloudAccountBridgeHandler.java:132) ~[?:?]
at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$1(ICloudAccountBridgeHandler.java:123) ~[?:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:?]
at java.lang.Thread.run(Thread.java:748) [?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:?]
... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:?]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:?]
... 26 more
2018-08-17 13:28:57.703 [INFO ]
Anybody know what I am doing wrong?
Many Thanks
Mick
I’m running the same setup as you (openHAB 2.3 on Synology), still no working iCloud binding… did you get it to work?
When executing
csplit -f cert /tmp/icloud2.crt '/^-----BEGIN CERTIFICATE-----/' {*}
I get “0” as a reply from console. Is that correct…?
Following through to
bin/keytool -importcert -file /tmp/cert01 -alias icloudfmi1 -trustcacerts -keystore ./jre/lib/security/cacerts -storepass changeit
I get: /tmp/cert01 (No such file or directory)
Any ideas where I’m going wrong? Thanks!
No, it is still not Working.
Followed the script of @The-Elk (see above) and the certificates got installed. Your error message indicates that the folder /temp/cert… has not been created by the first command.
I have the certificates installed and working in theSynology Java setup but this does not solve the binding problem.
Wow,
Finally got this sorted and can’t believe my school boy error!
I have got “JRE” and “JDK” on my machine and didn’t realise KeyStore Explorer was only updating “JRE”.
I finally forced KeyStore Explorer to open the other folder and it has worked.
Hopefully this method will work for others with ongoing problems.
Is there any user with a openhanded setup on a Synology who was able to solve this iCloud certificate issue?
The approach outlined here can be followed and executed with a successful installation of the certificates but the iCloud issue still prevails.
Anyone that could help here?
Many thanks
It is working for me on a Synology. I used the following approach:
sudo -i
echo -n | openssl s_client -servername fmipmobile.icloud.com -host fmipmobile.icloud.com -port 443 -prexit -showcerts 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/icloud2.crt
cd /tmp
csplit -f cert /tmp/icloud2.crt '/^-----BEGIN CERTIFICATE-----/' {*}
// back to java security dir on the Synology - /var/packages/Java8/target/j2sdk-image/jre/lib/security (using Synology's Java8 package)
keytool -importcert -file /tmp/cert01 -alias icloudfmi1 -trustcacerts -keystore cacerts -storepass changeit
keytool -importcert -file /tmp/cert02 -alias icloudfmi2 -trustcacerts -keystore cacerts -storepass changeit
strange. If I redo your steps, then it tells me "Certificate not imported, alias already exists. Same with the second one.
So, it is installed. What did you do afterwards? Restart iCloud binding, restart openhab?
P.S.: I did delete Java8 and reinstalled, the script ran as expected to install the certificates but still the same error
15:04:59.906 [WARN ] [ud.handler.ICloudAccountBridgeHandler] - Unable to refresh device data
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Thanks
I had the same issue last week, Openhab crashed and it lost all the things. When I reinstalled them the iCloud thing didn’t work.
I followed the steps above and got the same error “Certificate not imported, alias exists” but the error was my iCloud account details were wrong.
Once I corrected them (in my case the e-mail was wrong) it all worked perfectly.
I just created a (potential) fix, feel free to test it out, you can download it through https://github.com/openhab/openhab2-addons/issues/3762#issuecomment-420803031
Thanks, running Build #1374, so far so good…
however when test removing the things(many iphones, ipads, watches), it seems can not completely remove all things from the paper ui page, what should I do to clean this up? Thanks
I tried to work with snapshot from @martinvw:
232 │ Active │ 80 │ 2.4.0.201809191933 │ iCloud Binding
But unfortunately I did not get any data from iCloud, so I have 2 questions:
What I am doing wrong?
2018-10-12 22:26:18.597 [INFO ] [ttp.internal.SecureHttpClientFactory] - creating httpClient for endpoint https://fmipmobile.icloud.com
2018-10-12 22:26:18.603 [INFO ] [ttp.internal.SecureHttpClientFactory] - using custom trustmanagers (certificate pinning) for httpClient for endpoint https://fmipmobile.icloud.com
2018-10-12 22:26:19.365 [WARN ] [d.handler.ICloudAccountBridgeHandler] - Unable to refresh device data
java.io.IOException: Problem while calling the API
at org.openhab.binding.icloud.internal.ICloudConnection.callApi(ICloudConnection.java:115) ~[?:?]
at org.openhab.binding.icloud.internal.ICloudConnection.requestDeviceStatusJSON(ICloudConnection.java:91) ~[?:?]
at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$0(ICloudAccountBridgeHandler.java:87) ~[?:?]
at org.eclipse.smarthome.core.cache.ExpiringCache.refreshValue(ExpiringCache.java:81) ~[?:?]
at org.eclipse.smarthome.core.cache.ExpiringCache.getValue(ExpiringCache.java:61) ~[?:?]
at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.refreshData(ICloudAccountBridgeHandler.java:141) ~[?:?]
at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$1(ICloudAccountBridgeHandler.java:132) ~[?:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:?]
at java.lang.Thread.run(Thread.java:748) [?:?]
Caused by: org.eclipse.jetty.client.HttpResponseException: HTTP protocol violation: Authentication challenge without WWW-Authenticate header
at org.eclipse.jetty.client.AuthenticationProtocolHandler$AuthenticationListener.onComplete(AuthenticationProtocolHandler.java:114) ~[?:?]
at org.eclipse.jetty.client.ResponseNotifier.notifyComplete(ResponseNotifier.java:193) ~[?:?]
at org.eclipse.jetty.client.ResponseNotifier.notifyComplete(ResponseNotifier.java:185) ~[?:?]
at org.eclipse.jetty.client.HttpReceiver.terminateResponse(HttpReceiver.java:458) ~[?:?]
at org.eclipse.jetty.client.HttpReceiver.responseSuccess(HttpReceiver.java:405) ~[?:?]
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.messageComplete(HttpReceiverOverHTTP.java:277) ~[?:?]
at org.eclipse.jetty.http.HttpParser.handleContentMessage(HttpParser.java:599) ~[?:?]
at org.eclipse.jetty.http.HttpParser.parseContent(HttpParser.java:1526) ~[?:?]
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1350) ~[?:?]
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.parse(HttpReceiverOverHTTP.java:159) ~[?:?]
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:120) ~[?:?]
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:70) ~[?:?]
at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:90) ~[?:?]
at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:115) ~[?:?]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[?:?]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[?:?]
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251) ~[?:?]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[?:?]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[?:?]
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) ~[?:?]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) ~[?:?]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) ~[?:?]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) ~[?:?]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) ~[?:?]
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) ~[?:?]
... 1 more
Thank you very much for support in advance.
Had the same problem “Certificate not imported, alias already exists”, in that case on a Synology machine.
Having a look at post #53 procedure I realized my mistake.
I checked where my java is located and by doing a “which java”. I found it in
/volume1/@appstore/Java8/j2sdk-image/bin/java
So i used this to change the directory to.
WRONG! There is another java folder, the one which is relevant here:
/volume1/@appstore/Java8/j2sdk-image/jre/bin/java
So java exists two times 
Correct procedure on my Synology is:
echo -n | openssl s_client -servername fmipmobile.icloud.com -host fmipmobile.icloud.com -port 443 -prexit -showcerts 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/icloud2.crt
cd /tmp
csplit -f cert /tmp/icloud2.crt '/^-----BEGIN CERTIFICATE-----/' {*}
cd /var/packages/Java8/target/j2sdk-image
bin/keytool -importcert -file /tmp/cert01 -alias icloudfmi1 -trustcacerts -keystore ./jre/lib/security/cacerts -storepass changeit
bin/keytool -importcert -file /tmp/cert02 -alias icloudfmi2 -trustcacerts -keystore ./jre/lib/security/cacerts -storepass changeit
Several files are splitted, but the keytool should really run only twice.
I hint for checking imported certificates is to check the date+time of the certificates file
/var/packages/Java8/target/j2sdk-image/jre/lib/security/cacerts
iCloud Binding including .things and .items is running since today after update to latest snapshot
openHAB 2.4.0~20181106171044-1 (Build #1414).
Now I can start with Presence detection by iCloud. Thanks for again good job to @martinvw.
Please note that all workarounds above should not be needed anymore when using the snapshot version, because some changes in the framework and the binding were merged which resolve this.
My local environment is completely happy (without any workarounds) 