Hi,
I want to persist my openHAB data to InfluxDB, but I need an SSL connection, and openHAB2 can’t connect because
database connection error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Here is the full log snippet:
2019-08-23 06:52:20.573 [ERROR] [xtext.validation.CompositeEValidator] - Error executing EValidator
java.util.ConcurrentModificationException: null
at org.eclipse.emf.common.util.AbstractEList$EIterator.checkModCount(AbstractEList.java:758) ~[?:?]
at org.eclipse.emf.common.util.AbstractEList$EIterator.doNext(AbstractEList.java:712) ~[?:?]
at org.eclipse.emf.common.util.AbstractEList$EIterator.next(AbstractEList.java:692) ~[?:?]
at com.google.common.collect.Iterators$7.computeNext(Iterators.java:651) ~[22:com.google.guava:18.0.0]
at com.google.common.collect.AbstractIterator.tryToComputeNext(AbstractIterator.java:143) ~[22:com.google.guava:18.0.0]
at com.google.common.collect.AbstractIterator.hasNext(AbstractIterator.java:138) ~[22:com.google.guava:18.0.0]
at java.lang.Iterable.forEach(Iterable.java:74) ~[?:?]
at org.eclipse.xtext.xbase.validation.UniqueClassNameValidator.checkUniqueName(UniqueClassNameValidator.java:76) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:?]
at org.eclipse.xtext.validation.AbstractDeclarativeValidator$MethodWrapper.invoke(AbstractDeclarativeValidator.java:118) ~[154:org.eclipse.xtext:2.14.0.v20180522-1821]
at org.eclipse.xtext.validation.AbstractDeclarativeValidator.internalValidate(AbstractDeclarativeValidator.java:312) ~[154:org.eclipse.xtext:2.14.0.v20180522-1821]
at org.eclipse.xtext.validation.AbstractInjectableValidator.validate(AbstractInjectableValidator.java:71) ~[154:org.eclipse.xtext:2.14.0.v20180522-1821]
at org.eclipse.xtext.validation.CompositeEValidator.validate(CompositeEValidator.java:151) [154:org.eclipse.xtext:2.14.0.v20180522-1821]
at org.eclipse.emf.ecore.util.Diagnostician.doValidate(Diagnostician.java:171) [66:org.eclipse.emf.ecore:2.12.0.v20160420-0247]
at org.eclipse.emf.ecore.util.Diagnostician.validate(Diagnostician.java:158) [66:org.eclipse.emf.ecore:2.12.0.v20160420-0247]
at org.eclipse.emf.ecore.util.Diagnostician.validate(Diagnostician.java:137) [66:org.eclipse.emf.ecore:2.12.0.v20160420-0247]
at org.eclipse.emf.ecore.util.Diagnostician.validate(Diagnostician.java:108) [66:org.eclipse.emf.ecore:2.12.0.v20160420-0247]
at org.eclipse.smarthome.model.core.internal.ModelRepositoryImpl.validateModel(ModelRepositoryImpl.java:280) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
at org.eclipse.smarthome.model.core.internal.ModelRepositoryImpl.addOrRefreshModel(ModelRepositoryImpl.java:93) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
at org.eclipse.smarthome.model.core.internal.folder.FolderObserver.checkFile(FolderObserver.java:227) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
at org.eclipse.smarthome.model.core.internal.folder.FolderObserver.processIgnoredFiles(FolderObserver.java:137) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
at org.eclipse.smarthome.model.core.internal.folder.FolderObserver.addModelParser(FolderObserver.java:85) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:?]
at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:228) [39:org.apache.felix.scr:2.1.2]
at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41) [39:org.apache.felix.scr:2.1.2]
at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:664) [39:org.apache.felix.scr:2.1.2]
...skipping...
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:?]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:?]
at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:103) ~[?:?]
at com.squareup.okhttp.Connection.connect(Connection.java:143) ~[?:?]
at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:185) ~[?:?]
at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128) ~[?:?]
at com.squareup.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341) ~[?:?]
at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330) ~[?:?]
at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248) ~[?:?]
at com.squareup.okhttp.Call.getResponse(Call.java:273) ~[?:?]
at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:230) ~[?:?]
at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:201) ~[?:?]
at com.squareup.okhttp.Call.execute(Call.java:81) ~[?:?]
at retrofit.client.OkClient.execute(OkClient.java:53) ~[?:?]
at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:326) ~[?:?]
... 78 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:?]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:262) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:327) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:?]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:?]
at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:103) ~[?:?]
at com.squareup.okhttp.Connection.connect(Connection.java:143) ~[?:?]
at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:185) ~[?:?]
at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128) ~[?:?]
at com.squareup.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341) ~[?:?]
at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330) ~[?:?]
at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248) ~[?:?]
at com.squareup.okhttp.Call.getResponse(Call.java:273) ~[?:?]
at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:230) ~[?:?]
at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:201) ~[?:?]
at com.squareup.okhttp.Call.execute(Call.java:81) ~[?:?]
at retrofit.client.OkClient.execute(OkClient.java:53) ~[?:?]
at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:326) ~[?:?]
... 78 more
2019-08-31 13:34:14.448 [ERROR] [.internal.InfluxDBPersistenceService] - database connection error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2019-08-31 13:34:14.449 [ERROR] [.internal.InfluxDBPersistenceService] - database connection does not work for now, will retry to use the database.
The InfluxDB uses a domain-internal SSL certificate from my Univention server, which is the CA. So I imported the CA and the server certificate into /var/lib/openhab2/etc/keystore and restarted openhab2.service after each import.
root@sv020:/var/lib/openhab2/etc# keytool -list -keystore keystore
Keystore-Kennwort eingeben:
Keystore-Typ: jks
Keystore-Provider: SUN
Keystore enthält 3 Einträge
ucs-root-ca, 31.08.2019, trustedCertEntry,
Zertifikat-Fingerprint (SHA1): B6:14:E9:52:B9:14:5F:34:13:64:B4:4B:A9:47:66:1A:2F:B1:4B:AB
graphing.mgmt.mydomain.com, 31.08.2019, trustedCertEntry,
Zertifikat-Fingerprint (SHA1): F8:1A:C1:01:D1:21:86:95:1A:EE:68:4A:66:D2:6E:B6:A3:87:97:00
mykey, 26.07.2019, PrivateKeyEntry,
Zertifikat-Fingerprint (SHA1): D3:AF:CE:8A:56:67:4C:D7:03:1C:2B:9A:9A:E2:FC:5D:33:7D:93:0D
Warning:
Der JKS-Keystore verwendet ein proprietäres Format. Es wird empfohlen, auf PKCS12 zu migrieren, das ein Industriestandardformat mit "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12" ist.
The certificate is OK:
root@sv020:~# openssl s_client -connect graphing.mgmt.mydomain.com:8086 -CAfile /usr/local/share/ca-certificates/ucs-root-ca.crt
CONNECTED(00000003)
depth=1 C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=ee4KkQBj), emailAddress = ssl@intra.mydomain.com
verify return:1
depth=0 C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = graphing.mgmt.mydomain.com, emailAddress = ssl@intra.mydomain.com
verify return:1
---
Certificate chain
0 s:C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = graphing.mgmt.mydomain.com, emailAddress = ssl@intra.mydomain.com
i:C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=ee4KkQBj), emailAddress = ssl@intra.mydomain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = graphing.mgmt.mydomain.com, emailAddress = ssl@intra.mydomain.com
issuer=C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=ee4KkQBj), emailAddress = ssl@intra.mydomain.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2102 bytes and written 445 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FC2F5C452AAA916B697810A92B2D55A5265952D5100455CDE6066121FF22E4EE
Session-ID-ctx:
Master-Key: F4DB63CE90BFF4F1442371F6B649D6A810712A17E83D07B2F121721D985027B56E03921A6A150FA8B5D7F05660272D7C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 6d 36 a7 8d 7a 6e 18 b6-4a ec 48 27 84 8a ff 69 m6..zn..J.H'...i
0010 - 3d 70 1a 2a c8 72 fc 5a-7a 28 32 c6 73 d1 0b d3 =p.*.r.Zz(2.s...
0020 - 51 73 b7 07 a2 d5 03 1c-23 f8 c1 06 00 7e 4d eb Qs......#....~M.
0030 - e8 33 af 08 ac 67 3c 10-f8 3b e9 39 b7 e6 4f 62 .3...g<..;.9..Ob
0040 - d2 fb cb 45 8f 5f a0 2b-42 d7 a1 c7 34 98 6f 85 ...E._.+B...4.o.
0050 - 4b 77 a3 4c cd 80 29 39-59 ab de de 76 31 c3 14 Kw.L..)9Y...v1..
0060 - ee 63 2a d2 52 67 ff 6f-50 2e 32 68 a7 e6 1a 6d .c*.Rg.oP.2h...m
0070 - ce 17 fb e0 15 a6 b2 ed- ........
Start Time: 1567252054
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
HTTP/1.1 400 Bad Request
Content-Type: text/plain
Connection: close
400 Bad Requestclosed
root@sv020:~#
Where do I have to import my CA certificate so that openHAB can check the PKI path of the server certificates in use?
root@sv020:~# openhab-cli info
Version: 2.4.0 (Build)
User: openhab (Active Process 13874)
User Groups: openhab
Directories: Folder Name | Path | User:Group
----------- | ---- | ----------
OPENHAB_HOME | /usr/share/openhab2 | openhab:openhab
OPENHAB_RUNTIME | /usr/share/openhab2/runtime | openhab:openhab
OPENHAB_USERDATA | /var/lib/openhab2 | openhab:openhab
OPENHAB_CONF | /etc/openhab2 | openhab:openhab
OPENHAB_LOGDIR | /var/log/openhab2 | openhab:openhab
OPENHAB_BACKUPS | /var/lib/openhab2/backups | root:root
URLs: http://192.168.1.10:8080
https://192.168.1.10:8443
Thanks
Ulf
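The two checks behind this question, as an added example that is not part of the post or of openHAB/InfluxDB: does the server certificate chain up to the CA, and does that CA sit in a truststore of trusted anchors rather than in a keystore holding an identity (the listing above shows the PrivateKeyEntry "mykey" next to the imported anchors). Java's client-side PKIX validation consults the JVM truststore (by default the JDK's cacerts file, overridable with -Djavax.net.ssl.trustStore), which is what PKIXValidator in the stack trace is walking. The script builds a throwaway private CA and server certificate so it runs offline; "Demo Root CA", "graphing.example.test", the $WORK directory and the alias "demo-root-ca" are constructed names, and the keytool part is skipped when no JDK is installed.

```shell
#!/bin/sh
# Added example, not from the original post or from openHAB/InfluxDB.
# Rebuilds the situation from the post with a throwaway private CA so both
# checks run offline: (1) does the server certificate chain to the CA, and
# (2) is that CA present as a trust anchor in a truststore a TLS client reads?
# All names below (Demo Root CA, graphing.example.test, demo-root-ca) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the Univention root CA and the InfluxDB server certificate.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=graphing.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/server.crt" >/dev/null 2>&1
}

# Check 1: path building, the same step Java's PKIXValidator performs.
# Prints OK when a chain from server.crt to a trusted CA exists, FAIL otherwise.
# Without -CAfile only the system default anchors are consulted, the private CA
# is unknown there, and openssl reports the same condition as
# "unable to find valid certification path to requested target".
verify_server_cert() {  # $1 = CA file to trust, or "" for the system default only
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify "$WORK/server.crt" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# SHA-1 fingerprint of a PEM certificate in keytool's AA:BB:... notation, so an
# entry shown by "keytool -list" can be matched against the CA file on disk.
fingerprint_sha1() {  # $1 = PEM certificate
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Check 2: the truststore. A keystore entry of type PrivateKeyEntry is an
# identity (what a server presents); the client-side check reads trustedCertEntry
# anchors from the JVM's truststore. This builds a PKCS12 truststore holding only
# the CA, the way a private CA is added to a JVM's trust anchors.
TRUST="$WORK/truststore.p12"
TRUST_PASS="changeit"   # conventional default password of the JDK cacerts file

has_keytool() { command -v keytool >/dev/null 2>&1; }

import_ca_into_truststore() {
  rm -f "$TRUST"
  keytool -importcert -noprompt -trustcacerts -alias demo-root-ca \
    -file "$WORK/ca.crt" -keystore "$TRUST" -storetype PKCS12 \
    -storepass "$TRUST_PASS" >/dev/null 2>&1
}

# Prints the number of trustedCertEntry anchors in the truststore.
count_trust_anchors() {
  keytool -list -keystore "$TRUST" -storepass "$TRUST_PASS" 2>/dev/null \
    | grep -c trustedCertEntry
}

main() {
  make_demo_pki
  echo "server.crt against system trust only : $(verify_server_cert "")"
  echo "server.crt against the private CA    : $(verify_server_cert "$WORK/ca.crt")"
  echo "CA SHA-1 fingerprint (compare with keytool -list): $(fingerprint_sha1 "$WORK/ca.crt")"
  if has_keytool; then
    import_ca_into_truststore
    echo "trust anchors in $TRUST: $(count_trust_anchors)"
  else
    echo "keytool not found; skipping the truststore import"
  fi
}
main "$@"
```

Against a live server the first check is the s_client run from the post: without -CAfile it reports a verify error, with the CA file it reports "Verification: OK", exactly as shown above. The Java equivalent of the second check is to list the truststore the JVM actually loads (the JDK's cacerts, or the file named by javax.net.ssl.trustStore) and confirm the CA's fingerprint appears there as a trustedCertEntry; a CA imported into a different keystore file is never consulted by the client handshake.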