Graylog to nucool integration issue (Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

Nitin · April 14, 2022, 11:59am

# keytool -importcert -keystore /usr/local/openjdk-8/lib/security/cacerts.jks -storepass changeit -alias graylog-self-signed -file /etc/ssl/certs/onsrbh-serv-netcoole-DU09.tlabs.ca.pem
Owner: CN=onsrbh-serv-netcoole-DU09.tlabs.ca, OU=World Class Assurance Team, O=TELUS, L=Toronto, ST=Ontario, C=CA
Issuer: CN=TCSO-issuing-CA, DC=corp, DC=ads
Serial number: 2d00013c40af2bedbaa63d9342000000013c40
Valid from: Thu Apr 07 14:55:59 UTC 2022 until: Fri Apr 05 09:00:00 UTC 2024
Certificate fingerprints:
         SHA1: 96:A8:48:B6:E5:9E:31:E1:04:30:63:F6:A6:9D:46:E5:A4:8F:AF:66
         SHA256: D1:48:0B:B9:C3:29:A3:7B:39:7B:A8:A1:28:B9:BF:71:83:83:FA:0F:1D:6F:53:3D:62:C1:10:45:8F:C5:6E:53
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 18 30 0A 06 08 2B 06   01 05 05 07 03 02 30 0A  0.0...+.......0.
0010: 06 08 2B 06 01 05 05 07   03 01                    ..+.......


#2: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30 2D 06 25 2B 06 01 04   01 82 37 15 08 81 B4 BB  0-.%+.....7.....
0010: 4F 81 D6 DF 7D 87 CD 87   35 81 8A FC 52 85 C2 FA  O.......5...R...
0020: 2B 22 9E FA 3C 86 F2 8D   13 02 01 64 02 01 19     +"..<......d...


#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:///CN=TCSO-issuing-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=corp,DC=ads?cACertificate?base?objectClass=certificationAuthority
,
   accessMethod: caIssuers
   accessLocation: URIName: http://btwp013980/cdp/btwp013979.corp.ads_TCSO-issuing-CA.crt
,
   accessMethod: caIssuers
   accessLocation: URIName: http://btwp013983/cdp/btwp013979.corp.ads_TCSO-issuing-CA.crt
,
   accessMethod: caIssuers
   accessLocation: URIName: http://wp81174/cdp/btwp013979.corp.ads_TCSO-issuing-CA.crt
,
   accessMethod: caIssuers
   accessLocation: URIName: http://wp81175/cdp/btwp013979.corp.ads_TCSO-issuing-CA.crt
,
   accessMethod: caIssuers
   accessLocation: URIName: http://tcsocdp.tsl.telus.com/CertEnroll/btwp013979.corp.ads_TCSO-issuing-CA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://tcsocdp.tsl.telus.com/ocsp
]
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AB 49 AF B3 5D A1 42 D3   4A E4 7D 7D B4 93 D9 7B  .I..].B.J.......
0010: C3 2B ED EF                                        .+..
]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:///CN=TCSO-issuing-CA,CN=btwp013979,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=corp,DC=ads?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://tcsocdp.tsl.telus.com/CertEnroll/TCSO-issuing-CA.crl, URIName: http://btwp013980/cdp/TCSO-issuing-CA.crl, URIName: http://btwp013983/cdp/TCSO-issuing-CA.crl, URIName: http://wp81174/cdp/TCSO-issuing-CA.crl, URIName: http://wp81175/cdp/TCSO-issuing-CA.crl]
]]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#7: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: onsrbh-serv-netcoole-DU09.tlabs.ca
  DNSName: onsrbh-serv-netcoole-DU09
  IPAddress: 172.18.102.20
  IPAddress: 172.18.72.210
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD B5 8A 68 08 78 DC 8B   AF 13 F3 05 CE 60 18 83  ...h.x.......`..
0010: 68 68 33 C8                                        hh3.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
# keytool -keystore /usr/local/openjdk-8/lib/security/cacerts.jks -storepass changeit -list | grep graylog-self-signed -A1
graylog-self-signed, Apr 14, 2022, trustedCertEntry,
**Certificate fingerprint (SHA-256): D1:48:0B:B9:C3:29:A3:7B:39:7B:A8:A1:28:B9:BF:71:83:83:FA:0F:1D:6F:53:3D:62:C1:10:45:8F:C5:6E:53**
#

when i import the self singed certiticate i can see both SHA1 and sha256 certificate fingerprint … while listing i can see certifiacte fingerprint match with sha256 and as per graylog document it should match with SHA1 …is it expected behavior or i have to change the certifiacte format

Topic		Replies	Views
PKIX path building failed unable to find valid certifcate pathto requested target in a Graylog running on POD Graylog Central (peer support)	6	4144	October 1, 2021
Cert Path error when testing HTTP notification Graylog Central (peer support)	4	464	May 5, 2021
Graylog-server v4.0.7-1 - sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Graylog Central (peer support)	5	4519	June 8, 2021
PKIX path building failed Graylog Central (peer support)	2	2527	March 3, 2018
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Graylog Central (peer support)	5	2308	June 7, 2023

Graylog to nucool integration issue (Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

Related Topics