Zookeeper quorum. PKIX path building failed. Unable to find valid certification path to requested target
Zookeeper acts as a server and configured with keystore, which has server certificate. Certificate chain in my keystore looks like below:
MyIntermediateCert (signed by MyRootCertificate)
MyZookeeperCertificate (signed by MyIntermediateCert)
Another parameter defined is truststore, in which I have only root CA MyRootCertificate.
While zk is starting I see in logs that external connection is configured with TLS everything is fine, however when nodes of zk trying to build quorum and try communicate with each other - i receive classic TLS exception while TLS handshake between client and server.
Exception caught
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
ssl.quorum.hostnameVerification is false, I don't need hostname verification between nodes.
My expectation was that client sends request to server (call from one node to another), it receives certificate chain which includes server cert and intermediate cert (sign by CA), and this chain is validated in front of my trust store that includes CA.
This CA by the way is self generated by the way.
What I am missing?
I think I found the issue.
Problem is that my Intermediate Certificate does not include key identifier value in it's AKI extension, which should point to the root CA. It should be something like this:
- Restricting access to static files in Django/Nginx
- Does RabbitMQ allow Audit Logging
- Powershell Set-MpPreference -DisableRealtimeMonitoring $true not working correctly
- Why are iframes considered dangerous and a security risk?
- Secure Google Cloud Functions http trigger with auth
- How do I get the currently loggedin Windows account from an ASP.NET page?
- Error Importing SSL certificate : Not an X.509 Certificate
- Full text search on encrypted data
- It is necessary to send the JWT token from the browser page to the server
- Is it possible to use double @ in an email address?
- How to replicate the RuntimeDefault seccompProfile in Kubernetes to run in Docker?
- Difference between processes running in kernel mode and running as root?
- Why is it okay to transmit authentication/session cookies over plaintext?
- How to handle .env.local in a next js typescript file?
- How does Maven 3 password encryption work?
- Do we need encrypt session id before saving it into database
- Any point in using a paid threat intelligence service over Google's Lookup API for detecting malicious URLs?
- How to securely update configuration for root password in yocto?
- how to secure and encrypt setting.xml paswords file in maven?
- How to convert a PKCS#8 encoded RSA key into PKCS#1 in Java?
- Vector securely erasing its memory
- How to safely run user-supplied Javascript code inside the browser?
- curl - Is data encrypted when using the --insecure option?
- ZAP Dynamic SSL certificate option is not available
- how to implement the Eurion constellation security measure
- How can I sanitize user input with PHP?
- Security threats when using bar() vs bar(void)
- Is exposing a session's CSRF-protection token safe?
- is electron's `safeStorage` for passwords and login credentials?
- Encrypting/decrypting some file types with Rijndael 256 (CakePHP Security library) garbles contents