fabric8 icon indicating copy to clipboard operation
fabric8 copied to clipboard

Published 20 hours ago verified publisher icon fabric8io

Can't find valid certification path

Open rajdavies opened this issue 9 years ago • 7 comments

javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://172.30.0.2:443/api/v1/namespaces/default/pods: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:557) at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:539) at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:676) at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:224) at com.sun.proxy.$Proxy52.getPods(Unknown Source) at io.fabric8.kubernetes.api.KubernetesClient.getPods(KubernetesClient.java:200) at io.fabric8.kubernetes.api.KubernetesHelper.getFilteredPodMap(KubernetesHelper.java:578) at io.fabric8.kubernetes.api.KubernetesHelper.getSelectedPodMap(KubernetesHelper.java:570)

rajdavies avatar Jun 20 '15 11:06 rajdavies

See how this is done in Jenkins app. Either set env var KUBERNETES_TRUST_CERT=true or set KUBERNETES_CA_CERTIFICATE_FILE iirc to correct path to secret (something like /etc/secret-volume/root-cert). You'll also need to ensure you run with the fabric8 service account. Jenkins app is a good example I think.

jimmidyson avatar Jun 20 '15 11:06 jimmidyson

Agreed. Copy paste this in your Pom.xml to get the service account & certs https://github.com/fabric8io/quickstarts/blob/master/apps/jenkins/pom.xml#L78-L81

Then the env vars get defined here: https://github.com/fabric8io/quickstarts/blob/master/apps/jenkins/src/main/fabric8/env.properties#L2-L3

jstrachan avatar Jun 20 '15 11:06 jstrachan

Somehow K8S api works for one user, but fails with this exception for another (shell-less username on Ubuntu).

Maybe anyone could briefly explain why this doesn't work out-of-box? I tend to think something is broken on system/jdk level.

ibalashov avatar Aug 14 '16 10:08 ibalashov

Setting KUBERNETES_TRUST_CERT=true as system property solved it.

ibalashov avatar Aug 15 '16 06:08 ibalashov

I visited this issue too,while running on the latest release (v0.4.121). Fyi, the links above are broken.

Could you please provide some information how this issue can be handled? If the environment variable is the proper workaround, where should I specify it?

sermojohn avatar Apr 19 '17 09:04 sermojohn

Having this same error on a Windows environment, setting the variable didn't solve the problem

hodrigohamalho avatar Dec 20 '17 13:12 hodrigohamalho

Same problem on Mac when running within telepresence.io

cesartl avatar Apr 04 '18 11:04 cesartl