"PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

mr_tps
Posts: 8
Joined: Tue Mar 19, 2019 5:46 am

"PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by mr_tps »

Setting up Zimbra mail server with an OpenIDConsumer setup.
I am following the instructions at this link: https://wiki.zimbra.com/wiki/Authentica ... IDConsumer

But while executing the link below, an error is created.

<zimbra_host_base_url>/service/extensio ... dentifier>

In zmmailboxd.out on the mail server, it returns this error:

Code:

2019-03-23 08:42:40.526:WARN:oejs.ServletHandler:qtp1935637221-278:https:https://<zimbra_host_base_url>/service/extension/openid/consumer?openid_identifier=<user-supplied-identifier>:
javax.servlet.ServletException: 0x704: I/O transport error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.authRequest(OpenIDConsumerHandler.java:267)
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.doPost(OpenIDConsumerHandler.java:135)
        at com.zimbra.cs.security.openid.consumer.OpenIDConsumerHandler.doGet(OpenIDConsumerHandler.java:123)
        at com.zimbra.cs.extension.ExtensionDispatcherServlet.service(ExtensionDispatcherServlet.java:111)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: "PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by DualBoot »

Maybe a problem related to a self-signed certificate.
mr_tps
Posts: 8
Joined: Tue Mar 19, 2019 5:46 am

Re: "PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by mr_tps »

That I know, thanks, but how to prevent it on the dev server?
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: "PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by DualBoot »

You need to import the self-signed certificate into each keystore of the Zimbra servers.
JDunphy
Outstanding Member
Posts: 898
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: "PKIX path building failed: Unable to find Certificate" Zimbra mail server OpenidConsumer

Post by JDunphy »

Perhaps this:

http://forums.zimbra.org/viewtopic.php? ... 4&start=10
Research keytool

Example of adding intermediate cert to java keystore with letsencrypt intermediate ... but link above shows how to add your own private CA.

Code:

# su - zimbra
% wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O lets.pem
% /opt/zimbra/common/bin/keytool -import -alias letsenc-ca -keystore /opt/zimbra/common/etc/java/cacerts -storepass changeit -file lets.pem
% /opt/zimbra/bin/zmcertmgr verifycrt comm private.key your.crt intermediate.crt

Generally, it is easier to chain these and have zmcertmgr attempt to do the right thing, so I don't add an intermediate this way myself with keytool... except with self-signed, which requires you to follow some arcane set of steps with zmcertmgr that I always forget, which is why people try keytool directly as the first link does. :-)
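
An added example, not part of the thread or of Zimbra's tooling: a wrapper around the keytool import discussed above that refuses to trust a downloaded CA file unless its SHA-256 fingerprint matches one obtained out of band, and skips the import when the alias is already present. The keytool and cacerts paths are the ones quoted in the thread; the function names, the alias and the expected-fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are the ones quoted in the post;
# function names, alias and expected fingerprint are assumptions.
KEYTOOL=${KEYTOOL:-/opt/zimbra/common/bin/keytool}
CACERTS=${CACERTS:-/opt/zimbra/common/etc/java/cacerts}
STOREPASS=${STOREPASS:-changeit}

# Lowercase hex, no colons or spaces, so fingerprints compare as plain strings.
normalise_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# SHA-256 fingerprint of a PEM certificate; prints nothing if it cannot be read.
cert_sha256() {
    normalise_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//')"
}

# Succeeds only if the file parses as a certificate AND matches the expected
# fingerprint. An unreadable file or an empty expectation never matches.
fingerprint_matches() {
    actual=$(cert_sha256 "$1")
    expected=$(normalise_fp "$2")
    [ -n "$actual" ] && [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# import_ca <pem-file> <alias> <expected-sha256>
# Returns 0 on import or if the alias already exists, 2 on fingerprint mismatch.
import_ca() {
    pem=$1; ca_alias=$2; want=$3
    if ! fingerprint_matches "$pem" "$want"; then
        echo "refusing to import $pem: fingerprint does not match" >&2
        return 2
    fi
    if "$KEYTOOL" -list -alias "$ca_alias" -keystore "$CACERTS" \
            -storepass "$STOREPASS" >/dev/null 2>&1; then
        echo "alias $ca_alias already in $CACERTS, nothing to do"
        return 0
    fi
    # Keep a timestamped copy so the trust store can be rolled back.
    cp -p "$CACERTS" "$CACERTS.bak.$(date +%Y%m%d%H%M%S)" || return 1
    "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$ca_alias" \
        -keystore "$CACERTS" -storepass "$STOREPASS" -file "$pem"
}
```

Source the file and call `import_ca lets.pem letsenc-ca <expected-sha256>`; the JVM reads its trust store at startup, so mailboxd has to be restarted before the OpenID consumer sees the new CA.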