Facing error while initialising ca schema #299

Closed
sanjiths opened this issue Oct 5, 2023 · 5 comments

sanjiths commented Oct 5, 2023

mysql backend is enabled with TLS:1.3

Facing below error while initialising ca schema:
karaf@root()> ca:sql --db-conf /opt/tomcat/xipki/etc/ca/database/ca-db.properties /home/causer/xipki-mgmt-cli-6.3.0/xipki/sql/ca-init.sql
[ WARN] (pipe-ca:sql --db-conf /opt/tomcat/xipki/etc/ca/database/ca-db.properties /home/causer/xipki-mgmt-cli-6.3.0/xipki/sql/ca-init.sql) useSsl option is deprecated, replaced by option sslMode
[ WARN] (pipe-ca:sql --db-conf /opt/tomcat/xipki/etc/ca/database/ca-db.properties /home/causer/xipki-mgmt-cli-6.3.0/xipki/sql/ca-init.sql) disableSslHostnameVerification option is deprecated, replaced by setting option sslMode=verify-ca
[ WARN] (pipe-ca:sql --db-conf /opt/tomcat/xipki/etc/ca/database/ca-db.properties /home/causer/xipki-mgmt-cli-6.3.0/xipki/sql/ca-init.sql) useSsl option is deprecated, replaced by option sslMode
[ WARN] (pipe-ca:sql --db-conf /opt/tomcat/xipki/etc/ca/database/ca-db.properties /home/causer/xipki-mgmt-cli-6.3.0/xipki/sql/ca-init.sql) disableSslHostnameVerification option is deprecated, replaced by setting option sslMode=verify-ca

In ca-db.properties, I have configured the datasource URL with tls options.
dataSource.url = jdbc:mariadb://zts-cmdb:3306/ca?user=ca&password=azUA5XIutZCscO1w&useSSL=true&trustStore=/home/causer/keystore&trustStorePassword=RWxPZ1B0Rm5iaVBDV3dGdw==&keyStore=/home/causer/keystore&keyStorePassword=RWxPZ1B0Rm5iaVBDV3dGdw==&enabledSslProtocolSuites=TLSv1.3&disableSslHostnameVerification=true

This was working with xipki-5.3.0v

Based on the error seen, I tried using "sslMode=verify-ca" but it doesn't work:
dataSource.url = jdbc:mariadb://zts-cmdb:3308/ca?user=ca&password=azUA5XIutZCscO1w&trustStore=/home/causer/keystore&trustStorePassword=RWxPZ1B0Rm5iaVBDV3dGdw==&keyStore=/home/causer/keystore&keyStorePassword=RWxPZ1B0Rm5iaVBDV3dGdw==&enabledSslProtocolSuites=TLSv1.3&sslMode=verify-ca

Could you pls share a working configuration?
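
The option migration that the driver warnings above ask for, as an added example that is not part of the original post or of xipki: it folds the deprecated `useSsl` / `disableSslHostnameVerification` flags into a single `sslMode` and masks secret values before a datasource URL is shared. The function names and the sample URL are constructed for illustration; mapping `useSsl=true` on its own to `verify-full` is an assumption about the MariaDB JDBC driver, not something stated on this page.

```python
# Added example: rewrite deprecated MariaDB JDBC TLS flags and redact secrets.
SECRET_KEYS = {"password", "truststorepassword", "keystorepassword"}
DEPRECATED = {"usessl", "disablesslhostnameverification"}


def _split(url):
    """Split a JDBC URL into its base and raw (undecoded) key/value pairs."""
    base, _, query = url.partition("?")
    return base, [p.partition("=")[::2] for p in query.split("&") if p]


def _join(base, pairs):
    """Rebuild the URL; values are emitted exactly as they were read."""
    return base + "?" + "&".join(f"{k}={v}" for k, v in pairs) if pairs else base


def migrate_tls_options(url):
    """Return (new_url, ssl_mode) with the deprecated flags replaced by sslMode."""
    base, pairs = _split(url)
    flags = {k.lower(): v for k, v in pairs}
    kept = [(k, v) for k, v in pairs if k.lower() not in DEPRECATED]
    mode = flags.get("sslmode")  # an explicit sslMode always wins
    if mode is None and flags.get("usessl", "").lower() == "true":
        if flags.get("disablesslhostnameverification", "").lower() == "true":
            mode = "verify-ca"    # per the warning: chain checked, host name not
        else:
            mode = "verify-full"  # assumption: driver equivalent of useSsl=true
        kept.append(("sslMode", mode))
    return _join(base, kept), mode


def redact(url):
    """Mask secret option values so the URL can go into a log or bug report."""
    base, pairs = _split(url)
    return _join(base, [(k, "***" if k.lower() in SECRET_KEYS else v)
                        for k, v in pairs])


# Constructed sample URL: host, paths and passwords are placeholders.
SAMPLE = ("jdbc:mariadb://db.example:3306/ca?user=ca&password=PLACEHOLDER"
          "&useSSL=true&trustStore=/path/to/truststore"
          "&trustStorePassword=PLACEHOLDER==&enabledSslProtocolSuites=TLSv1.3"
          "&disableSslHostnameVerification=true")

if __name__ == "__main__":
    new_url, mode = migrate_tls_options(SAMPLE)
    print(mode)
    print(redact(new_url))
```

With `verify-ca` the driver still has to build a certificate path from the server's chain to a trusted CA, so this rewrite only removes the deprecation warnings.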

Author

sanjiths commented Oct 5, 2023

With new configuration shared in description, it fails with err:
karaf@root()> ca:sql --db-conf /opt/tomcat/xipki/etc/ca/database/ca-db.properties /home/causer/xipki-mgmt-cli-6.3.0/xipki/sql/ca-init.sql
Error executing command: Failed to initialize pool: (conn=82) Could not connect to zts-cmdb:3308 : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Owner

xipki commented Oct 5, 2023

This is an issue related to the mariadb database. The different behaviors may be caused by different versions of mariadb-jdbc-client.

This link helps you understand the cause: https://blog.packagecloud.io/solve-unable-to-find-valid-certification-path-to-requested-target/

Owner

xipki commented Nov 21, 2023

Any update?

@sanjiths
Author

I am currently trying to install xipki 6.5.0 snapshot version with non-tls mode. Let me try with TLS once this is successful.

Owner

xipki commented Dec 16, 2023

Close this issue since it is a mysql problem.

xipki closed this as completed Dec 16, 2023