
CVE subscription certificate issue

Hi,

I have set up the proxy as in my previous thread, and now the subscription goes through my proxy server. This is the error I get in the subscription log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I had a look at the documentation https://www.novell.com/documentation/zenworks-2020/zen_cm_subscriptions/data/buixqge.html

But for the CVE subscription I don't have the menu to import the certificate.

Did I miss something?


Regards


Stephane


    Hi Stephane,


    For the CVE subscription that should not be required; I presume you use the default URL for the feed (https://nvd.nist.gov/feeds/).


    Do you have anything in between which does SSL inspection perhaps? Or does the proxy do something to the certificate getting returned?

    It would help to see the full exception, if possible, from the loader-messages.log.


    Regards,
    Johan


    Yes, I have SSL content inspection. So should I do an exception for that?

    Here are the loader messages:

    [TRACE] [04/29/2020 16:49:08.880] [1410] [ZENLoader] [246] [] [Loader.Subscription Replication Handler] [] [com.novell.zenworks.datamodel.exceptions.InternalDataModelException: Replication failed for: CVE Abonnementjavax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


    Exception is probably easiest, since it breaks the certificate chain as seen in the log: "unable to find valid certification path to requested target"


    Below is some extra info regarding SSL inspection in combination with ZENworks, as this can also cause problems with external agents communicating with the server behind an SSL inspection firewall.


    In 2017 Update 4 we added the option to add an extra external CA to the zentruststore for configurations such as SSL inspection.

    Below is some info from the bug report on this.

    ==================================
    Run the configure action command from the primary server system prompt
    novell-zenworks-configure -c AddExternalCAToTrustStore
    Make sure you have the external CA certificate available before initiating the configure action.
    Follow the options and provide valid data. Below lines indicate that external CA is successfully added to zone’s trusted store.

    /////////////console log/////////////////
    ******************************************************************************
    ShowImportExternalCertificateWarningConfigureAction complete!
    [2018.09.25-14:55:04] FINE: FirstServerConfigureAction complete!

    ******************************************************************************
    FirstServerConfigureAction complete!
    [2018.09.25-14:55:04] FINE: ZoneAuthConfigureAction complete!

    ******************************************************************************
    ZoneAuthConfigureAction complete!
    [2018.09.25-14:55:04] FINER: Importing external CA to trust store starting...
    [2018.09.25-14:55:04] INFO: AddExternalCAToTrustStore complete!

    ******************************************************************************
    AddExternalCAToTrustStore complete!
    /////////////console log/////////////////


    This can be verified using the keytool command. On the server console, run the command below:
    /opt/novell/zenworks/share/jdk/bin/keytool -list -v -keystore /etc/opt/novell/zenworks/security/zenCaCertStore > output.txt

    It will ask for a password; just hit Enter, as we only want to view the keystore entries.

    In output.txt you can see that the certificate with the given alias is added (search for the alias you gave when the configure action novell-zenworks-configure -c AddExternalCAToTrustStore was run).
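Not part of the thread: an added shell check for the verification step described above (alias present in zenCaCertStore), extended to compare the stored certificate's SHA-256 fingerprint with the PEM file that was imported, since an alias that exists but holds the wrong certificate still leaves the PKIX error in place. The keystore and keytool paths are the ones quoted in the post; the alias "myproxyca", the fingerprints and the PEM filename are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Micro Focus). After running
# `novell-zenworks-configure -c AddExternalCAToTrustStore`, confirm that the
# inspection CA is really in zenCaCertStore and that it is the same certificate
# as the PEM you imported. Keystore and keytool paths are the ones quoted in
# the thread; the alias "myproxyca" and the fingerprints are constructed.

KEYTOOL=/opt/novell/zenworks/share/jdk/bin/keytool
KEYSTORE=/etc/opt/novell/zenworks/security/zenCaCertStore

# Read `keytool -list -v` output on stdin; print "alias sha256" for each
# trustedCertEntry (private-key entries are skipped, they are not trust anchors).
trusted_fingerprints() {
    awk '/^Alias name: / { sub(/^Alias name: /, ""); alias = $0 }
         /^Entry type: / { trusted = ($3 == "trustedCertEntry") }
         $1 == "SHA256:" && trusted { print alias, $2 }'
}

# store_has_ca ALIAS EXPECTED_SHA256 < listing
# 0 = alias present with matching fingerprint; 1 = alias missing;
# 2 = alias present but a different certificate (wrong PEM imported).
store_has_ca() {
    actual=$(trusted_fingerprints | awk -v a="$1" '$1 == a { print $2; exit }')
    [ -z "$actual" ] && return 1
    [ "$actual" = "$2" ] && return 0
    return 2
}

# Constructed listing in the format keytool -list -v prints (abridged).
SAMPLE_LISTING='Alias name: zoneca
Entry type: trustedCertEntry
Certificate fingerprints:
	 SHA1: 11:22:33
	 SHA256: AA:BB:CC
Alias name: myproxyca
Entry type: trustedCertEntry
Certificate fingerprints:
	 SHA1: 44:55:66
	 SHA256: DD:EE:FF'

# On a primary server, replace the sample with the real store (empty password,
# as in the thread) and the expected value with the fingerprint of your PEM:
#   FP=$(openssl x509 -in inspection-ca.pem -noout -fingerprint -sha256 | cut -d= -f2)
#   "$KEYTOOL" -list -v -keystore "$KEYSTORE" > output.txt
#   store_has_ca myproxyca "$FP" < output.txt
printf '%s\n' "$SAMPLE_LISTING" | store_has_ca myproxyca DD:EE:FF && echo "myproxyca OK"
```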


    Well, I am still having the issue. I added my external CA as documented.

    But I still get the same issue. I will investigate with my security guy.

    Thanks for the help

    Stéphane