By: Sakit Atakishiyev user 30 Dec 2022 at 4:02 p.m. CST

4 Responses
Hello, I followed this https://gluu.org/docs/gluu-server/4.4/installation-guide/cluster/ documentation, installed two Gluu instances and replicated them. Everything worked normally after replication was configured. After executing the step below I restarted my second Gluu instance, and then the oxAuth and identity modules could not connect to LDAP, even though LDAP works normally and replication is still working. The reason is that when oxAuth or the identity module tries to establish a connection, it fails because of a bad certificate. Please check the error as well.

```shell
cd /opt/opendj/config
tar -cf opendj_crts.tar keystore keystore.pin truststore
```

Which certificate should oxTrust and the identity server send to LDAP to establish the connection?

```
2022-12-30 21:42:25,774 ERROR [main] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:95) - Failed to create connection pool with properties: {binaryAttributes=objectGUID, bindPassword=REDACTED, connection-pool.health-check.max-response-time-millis=20000, servers=localhost:1636, maxconnections=10, connection.max-age-time-millis=1800000, connection.max-wait-time-millis=20000, certificateAttributes=userCertificate, connection-pool.health-check.on-checkout.enabled=false, useSSL=true, ssl.trustStoreFormat=pkcs12, bindDN=cn=directory manager, connection-pool.health-check.interval-millis=180000, ssl.trustStoreFile=/etc/certs/opendj.pkcs12, ssl.trustStorePin=REDACTED}
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server localhost:1636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server localhost/127.0.0.1:1636: SSLHandshakeException(PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed), ldapSDKVersion=6.0.6, revision=b8c6c463def55758ed8ec0d914c84268c944251c'))
	at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:943) ~[unboundid-ldapsdk-6.0.6.jar:6.0.6]
	at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.createConnectionPoolImpl(LdapConnectionProvider.java:278) ~[gluu-orm-ldap-4.4.2.Final.jar:?]
	... (remaining stack frames omitted)
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server localhost/127.0.0.1:1636: SSLHandshakeException(PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed), ldapSDKVersion=6.0.6, revision=b8c6c463def55758ed8ec0d914c84268c944251c')
	at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:204) ~[unboundid-ldapsdk-6.0.6.jar:6.0.6]
	... 113 more
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server localhost/127.0.0.1:1636: SSLHandshakeException(PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed), ldapSDKVersion=6.0.6, revision=b8c6c463def55758ed8ec0d914c84268c944251c
	at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:287) ~[unboundid-ldapsdk-6.0.6.jar:6.0.6]
	... 113 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
	at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
	... (stack frames omitted)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369) ~[?:?]
	... (stack frames omitted)
Caused by: java.security.cert.CertPathValidatorException: signature check failed
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:?]
	... (stack frames omitted)
Caused by: java.security.SignatureException: Signature does not match.
	at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:422) ~[?:?]
	at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166) ~[?:?]
	... (stack frames omitted)
```

By Sakit Atakishiyev user 31 Dec 2022 at 4:39 a.m. CST

Thanks @Michael.Schwartz for your response. But I don't think this is a question specific to clustering. Clustering works as expected. It seems there is missing/wrong information in the public documentation, and this causes the system not to work properly, because before replacing the keystore and keystore.pin files under /etc/opendj/config everything worked normally; even the cluster works after replacing them. The only problem is that oxAuth and the identity server could not connect to the LDAP server on the secondary and other nodes because of a bad certificate.

By Sakit Atakishiyev user 31 Dec 2022 at 10:51 a.m. CST

https://raw.githubusercontent.com/GluuFederation/cluster-mgr/master/manual_install/keystore_Config.py this path also does not exist. Even if you don't answer the clustering question, at least the public documentation should work as expected, shouldn't it?

By Sakit Atakishiyev user 31 Dec 2022 at 12:25 p.m. CST

I solved the problem by copying the /opt/jre/lib/security/cacerts file from the primary node to the other nodes and restarting them, and then everything started to work. Most probably I missed running the keystore_config.py part, but that file is not accessible.

By Michael Schwartz Account Admin 11 Jan 2023 at 1:47 p.m. CST

That makes sense. The LDAPS certificate of course is self-signed, so oxAuth needs to trust it.
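A diagnostic for the situation in this thread, added here as an example (it is not Gluu project code and was not posted by anyone in the thread): it compares the certificate the LDAPS listener presents with the trusted entries in the JRE cacerts file that was copied between nodes, and says which PKIX error a Java client will report. It goes one step beyond the thread by also covering the case where no anchor matches at all. The trust-store path, port 1636, the store password `changeit`, and the sample keytool/openssl output are assumptions or constructed data.

```python
"""Check whether a Java trust store trusts the certificate an LDAPS listener
presents, and name the PKIX error to expect when it does not.

Added example, not code from the Gluu project or this thread. Assumes keytool
and openssl on PATH, the JRE cacerts file the thread copied between nodes as
the trust store, and the JRE default store password 'changeit'."""
import re
import subprocess

TRUSTSTORE = "/opt/jre/lib/security/cacerts"  # path from the thread's fix
LDAPS_ENDPOINT = "localhost:1636"              # 'servers=' value in the logged properties


def normalize_dn(dn):
    """Canonicalise a DN so keytool ('CN=a, O=b') and openssl ('CN = a, O = b',
    or the old '/CN=a/O=b') renderings compare equal (escaped commas not handled)."""
    dn = dn.strip().lstrip("/").replace("/", ",")
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(",") if p.strip())


def parse_keytool_list(text):
    """Parse 'keytool -list -v' output into {alias, owner, sha256} records."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            if cur:
                entries.append(cur)
            cur = {"alias": line.split(":", 1)[1].strip()}
        elif line.startswith("Owner:"):
            cur["owner"] = normalize_dn(line.split(":", 1)[1])
        elif line.startswith("SHA256:"):  # under 'Certificate fingerprints:'
            cur["sha256"] = line.split(":", 1)[1].strip().upper()
    return entries + [cur] if cur else entries


def parse_openssl_x509(text):
    """Parse 'openssl x509 -noout -subject -fingerprint -sha256' output."""
    info = {}
    for line in text.splitlines():
        if line.lower().startswith("subject="):
            info["subject"] = normalize_dn(line.split("=", 1)[1])
        elif "Fingerprint=" in line:
            info["sha256"] = line.split("=", 1)[1].strip().upper()
    return info


def diagnose(server, anchors):
    """Map trust-store state to the PKIX failure a Java client reports. A self-signed
    LDAPS cert is trusted only if that exact cert is an anchor; an anchor with the same
    subject but another key is chosen as issuer and then fails signature verification."""
    for a in anchors:
        if a.get("sha256") == server["sha256"]:
            return "trusted: server certificate is anchor '%s'" % a["alias"]
    for a in anchors:
        if a.get("owner") == server["subject"]:
            return ("stale anchor '%s': same subject, different key; expect "
                    "'PKIX path validation failed: signature check failed'" % a["alias"])
    return "missing anchor: expect 'unable to find valid certification path to requested target'"


def diagnose_live(truststore=TRUSTSTORE, pin="changeit", endpoint=LDAPS_ENDPOINT):
    """Run keytool and openssl on this host and diagnose the live LDAPS listener."""
    run = lambda cmd, stdin="": subprocess.run(cmd, input=stdin, capture_output=True, text=True).stdout
    keytool = run(["keytool", "-list", "-v", "-keystore", truststore, "-storepass", pin])
    pem = run(["openssl", "s_client", "-connect", endpoint])  # server chain as PEM
    x509 = run(["openssl", "x509", "-noout", "-subject", "-fingerprint", "-sha256"], pem)
    return diagnose(parse_openssl_x509(x509), parse_keytool_list(keytool))


# Constructed sample output (fingerprints are fake): node 2's cacerts still holds
# its own OpenDJ cert while OpenDJ now serves the keystore copied from node 1.
SAMPLE_KEYTOOL = """\
Alias name: ldap_opendj
Owner: CN=gluu.example.com, O=Gluu, C=US
Issuer: CN=gluu.example.com, O=Gluu, C=US
Certificate fingerprints:
\t SHA1: 11:11:11:11
\t SHA256: AA:AA:AA:AA
"""
SAMPLE_OPENSSL = "subject=CN = gluu.example.com, O = Gluu, C = US\nSHA256 Fingerprint=BB:BB:BB:BB\n"

if __name__ == "__main__":
    print(diagnose(parse_openssl_x509(SAMPLE_OPENSSL), parse_keytool_list(SAMPLE_KEYTOOL)))
```

Run `diagnose_live()` on the node that fails; on the thread's second node it would report the stale-anchor case until cacerts is replaced, after which the same call reports the certificate as trusted.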