VMware GemFire error: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Article ID: 294435

Products

VMware Tanzu Gemfire

Issue/Introduction

When you keep multiple certificates in one keystore but do not import all of their certificates into your truststore, you will see the following exception when starting the locator with jmx-manager=true (the default for a locator):
[pivhdsne:gemfire97ssl]$ ./startlocator.sh 
.......
Locator in /home/gpadmin/apps/gemfire97ssl/locator on pivhdsne[23456] as locator is currently online.
Process ID: 93192
Uptime: 9 seconds
Geode Version: 9.7.3
Java Version: 1.8.0_60
Log File: /home/gpadmin/apps/gemfire97ssl/locator/locator.log
JVM Arguments: -DgemfirePropertyFile=/home/gpadmin/apps/gemfire97ssl/config/gemfire-locator.properties -DgemfireSecurityPropertyFile=/home/gpadmin/apps/gemfire97ssl/config/gemfire-security.properties -Dgemfire.enable-cluster-configuration=true -Dgemfire.load-cluster-configuration-from-dir=false -Djavax.net.debug=ssl:all:verbose -Dgemfire.jmx-manager=true -Dgemfire.launcher.registerSignalHandlers=true -Djava.awt.headless=true -Dsun.rmi.dgc.server.gcInterval=9223372036854775806 -Dgemfire.OSProcess.DISABLE_REDIRECTION_CONFIGURATION=true
Class-Path: /home/gpadmin/apps/pivotal-gemfire-9.7.3/lib/geode-core-9.7.3.jar:/home/gpadmin/apps/pivotal-gemfire-9.7.3/lib/geode-dependencies.jar:/home/gpadmin/apps/pivotal-gemfire-9.7.3/extensions/gemfire-greenplum-3.4.0.jar

SSL configuration required to connect to the Manager.

Failed to connect; unknown cause: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown]

gfsecurity.properties example:
ssl-default-alias=gemfire-client-key
ssl-require-authentication=true
ssl-enabled-components=all
ssl-keystore=/example/ssl/certs.jks
ssl-keystore-password=gemfire
ssl-truststore=/example/ssl/truststore.jks
ssl-truststore-password=gemfire


Environment

Product Version: Other

Resolution

This is a known issue in the ssl-default-alias property support for JMX connections, such as the JMX Manager component in GemFire: the alias configured in ssl-default-alias is not honored for the JMX connection, so the certificate the Manager presents is not the one the truststore was built for. Please refer to the following Geode Jira: https://issues.apache.org/jira/browse/GEODE-7022


Workaround

The quick workaround is to import every certificate from the keystore named by ssl-keystore into the truststore named by ssl-truststore, so that the JMX connection validates whichever certificate from that keystore the Manager presents. Do this only when every key entry in that keystore is your own: the truststore will then trust each of those identities, not just the one named by ssl-default-alias.
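The workaround above, written out as a keytool procedure. This is an added example and not part of the original article or of GemFire itself; the keystore and truststore paths and the store password are taken from the gfsecurity.properties example above and can be overridden through the environment. It lists the aliases in the keystore, exports each entry's certificate in PEM form and imports it into the truststore under the same alias, skipping aliases the truststore already holds.

```shell
#!/bin/sh
# Added example: copy every certificate held in a GemFire keystore into the
# truststore, so the JMX Manager's certificate is trusted regardless of which
# alias it actually uses (GEODE-7022). Paths/password below are assumptions
# matching the article's gfsecurity.properties example.
KEYSTORE="${KEYSTORE:-/example/ssl/certs.jks}"
TRUSTSTORE="${TRUSTSTORE:-/example/ssl/truststore.jks}"
STOREPASS="${STOREPASS:-gemfire}"

# Parse alias names out of `keytool -list` output read from stdin. The
# non-verbose listing prints one "alias, date, EntryType, " line per entry;
# everything else (header, fingerprint lines) is dropped.
aliases_from_list() {
  awk -F', ' '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),/ { print $1 }'
}

# True when the truststore already contains an entry with this alias; keytool
# -importcert refuses to overwrite an existing alias, so we skip those.
truststore_has_alias() {
  keytool -list -alias "$1" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    >/dev/null 2>&1
}

# Export the end-entity certificate of every keystore entry and import it into
# the truststore. Only the store password is needed: -exportcert never touches
# the private key, and the key password is never used here.
sync_truststore() {
  tmp=$(mktemp -d) || return 1
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" |
    aliases_from_list |
    while read -r alias; do
      if truststore_has_alias "$alias"; then
        echo "skip: $alias already in $TRUSTSTORE"
        continue
      fi
      # -rfc writes PEM; for a PrivateKeyEntry this is the entry's own
      # certificate (first in its chain), not the issuing CA.
      keytool -exportcert -rfc -alias "$alias" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -file "$tmp/$alias.pem" || { echo "export failed: $alias" >&2; exit 1; }
      # -noprompt: mark the certificate trusted without the interactive
      # "Trust this certificate?" confirmation.
      keytool -importcert -noprompt -alias "$alias" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        -file "$tmp/$alias.pem" || { echo "import failed: $alias" >&2; exit 1; }
      echo "imported: $alias"
    done
  status=$?
  rm -rf "$tmp"
  return $status
}

# Run only when explicitly asked, so the file can also be sourced for its
# functions: SYNC_NOW=1 sh sync_truststore.sh
if [ "${SYNC_NOW:-0}" = "1" ]; then
  sync_truststore
fi
```

After running it, `keytool -list -keystore /example/ssl/truststore.jks` should show one trustedCertEntry per alias that the keystore holds, and restarting the locator should bring the JMX Manager up without the certificate_unknown alert. If your keystore entries are CA-signed, importing the CA certificate instead of each leaf is the more conventional choice; the script above deliberately mirrors the article's workaround and trusts the leaf certificates themselves.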