"Failed to find trusted path to signing certificate" error for scheduled workflow runs after replacing the vRealize Orchestrator certificate.


Article ID: 345139


Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • Scheduled workflow runs begin to fail after replacing the vRealize Orchestrator certificate
  • The /var/log/service-logs/prelude/vco-app/file-logs/vco-server-app.log contains errors similar to:

2023-02-01T12:04:00.894Z INFO vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.identity.token.impl.X509TrustChainKeySelector - Failed to find trusted path to signing certificate <OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US,CN=CA>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]

2023-02-01T12:04:00.897Z ERROR vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.identity.token.impl.SamlTokenImpl - Signature validation failed
javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:559) ~[java.xml.crypto:?]

2023-02-01T12:04:00.929Z ERROR vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.o11n.security.session.ManagedTokenRegistryImpl - Unable to convert token with id 8a74xxxx7c2axxxx017fxxxxxxxx15af
com.vmware.vcac.authentication.http.SamlAuthenticationException: Signature validation failed
at com.vmware.o11n.authentication.http.SamlTokenExtractor.extractToken(SamlTokenExtractor.java:164) ~[o11n-cafe-sdk-sso-8.9.1.jar:?]


Environment

VMware vRealize Orchestrator 8.x

Cause

The failing certificate validation is performed against the signing certificate that was used to register the Orchestrator service as a solution user in vCenter.

The issue occurs because the token stored for the scheduled task still references the previous signing certificate.

Resolution

A resolution for this issue is planned for a future vRealize Orchestrator release.

Workaround:

To work around the issue, update the token stored for the scheduled task.

1. Log in to the vRealize Orchestrator client with a user other than the current executing user. If you log in with the same user, the token will not be updated.

2. Navigate to the scheduled workflow and select Edit -> Use Current User to update the certificate stored against the token.

3. (Optional) Perform steps 1 and 2 again if you want the scheduled run to execute as the original user.
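
To check which stored tokens are hitting this error, before and after applying the workaround, the log pattern from the Symptoms section can be correlated per thread. The following is an added example, not VMware code: the function name, the 2-second correlation window and the Thread-7 sample line are assumptions, and the other sample lines are modeled on the excerpt above.

```python
import re
from datetime import datetime, timedelta

# Sample modeled on the excerpt in this article; the Thread-7 line is constructed.
SAMPLE = """\
2023-02-01T12:04:00.894Z INFO vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.identity.token.impl.X509TrustChainKeySelector - Failed to find trusted path to signing certificate <OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US,CN=CA>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2023-02-01T12:04:00.897Z ERROR vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.identity.token.impl.SamlTokenImpl - Signature validation failed
2023-02-01T12:04:00.929Z ERROR vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.o11n.security.session.ManagedTokenRegistryImpl - Unable to convert token with id 8a74xxxx7c2axxxx017fxxxxxxxx15af
2023-02-01T12:05:10.100Z ERROR vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-7' user='' org='' trace=''] {} com.vmware.o11n.security.session.ManagedTokenRegistryImpl - Unable to convert token with id constructed-token-0001
""".splitlines()

# The thread name itself contains an apostrophe, so anchor on "' user='".
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3})Z (?P<level>[A-Z]+) vco "
    r"\[host='.*?' thread='(?P<thread>.*?)' user='.*?\] \{.*?\} "
    r"(?P<logger>\S+) - (?P<msg>.*)$"
)
TRUST_FAIL = re.compile(r"Failed to find trusted path to signing certificate <(?P<dn>[^>]*)>")
TOKEN_FAIL = re.compile(r"Unable to convert token with id (?P<id>\S+)")
WINDOW = timedelta(seconds=2)  # assumption: related entries are logged within 2 s


def find_stale_tokens(lines):
    """Return [(token_id, signer_dn, timestamp)] for token conversions that
    fail right after a trust-path failure on the same thread."""
    pending = {}  # thread -> (time, signer DN) of the latest trust-path failure
    hits = []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # exception text, stack-trace frames, blank lines
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        trust = TRUST_FAIL.search(m["msg"])
        if trust:
            pending[m["thread"]] = (when, trust["dn"])
            continue
        token = TOKEN_FAIL.search(m["msg"])
        if token and m["thread"] in pending:
            seen, dn = pending.pop(m["thread"])
            if when - seen <= WINDOW:
                hits.append((token["id"], dn, m["ts"] + "Z"))
    return hits


if __name__ == "__main__":
    for token_id, dn, ts in find_stale_tokens(SAMPLE):
        print(f"{ts} token {token_id} rejected; untrusted signer: {dn}")
```

A token failure that is not preceded by a trust-path failure on the same thread, like the constructed Thread-7 line, is not reported, because it may have a different cause.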