Hi,
I am building a Java RESTful Client to connect & access Puppet Master
services. While attempting this, I am unable to get SSLHandshake through.
Can you please let me know where I am going wrong:
Puppet Master: puppetmaster.domain.com
Java Client: javaclient.domain.com
Obtained required signed certificates from puppetmaster.domain.com using:
a. Run command "puppet cert --generate javaclient.domain.com"
b. Obtained
   Signed Certificate from {ssldir}/certs/javaclient.domain.com.pem & renamed it to javaclient.domain.com-cert.pem
   Private key from {ssldir}/private_keys/javaclient.domain.com.pem & renamed it to javaclient.domain.com-key.pem
c. Created PKCS12 keystore using "openssl pkcs12 -export -name myservercert -in javaclient.domain.com-cert.pem -inkey javaclient.domain.com-key.pem -out javaclient.domain.com.p12"
d. Convert PKCS12 keystore into a JKS keystore using "keytool -importkeystore -destkeystore javaclient.domain.com.jks -srckeystore javaclient.domain.com.p12 -srcstoretype pkcs12 -alias myservercert"
Now the keystore javaclient.domain.com.jks is used in the Java application using the snippet:
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream({javaclient.domain.com.jks path}), "{Password}".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(trustStore);
ctx = SSLContext.getInstance("SSL");
ctx.init(null, tmf.getTrustManagers(), null);
ClientConfig config = new DefaultClientConfig(); // Jersey API
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(hostnameVerifier, ctx));
The Java client fails to run with exception "No trusted certificate found":
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:151)
at com.sun.jersey.api.client.Client.handle(Client.java:648)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:680)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
at test.JerseyRestAPI.executeRestAPI(JerseyRestAPI.java:105)
at test.JerseyRestAPI.main(JerseyRestAPI.java:37)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:249)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
Can you suggest where I am going wrong - in creating Signed certificate on
Puppet Master (or) creation of Keystore from the obtained certificate &
private-key?
Thanks,
Naveen.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/d1579151-ca08-43fb-9f31-d780b5b2d904%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Felix Frank
2013-Nov-28 10:01 UTC
Re: [Puppet Users] Java REST Client to access Puppet API
Hi,
good thinking, but you do want to add the CA certificate of your master
to your keystore. On the agent node, it can be found in
{ssldir}/certs/ca.pem.
There should be a keytool -importcert or similar option.
HTH,
Felix
On 11/27/2013 01:47 PM, Naveen Desu wrote:
> b. Obtained
> Signed Certificate from {ssldir}/certs/javaclient.domain.com.pem &
> renamed it to javaclient.domain.com-cert.pem
> Private key from {ssldir}/private_keys/javaclient.domain.com.pem &
> renamed it to javaclient.domain.com-key.pem
>
> c. Created PKCS12 keystore using "openssl pkcs12 -export -name
> myservercert
> -in javaclient.domain.com-cert.pem -inkey javaclient.domain.com-key.pem
> -out javaclient.domain.com.p12"
>
> d. Convert PKCS12 keystore into a JKS keystore using "keytool
> -importkeystore
> -destkeystore javaclient.domain.com.jks -srckeystore
> javaclient.domain.com.p12 -srcstoretype
> pkcs12 -alias myservercert"
--
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/5297147F.4020600%40alumni.tu-berlin.de.
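Added example (not code from either poster, and not Puppet's own client code) showing how the client setup described in the question looks once Felix's advice is applied: the truststore holds the master's CA certificate, and the client's own certificate and key are supplied through a KeyManager instead of being placed in the truststore. The truststore is assumed to have been built with `keytool -importcert -alias puppet-ca -file ca.pem -keystore puppet-ca.jks`, the PKCS12 file is the one from the poster's step c, and the file names, passwords and the URL are assumptions. It uses the JDK's HttpsURLConnection rather than the Jersey client so it needs no extra dependency.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not the original poster's code). Builds an SSLContext that
 * trusts the Puppet CA and presents the client's signed certificate.
 * File names, passwords and the URL below are assumptions.
 */
public class PuppetRestClient {

    // Assumed: a JKS truststore containing ONLY the master's CA certificate
    // ({ssldir}/certs/ca.pem imported with keytool -importcert), and the
    // PKCS12 produced by the "openssl pkcs12 -export" step in the question.
    private static final String TRUSTSTORE = "puppet-ca.jks";
    private static final String KEYSTORE = "javaclient.domain.com.p12";

    static SSLContext buildContext(char[] trustPw, char[] keyPw) throws Exception {
        // Trust anchors: the master's server certificate is validated against
        // the CA cert. A truststore holding only the client's own certificate
        // cannot validate the master, which is what produced
        // "No trusted certificate found" in ClientHandshaker.serverCertificate.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) {
            trustStore.load(in, trustPw);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Client identity: certificate + private key from the PKCS12 file, so
        // the master can authenticate this client. The snippet in the question
        // passed null for the KeyManagers, so no client certificate was sent.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            keyStore.load(in, keyPw);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPw);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed passwords; read them from a secured source in real use.
        SSLContext ctx = buildContext("changeit".toCharArray(), "changeit".toCharArray());

        // Assumed endpoint: the master's name from the question on its
        // HTTPS port. The path depends on the Puppet API being called.
        URL url = new URL("https://puppetmaster.domain.com:8140/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is kept on purpose: the master's
        // certificate must match puppetmaster.domain.com.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The two stores are kept separate on purpose: the truststore answers "which CAs may sign the server I talk to" and the keystore answers "who am I"; merging the client's certificate into the truststore, as in the original steps, satisfies neither question.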