Alfresco 5.0a community & certificate

gerbenkwakkel
Champ in-the-making
In my environment I am running Alfresco Community 5.0a on Ubuntu 12.04 LTS.

Now I have a certificate from GeoTrust, added to my own keystore and added in server.xml:


<Connector port="8443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="/home/administrator/certificaat.dbiom.nl/certificaat.dbiom.nl.key" keystorePass="PASSWORD" keystoreType="JKS"
secure="true" connectionTimeout="240000" clientAuth="want" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" />


This certificate works too. In Alfresco, however, I run into many errors, such as search no longer working and tags that cannot be retrieved.


javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at org.alfresco.httpclient.AbstractHttpClient.executeMethod(AbstractHttpClient.java:135)
        at org.alfresco.httpclient.AbstractHttpClient.sendRemoteRequest(AbstractHttpClient.java:111)
        at org.alfresco.httpclient.HttpClientFactory$HttpsClient.sendRequest(HttpClientFactory.java:371)
        at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1056)
        at org.alfresco.solr.tracker.CoreTracker.trackModelsImpl(CoreTracker.java:1950)
        at org.alfresco.solr.tracker.CoreTracker.trackModels(CoreTracker.java:4745)
        at org.alfresco.solr.tracker.CoreTracker.trackRepository(CoreTracker.java:1275)
        at org.alfresco.solr.tracker.CoreTracker.updateIndex(CoreTracker.java:561)
        at org.alfresco.solr.tracker.CoreTrackerJob.execute(CoreTrackerJob.java:45)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
        … 27 more


Error in Admin Console -> Category Manager


JavaException: org.alfresco.repo.search.impl.lucene.LuceneQueryParserException: 09300090 Request failed 401 /solr/alfresco/alfresco?wt=json&fl=DBID%2Cscore&rows=1000&df=TEXT&start=0&locale=nl_NL&alternativeDic=DEFAULT_DICTIONARY&fq=%7B%21afts%7DAUTHORITY_FILTER_FROM_JSON&fq=%7B%21afts%7DTENANT_FILTER_FROM_JSON


I added the certificate to the cacerts file, and nothing works.

Did I forget something?
5 REPLIES

angelborroy
Community Manager
Look at the alf_data/solr folder. There is a file with some instructions about configuring a new certificate. The problem, basically, is that SOLR is targeting port 8443 and using client authentication. As you have changed the issuer CA, SOLR can't be authenticated any more.
Hyland Developer Evangelist

gerbenkwakkel
Champ in-the-making
Is this step also possible with an existing certificate + keystore?

angelborroy
Community Manager
It's possible, but you must change the SOLR client certificate.
Hyland Developer Evangelist

gerbenkwakkel
Champ in-the-making
So, can I replace the SOLR client certificate with the GeoTrust certificates, or should it be done in a different way?

angelborroy
Community Manager
You should read the information in the README.txt file provided by Alfresco in alf_data/solr.

There are different ways: include a certificate from GeoTrust, change SSL protocol negotiation…
Hyland Developer Evangelist
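
The stack trace in the question already says which side of the connection rejected which certificate: the trust-manager frame is `checkServerTrusted` and the first application frame is the Solr tracker. The following is an added example, not code from the thread or from Alfresco, that reads those two facts out of a trace; the sample is a constructed excerpt of the posted trace, and `triage` and `PLUMBING` are names made up for this illustration.

```python
import re

# Constructed excerpt of the stack trace posted in the question (most frames omitted).
TRACE = """\
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at org.alfresco.httpclient.HttpClientFactory$HttpsClient.sendRequest(HttpClientFactory.java:371)
        at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1056)
        at org.alfresco.solr.tracker.CoreTracker.trackModelsImpl(CoreTracker.java:1950)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
"""

FRAME = re.compile(r"^\s*at\s+([\w.$]+)\.([\w$<>]+)\(")
# JDK and HTTP-client plumbing; the first frame outside these is the real caller.
PLUMBING = ("sun.", "java.", "javax.", "org.apache.commons.httpclient.",
            "org.alfresco.httpclient.")

def triage(trace):
    """Say which side rejected which certificate, and on whose behalf."""
    frames = [m.groups() for m in map(FRAME.match, trace.splitlines()) if m]
    methods = {cls.rsplit(".", 1)[-1] + "." + meth for cls, meth in frames}
    failure = "untrusted-issuer" if "PKIX path building failed" in trace else "other"
    if "X509TrustManagerImpl.checkServerTrusted" in methods:
        # This JVM was the TLS client and could not chain the peer's server cert.
        role, check = "tls-client", "caller's truststore lacks the CA of the server certificate"
    elif "X509TrustManagerImpl.checkClientTrusted" in methods:
        # This JVM was the TLS server and could not chain the client cert.
        role, check = "tls-server", "connector's truststore lacks the CA of the client certificate"
    else:
        role, check = "unknown", "trace has no trust-manager frame"
    caller = next((c + "." + m for c, m in frames if not c.startswith(PLUMBING)), None)
    return {"failure": failure, "role": role, "caller": caller, "check": check}

if __name__ == "__main__":
    for key, value in triage(TRACE).items():
        print(f"{key:8} {value}")
```

A `tls-client` result with a Solr tracker caller points at the trust material Solr uses for its own connection to port 8443, since that is where the GeoTrust-issued certificate is now being served.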