Problem
When running any of the SeaLights agents, you may come across an error related to PKIx/SSL libraries. For example:
Code Block |
---|
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake … |
...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed … |
Cause
These errors could point to an issue with creating a secure connection to our server due to a misconfigured or missing certificate. The missing certificate is often the Selaights Security certificate, sometimes your Corporate certificate. The following guide will explain
The instructions below detail the steps required to add the SeaLights certificate to your local Java keystoreKeystore.
...
Solution
Retrieve the SeaLights certificate from your dashboard:
While logged in, click on the “Lock” icon to the left of your address bar.
...
On Windows: In the Details tab, click on Copy to File and ensure the exported certificate is in .cer/.der format
On Mac: Dragging the certificate icon to your desktop will export it
Panel |
---|
panelIconId | atlassian-warning |
---|
panelIcon | :warning: |
---|
bgColor | #FFF0B3 |
---|
|
Make sure the certificate you’re downloading is issued by Amazon Web services. In some organizations, the firewall modifies/replaces the certificate and leds to continue facing the connectivity issue because the certificate will be marked as invalid. In this case, please contact Sealights Support to get a copy via email for example. |
...
2. Add the certificate to the Java keystoreKeystore:
...
importcert -alias your-alias -keystore cacerts.jks -file certificate. |
...
(Optional) Convert the .cer certificate file to .pem format:
In some cases, it may be necessary to convert the exported certificate to PEM format , so that it could to be loaded into the JKS (Java Key Store). To do so, use the following command:
Code Block |
---|
openssl x509 -inform der -in certificate.cer -out certificate.pem |
Info |
---|
The SeaLights certificate should be added to any Java keystore that communicates with SeaLights. |
3. Validate the certificate was imported into the keystore file being used by the JVM with the following command:
Workaround
You can disable the cert check (not a long-term solution):
Code Block |
---|
sl.ignoreCertificateErrors=true |
Helpers
Table of Contents |
---|
minLevel | 3 |
---|
maxLevel | 6 |
---|
outline | false |
---|
type | list |
---|
separator | brackets |
---|
printable | true |
---|
|
Note |
---|
Disclaimer: The scripts provided below are for reference purposes only. They are offered "as-is" without any guarantees or support from Sealights. Please ensure you understand and test their functionality before deploying them in any environment. |
Check the certificates' expiration date
Here are Bash and PowerShell scripts that check the expiration dates of certificates in a Java keystore and notify you about certificates that are either expired or will expire in less than 30 days:
Bash | PowerShell |
---|
Code Block |
---|
| #!/bin/bash
# Path to your Java keystore
KEYSTORE_PATH="/path/to/your/keystore.jks"
# Keystore password
KEYSTORE_PASSWORD="your_keystore_password"
# Number of days for expiration threshold
EXPIRATION_THRESHOLD=30
# Get current date in epoch format
CURRENT_DATE=$(date +%s)
# Loop through each entry in the keystore
while IFS=' ' read -r alias; do
# Get certificate expiration date
expiration_date=$(keytool -list -v -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASSWORD" -alias "$alias" | grep Valid | awk -F ',' '{print $2}' | sed 's/^[ \t]*//')
# Convert expiration date to epoch format
expiration_epoch=$(date -d "$expiration_date" +%s)
# Calculate days until expiration
days_until_expiration=$(( (expiration_epoch - CURRENT_DATE) / 86400 ))
if (( days_until_expiration <= 0 )); then
echo "Certificate '$alias' has already expired!"
elif (( days_until_expiration <= EXPIRATION_THRESHOLD )); then
echo "Certificate '$alias' will expire in $days_until_expiration days."
fi
done < <(keytool -list -keystore "$KEYSTORE_PATH" -storepass "$KEYSTORE_PASSWORD" | grep "Alias name:" | awk -F ': ' '{print $2}')
exit 0 |
| Code Block |
---|
| # Path to your Java keystore
$KeyStorePath = "C:\path\to\your\keystore.jks"
# Keystore password
$KeyStorePassword = "your_keystore_password"
# Number of days for expiration threshold
$ExpirationThreshold = 30
# Get the current date
$CurrentDate = Get-Date
# Load the keystore
$Keystore = [Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$Keystore.Import($KeyStorePath, $KeyStorePassword, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
# Loop through each certificate in the keystore
foreach ($cert in $Keystore) {
$expirationDate = $cert.NotAfter
# Calculate days until expiration
$daysUntilExpiration = ($expirationDate - $CurrentDate).Days
if ($expirationDate -lt $CurrentDate) {
Write-Host "Certificate '$($cert.Subject)' has already expired!"
}
elseif ($daysUntilExpiration -le $ExpirationThreshold) {
Write-Host "Certificate '$($cert.Subject)' will expire in $daysUntilExpiration days."
}
}
$Keystore.Dispose() |
|
Replace /path/to/your/keystore.jks
with the actual path to your Java keystore file and your_keystore_password
with your keystore password. Set appropriate permissions on the script file and execute it in a proper environment.
Please note that this script assumes that the keytool
command is available in your environment (usually comes with Java installations). Also, ensure that you have the necessary permissions to access the keystore file.
Script saving an SSL certificate from a URL to a local file
These scripts should help you download SSL certificates and save them in the specified format.
Bash | PowerShell |
---|
Code Block |
---|
| #!/bin/bash
# Function to download SSL certificate
download_ssl_certificate() {
local url=$1
local port=${2:-443}
local output_file=${3:-certificate.pem}
# Extract the hostname from the URL
local hostname=$(echo $url | awk -F[/:] '{print $4}')
# Use openssl to get the certificate and save it to a file
echo | openssl s_client -connect ${hostname}:${port} -servername ${hostname} 2>/dev/null | openssl x509 > ${output_file}
echo "Certificate downloaded and saved as ${output_file}"
}
# Example usage
download_ssl_certificate "https://mycompany.sealights.co"
|
| Code Block |
---|
| # Function to download SSL certificate
function Download-SSLCertificate {
param (
[string]$url,
[int]$port = 443,
[string]$outputFile = "certificate.cer"
)
$hostname = ([System.Uri]$url).Host
$tcpClient = New-Object Net.Sockets.TcpClient
$tcpClient.Connect($hostname, $port)
$sslStream = New-Object Net.Security.SslStream($tcpClient.GetStream(), $false, ({$true}))
$sslStream.AuthenticateAsClient($hostname)
$cert = $sslStream.RemoteCertificate
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outputFile, $bytes)
$sslStream.Close()
$tcpClient.Close()
Write-Output "Certificate downloaded and saved as $outputFile"
}
# Example usage
Download-SSLCertificate -url "https://mycompany.sealights.co"
|
|
Related articles
Filter by label (Content by label) |
---|
showLabels | false |
---|
max | 5 |
---|
spaces | com.atlassian.confluence.content.render.xhtml.model.resource.identifiers.SpaceResourceIdentifier@1422e |
---|
showSpace | false |
---|
sort | modified |
---|
type | page |
---|
reverse | true |
---|
labels | certificate ssl tls pkix |
---|
cql | label in ( "pkix" , "certificate" , "tls" , "ssl" ) and type = "page" and space = "SUP" |
---|
|