KBEC-00428 - Establish connection with no trusted keystore on agent

For local agents, this article applies when you see the following errors:

The Job Status contains the error "Trust anchor for certification path not found."
The Resource status contains the error "The agent machine reset the network connection. The resource definition and agent may have a protocol (http vs https) mismatch: Trust anchor for certification path not found"

"Trust anchor for certification path not found" is the Java TLS validation error for a certificate chain that does not end at a certificate present in the validating side's keystore. Here it means the agent (or server) presented a certificate signed by the Electric Commander CA, but the keystore on the other side of the connection does not hold that CA certificate (the CA:<host> entry that eccert imports during initialization). The call sequences below show where that import happens, so a failing agent can be compared against them step by step.

The following is the sequence of certificate-related calls that eccert makes during a full install on Windows, captured with --debug. Compare it with what ran on the failing agent to find the step that was skipped; every keystore that validates a connection must end up holding the CA certificate under the alias CA:<server host>. Paths are the Windows defaults and the OpenSSL configuration is conf\security\openssl.cnf.

  1. eccert --debug initCA
    1.1 Generating CA keys and certificate
        openssl req -x509 -new -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca.pem" -keyout "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca_pk.pem" -days 3650 -nodes -subj "/CN=commander5.electric-cloud.com/O=Electric Commander CA" 2>&1
        Output:
          Generating a 2048 bit RSA private key
          writing new private key to 'C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca_pk.pem'
    1.2 Updating CA revocation list
        openssl ca -gencrl -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\crl.pem" 2>&1

  2. eccert --debug initServer
    2.1 Generating keys
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -dname "CN=commander5.electric-cloud.com,O=server" 2>&1
    2.2 Generating certificate request
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "commander5.electric-cloud.com" "" 2>&1
        Output:
          cname=commander5.electric-cloud.com
          san=
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_csr.pem" 2>&1
    2.3 Signing server certificate
        openssl ca -passin stdin -batch -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -in "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_csr.pem" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_crt.pem" -notext 2>&1
        Output:
          Using configuration from C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf
          Check that the request matches the signature
          Signature ok
          The Subject's Distinguished Name is as follows
          organizationName      :PRINTABLE:'server'
          commonName            :PRINTABLE:'commander5.electric-cloud.com'
          Certificate is to be certified until Aug 17 17:14:20 2025 GMT (3650 days)
          Write out database with 1 new entries
          Data Base Updated
    2.4 Importing 'CA:commander5.electric-cloud.com' certificate
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca.pem" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias "CA:commander5.electric-cloud.com" -noprompt 2>&1
        Output: Certificate was added to keystore
    2.5 Importing 'jetty' certificate
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_crt.pem" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias "jetty" -noprompt 2>&1
        Output: Certificate reply was installed in keystore

  3. eccert --debug initAgent (not a trusted agent)
    3.1 Generating keys
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -dname "CN=commander5.electric-cloud.com,O=agent" 2>&1
    3.2 Generating certificate request
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "commander5.electric-cloud.com" "" 2>&1
        Output:
          cname=commander5.electric-cloud.com
          san=
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\agent_csr.pem" 2>&1

Sequence of certificate-related calls when initializing a standalone trusted agent against the server

  1. eccert --debug --server 192.168.32.16 --securePort 8443 initAgent -remote
    1.1 Generating keys
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias jetty -dname "CN=agent51.hsd1.ca.comcast.net,O=agent" 2>&1
    1.2 Generating certificate request
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "agent51.hsd1.ca.comcast.net" "" 2>&1
        Output:
          cname=agent51.hsd1.ca.comcast.net
          san=
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\agent_csr.pem" 2>&1
    1.3 Making call to server
        Asking server '192.168.32.16' to sign certificate. The request carries two operations: getCertificates fetches the server's CA certificate and CRL, and signCertificate submits the agent's CSR.

        request =
        {
          "version": "2.2",
          "timeout": 180,
          "sessionId": "FJRZCL506UE4IKAI",
          "requests": [
            {
              "requestId": 1,
              "operation": "getCertificates"
            },
            {
              "requestId": 2,
              "operation": "signCertificate",
              "parameters": {
                "certificateData": "-----BEGIN NEW CERTIFICATE REQUEST-----\nMIICbDCCAikCAQAwNjEOMAwGA1UEChMFYWdlbnQxJDAiBgNVBAMTG2FnZW50…GakbmpVfMjhJLXCC84U0Z4tf\n-----END NEW CERTIFICATE REQUEST-----\n"
              }
            }
          ]
        }

        response (partial) =
        {
          "responses": [
            {
              "requestId": "1",
              "certificates": "-----BEGIN CERTIFICATE-----\r\nMIIDxzCCAq+gAwIBAgIJALWDPsB7Y+77MA0GCSqGSIb3DQEBBQUAMEsxKT…PSa0OQ97nGYjxYZaNgvVYzmfSfwNHQGXpuwAkPLSTlIhJLHS\r\npEA=\r\n-----END CERTIFICATE-----\r\n",
              "revocations": "-----BEGIN X509 CRL-----\nMIIBkDB6MA0GCSqGSIb3DQEBBQUAMEsxKTAnBgNVBAMTIHNoYWRvdy1tYXN0ZXIu\nZ…FNvI2YfvbLis0Ep1r3oMK4=\n-----END X509 CRL-----\n"
            },
            {
              "value": "-----BEGIN CERTIFICATE-----\nMIIDyzCCArOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMSkwJwYDVQQDEyBz…9BAnCxOnIz\nwMPG8MvpVJxK2y+weUiz\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\r\nMIIDxzCCAq+gAwIBAgIJALWDPsB7Y+77MA0GCSqGSIb3DQEBBQUAMEsxKT…r0AtoknmAK1nP5KyuTaxGJgpPo\r\nstH+0fPlVj…",
              …
            }
          ]
        }

        The second certificate in "value" begins with the same bytes as the CA certificate returned in "certificates": the signed reply is the agent certificate followed by its issuer. Note also that the server emits CRLF line endings in some PEM blocks and LF in others.
    1.4 openssl x509 -noout -subject 2>&1 (reading the subject of the returned CA certificate)
        Output: subject= /CN=shadow-master.electric-cloud.com/O=Electric Commander CA
    1.5 Importing 'CA:shadow-master.electric-cloud.com' certificate (from the temporary file into which eccert wrote the returned CA certificate)
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "/tmp/KYtxm_16Nv" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias "CA:shadow-master.electric-cloud.com" -noprompt 2>&1
        Output: Certificate was added to keystore
    1.6 Importing 'jetty' certificate (the signed reply, from its temporary file)
        "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "/tmp/Pm1Pa8aZwh" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias "jetty" -noprompt 2>&1
        Output: Certificate reply was installed in keystore
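The getCertificates/signCertificate exchange above, as an added Python example that is not part of this article or of eccert: it builds the request body in the shape shown, parses the response, normalizes the mixed CRLF/LF line endings visible in the capture, splits the concatenated PEM blocks, and checks that the issuer certificate appended to the signed reply is the same CA certificate that getCertificates returned before anything is handed to keytool. The session id, the PEM bodies and the output file names are constructed placeholders, not real certificates; the function names are this example's own.

```python
import json
import os
import re

# One PEM block; \r?\n tolerates the mixed CRLF/LF line endings visible in the
# captured response (CRLF in "certificates", LF in the first block of "value").
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def build_sign_request(csr_pem, session_id, version="2.2", timeout=180):
    """Build the two-operation request eccert sends: fetch the CA certificate and
    CRL (getCertificates), then submit the agent's CSR (signCertificate)."""
    return {
        "version": version,
        "timeout": timeout,
        "sessionId": session_id,
        "requests": [
            {"requestId": 1, "operation": "getCertificates"},
            {"requestId": 2, "operation": "signCertificate",
             "parameters": {"certificateData": csr_pem}},
        ],
    }


def split_pem(blob):
    """Return [(label, block)] for every PEM block in blob, each block re-emitted
    with LF line endings so blocks from different fields compare byte-for-byte."""
    blocks = []
    for m in PEM_BLOCK.finditer(blob):
        label = m.group(1)
        body = re.sub(r"\r?\n", "\n", m.group(2)).strip()
        blocks.append((label, "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)))
    return blocks


def parse_sign_response(response):
    """Separate the CA certificate, the CRL and the signed reply chain, and flag a
    reply whose appended issuer certificate is not the CA that getCertificates returned."""
    certs = next(r for r in response["responses"] if "certificates" in r)
    signed = next(r for r in response["responses"] if "value" in r)
    ca = split_pem(certs["certificates"])
    crl = split_pem(certs["revocations"])
    chain = split_pem(signed["value"])
    if len(ca) != 1 or ca[0][0] != "CERTIFICATE":
        raise ValueError("getCertificates did not return exactly one CA certificate")
    if len(crl) != 1 or crl[0][0] != "X509 CRL":
        raise ValueError("getCertificates did not return a CRL")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("signCertificate did not return a certificate chain")
    return {
        "ca_cert": ca[0][1],
        "crl": crl[0][1],
        "agent_cert": chain[0][1],          # leaf: the agent's signed 'jetty' certificate
        "reply_chain": [block for _, block in chain],
        "chain_matches_ca": chain[-1][1] == ca[0][1],
    }


def write_for_keytool(parsed, outdir):
    """Write the CA certificate and the reply chain to files, one for each of the two
    keytool -importcert calls (alias CA:<server>, then alias jetty); returns both paths."""
    ca_path = os.path.join(outdir, "ca.pem")
    reply_path = os.path.join(outdir, "agent_reply.pem")
    with open(ca_path, "w", newline="\n") as f:
        f.write(parsed["ca_cert"])
    with open(reply_path, "w", newline="\n") as f:
        f.write("".join(parsed["reply_chain"]))
    return ca_path, reply_path


# Constructed placeholders: base64-looking bodies, not real certificates, and not a
# real session id. They exercise the PEM framing and line-ending handling only.
CSR_PEM = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
           "Y29uc3RydWN0ZWQtY3NyLXBsYWNlaG9sZGVy\n"
           "-----END NEW CERTIFICATE REQUEST-----\n")
CA_BODY = "Y29uc3RydWN0ZWQtY2EtY2VydC1wbGFjZWhvbGRlcg=="
LEAF_BODY = "Y29uc3RydWN0ZWQtYWdlbnQtY2VydC1wbGFjZWhvbGRlcg=="
SAMPLE_RESPONSE = {"responses": [
    {"requestId": "1",
     "certificates": "-----BEGIN CERTIFICATE-----\r\n" + CA_BODY + "\r\n-----END CERTIFICATE-----\r\n",
     "revocations": "-----BEGIN X509 CRL-----\nY29uc3RydWN0ZWQtY3JsLXBsYWNlaG9sZGVy\n-----END X509 CRL-----\n"},
    {"requestId": "2",
     "value": "-----BEGIN CERTIFICATE-----\n" + LEAF_BODY + "\n-----END CERTIFICATE-----\n"
              "-----BEGIN CERTIFICATE-----\r\n" + CA_BODY + "\r\n-----END CERTIFICATE-----\r\n"},
]}

if __name__ == "__main__":
    print(json.dumps(build_sign_request(CSR_PEM, "SESSIONIDPLACEHOLDER"), indent=2))
    result = parse_sign_response(SAMPLE_RESPONSE)
    print("reply issuer matches getCertificates CA:", result["chain_matches_ca"])
```

On a real capture, load the response JSON, call parse_sign_response, and feed the two files from write_for_keytool to the same two keytool -importcert calls shown in the import steps above. A False chain_matches_ca means the issuer attached to the reply is not the CA the agent is about to trust with -noprompt, and the import should stop there.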

Notes

  • keytool -genkeypair defaults to -keysize 2048 when -keyalg is RSA.
  • The keyalg value specifies the algorithm used to generate the key pair, and the keysize value specifies the size of each key generated. The sigalg value specifies the algorithm used to sign the self-signed certificate; it must be compatible with the keyalg value.
  • If the underlying private key is of type RSA, the -sigalg option defaults to SHA256withRSA. (From https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html)
  • The remote initAgent imports the CA certificate that the host given by --server returns from getCertificates, using -noprompt, so the agent's trust anchor is whatever that host sent on the first connection. Before relying on a newly initialized agent, compare the subject printed by openssl x509 -noout -subject and the fingerprint printed by keytool -list -v with the server's own conf\security\ca.pem.

--- Read keystore

To inspect a keystore, run keytool -list -v against it. The listing below is from an old self-signed keystore: a single jetty entry whose Issuer equals its Owner (CN=localhost), no CA:<server> trusted entry, and a certificate that has also expired. This is the shape of a keystore that produces "Trust anchor for certification path not found". A keystore initialized by eccert contains a CA:<server> trustedCertEntry and a jetty entry whose issuer is the Electric Commander CA.

From C:\ProgramData\Electric Cloud\ElectricCommander\conf on commander5:

"C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -list -v -keystore repository/keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jetty
Creation date: Mar 31, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 4d94cabd
Valid from: Thu Mar 31 11:41:01 PDT 2011 until: Sun Mar 25 11:41:01 PDT 2012
Certificate fingerprints:
  MD5:  54:5D:76:E3:DD:07:06:53:99:CB:18:8F:2F:A6:70:D3
  SHA1: EA:EE:D0:87:0B:F7:09:90:27:79:E3:7A:E7:33:F4:59:20:81:98:CB
  SHA256: 07:90:AC:0B:D9:58:6D:7B:9F:16:B8:AB:D4:4A:D8:3E:F8:18:8B:AE:E8:F3:78:12:EB:E5:45:56:AA:8D:A5:9C
Signature algorithm name: SHA1withRSA
Version: 3
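To turn a listing like the one above into a diagnosis, the following Python script (added here; it is not part of this article or of eccert) parses keytool -list -v output and reports whether the keystore holds a trusted CA entry and whether the jetty key entry chains to it. It handles both the single Owner/Issuer pair keytool prints for a trustedCertEntry and the Certificate[n] chain it prints for a PrivateKeyEntry. The two listings embedded in it are constructed samples in the same layout as the output above: the first mirrors the self-signed CN=localhost keystore shown, the second is what an eccert-initialized agent keystore looks like; the alias, host names and dates in them are assumptions.

```python
import re


def _dn(text):
    """Normalize a distinguished name as keytool prints it (no space around commas)."""
    return re.sub(r"\s*,\s*", ",", text.strip())


def parse_keytool_listing(text):
    """Parse `keytool -list -v` output into [{alias, type, certs: [{owner, issuer}]}].
    PrivateKeyEntry blocks list a chain as Certificate[n]; trustedCertEntry blocks
    print one Owner/Issuer pair, so both reduce to an ordered Owner/Issuer list."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "type": "", "certs": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Entry type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            cur["certs"].append({"owner": _dn(line.split(":", 1)[1]), "issuer": ""})
        elif line.startswith("Issuer:") and cur["certs"]:
            cur["certs"][-1]["issuer"] = _dn(line.split(":", 1)[1])
    return entries


def diagnose(listing, key_alias="jetty"):
    """Return a list of problems; an empty list means the keystore carries a trust
    anchor and the key entry chains to it (the state eccert initAgent leaves behind)."""
    entries = parse_keytool_listing(listing)
    anchors = {e["certs"][0]["owner"]: e["alias"]
               for e in entries if e["type"].lower() == "trustedcertentry" and e["certs"]}
    problems = []
    if not anchors:
        problems.append("no trustedCertEntry: the CA:<server> certificate was never imported")
    key = next((e for e in entries if e["alias"] == key_alias), None)
    if key is None:
        problems.append("no '%s' key entry" % key_alias)
        return problems
    chain = key["certs"]
    if len(chain) == 1 and chain[0]["owner"] == chain[0]["issuer"]:
        problems.append("'%s' is self-signed: the server never signed its CSR" % key_alias)
    top = chain[-1]["issuer"]
    if top not in anchors:
        problems.append("issuer %s of '%s' is not a trust anchor in this keystore" % (top, key_alias))
    return problems


# Constructed samples in the layout of `keytool -list -v` (not captured from a real host).
SELF_SIGNED_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jetty
Creation date: Mar 31, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 4d94cabd
Signature algorithm name: SHA1withRSA
Version: 3
"""

INITIALIZED_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: CA:commander5.electric-cloud.com
Creation date: Aug 20, 2015
Entry type: trustedCertEntry

Owner: CN=commander5.electric-cloud.com, O=Electric Commander CA
Issuer: CN=commander5.electric-cloud.com, O=Electric Commander CA

Alias name: jetty
Creation date: Aug 20, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=agent51.hsd1.ca.comcast.net, O=agent
Issuer: CN=commander5.electric-cloud.com, O=Electric Commander CA
Certificate[2]:
Owner: CN=commander5.electric-cloud.com, O=Electric Commander CA
Issuer: CN=commander5.electric-cloud.com, O=Electric Commander CA
"""

if __name__ == "__main__":
    for name, listing in (("self-signed", SELF_SIGNED_LISTING), ("initialized", INITIALIZED_LISTING)):
        print(name, "->", diagnose(listing) or ["ok"])
```

To use it on a real agent, pipe the output of keytool -list -v -keystore "<agent keystore>" into diagnose; the first message names the missing piece that the initAgent sequence would have installed.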

 

If this procedure does not resolve the 'no trusted keystore on agent' error, or you have questions about it, contact support@electric-cloud.com.

 

 
