KBEC-00428 - Establish connection with no trusted keystore on agent

For your local agents, if you are encountering the following errors:

The job status contains the error "Trust anchor for certification path not found."

The resource status contains the error "The agent machine reset the network connection. The resource definition and agent may have a protocol (http vs https) mismatch: Trust anchor for certification path not found"

Please run the following sequence of certificate-related calls when doing a full install (Windows):

```
eccert --debug initCA
```

1. Generating CA keys and certificate

    ```
    openssl req -x509 -new -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca.pem" -keyout "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca_pk.pem" -days 3650 -nodes -subj "/CN=commander5.electric-cloud.com/O=Electric Commander CA" 2>&1
    ```

    Output:

    ```
    Generating a 2048 bit RSA private key
    writing new private key to 'C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca_pk.pem'
    ```

2. Updating CA revocation list

    ```
    openssl ca -gencrl -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\crl.pem" 2>&1
    ```
    
```
eccert --debug initServer
```

1. Generating keys

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -dname "CN=commander5.electric-cloud.com,O=server" 2>&1
    ```

2. Generating certificate request

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "commander5.electric-cloud.com" "" 2>&1
    ```

    Output:

    ```
    cname=commander5.electric-cloud.com
    san=
    ```

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_csr.pem" 2>&1
    ```

3. Signing server certificate (the CSR from step 2 is the input, the signed certificate is the output)

    ```
    openssl ca -passin stdin -batch -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -in "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_csr.pem" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_crt.pem" -notext 2>&1
    ```

    Output:

    ```
    Using configuration from C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    organizationName      :PRINTABLE:'server'
    commonName            :PRINTABLE:'commander5.electric-cloud.com'
    Certificate is to be certified until Aug 17 17:14:20 2025 GMT (3650 days)
    Write out database with 1 new entries
    Data Base Updated
    ```

4. Importing 'CA:commander5.electric-cloud.com' certificate

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca.pem" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias "CA:commander5.electric-cloud.com" -noprompt 2>&1
    ```

    Output:

    ```
    Certificate was added to keystore
    ```

5. Importing 'jetty' certificate

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_crt.pem" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias "jetty" -noprompt 2>&1
    ```

    Output:

    ```
    Certificate reply was installed in keystore
    ```

```
eccert --debug initAgent
```

(not a trusted agent)

1. Generating keys

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -dname "CN=commander5.electric-cloud.com,O=agent" 2>&1
    ```

2. Generating certificate request

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "commander5.electric-cloud.com" "" 2>&1
    ```

    Output:

    ```
    cname=commander5.electric-cloud.com
    san=
    ```

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\agent_csr.pem" 2>&1
    ```

Sequence of certificate-related calls when doing a standalone trusted agent call

```
eccert --debug --server 192.168.32.16 --securePort 8443 initAgent -remote
```

1. Generating keys

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias jetty -dname "CN=agent51.hsd1.ca.comcast.net,O=agent" 2>&1
    ```

2. Generating certificate request

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "agent51.hsd1.ca.comcast.net" "" 2>&1
    ```

    Output:

    ```
    cname=agent51.hsd1.ca.comcast.net
    san=
    ```

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\agent_csr.pem" 2>&1
    ```

3. Making call to server

    ```
    Asking server '192.168.32.16' to sign certificate
    request = {
      "version": "2.2",
      "timeout": 180,
      "sessionId": "FJRZCL506UE4IKAI",
      "requests": [
        {
          "requestId": 1,
          "operation": "getCertificates"
        },
        {
          "parameters": {
            "certificateData": "-----BEGIN NEW CERTIFICATE REQUEST----- MIICbDCCAikCAQAwNjEOMAwGA1UEChMFYWdlbnQxJDAiBgNVBAMTG2FnZW50………………..GakbmpVfMjhJLXCC84U0Z4tf -----END NEW CERTIFICATE REQUEST----- "
          },
          "requestId": 2,
          "operation": "signCertificate"
        }
      ]
    }
    response (partial) =
    {
      "responses": [
        {
          "certificates": "-----BEGIN CERTIFICATE----- MIIDxzCCAq+gAwIBAgIJALWDPsB7Y+77MA0GCSqGSIb3DQEBBQUA MEsxKT…………………..PSa0OQ97nGYjxYZaNgvVYzmfSfwNHQGXpuwAkPLSTlIhJLHS p EA= -----END CERTIFICATE----- ",
          "revocations": "-----BEGIN X509 CRL----- MIIBkDB6MA0GCSqGSIb3DQEBBQUAMEsxKTAnBgNVBAMTIHNoYWRvdy1tYXN0 ZXIu Z…………………..FNvI2YfvbLis0Ep1r3oMK4= -----END X509 CRL----- ",
          "requestId": "1"
        },
        {
          "value": "-----BEGIN CERTIFICATE----- MIIDyzCCArOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMSkwJwYDVQQ DEyBz……………………………………………….9BAnCxOnIz wMPG8MvpVJxK2y+weUiz -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDxzCCAq+gAwIBAgIJALWDPsB7Y+77MA0GCSqGSIb3DQEBBQUA MEsxKT………….r0AtoknmAK1nP5KyuTaxGJgpPo stH+0fPlVj…………….",
          ………….
        }
      ]
    }
    ```

4. Reading the subject of the returned CA certificate

    ```
    openssl x509 -noout -subject 2>&1
    ```

    Output:

    ```
    output='subject= /CN=shadow-master.electric-cloud.com/O=Electric Commander CA'
    ```

5. Importing 'CA:shadow-master.electric-cloud.com' certificate

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "/tmp/KYtxm_16Nv" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias "CA:shadow-master.electric-cloud.com" -noprompt 2>&1
    ```

    Output:

    ```
    output='Certificate was added to keystore'
    ```

6. Importing 'jetty' certificate

    ```
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "/tmp/Pm1Pa8aZwh" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias "jetty" -noprompt 2>&1
    ```

    Output:

    ```
    output='Certificate reply was installed in keystore'
    ```
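The initAgent -remote exchange above (the getCertificates/signCertificate request, the PEM text in the response, and the CA-first import order of steps 5 and 6), modelled as an added Python example; this is not eccert's own code. The sample response and its PEM bodies are constructed stand-ins, not real certificates.

```python
import base64
import json
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed stand-ins for the PEM bodies in the page's response (not real
# certificates); the JSON shape matches the exchange shown above.
FAKE_CA = "-----BEGIN CERTIFICATE-----\nQ0EtQ0VSVA==\n-----END CERTIFICATE-----"
FAKE_CRL = "-----BEGIN X509 CRL-----\nQ1JM\n-----END X509 CRL-----"
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----"
SAMPLE_RESPONSE = json.dumps({"responses": [
    {"requestId": "1", "certificates": FAKE_CA, "revocations": FAKE_CRL},
    {"requestId": "2", "value": FAKE_LEAF + " " + FAKE_CA},
]})


def build_sign_request(session_id, csr_pem, timeout=180):
    """Same shape as the request above: fetch the server's trust material
    (requestId 1), then ask it to sign the agent CSR (requestId 2)."""
    return {"version": "2.2", "timeout": timeout, "sessionId": session_id,
            "requests": [
                {"requestId": 1, "operation": "getCertificates"},
                {"requestId": 2, "operation": "signCertificate",
                 "parameters": {"certificateData": csr_pem}}]}


def split_pem_blocks(text):
    """Split concatenated PEM text into (label, DER bytes); bad base64 raises."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]


def plan_imports(response_json):
    """Order the keystore imports as the page shows them: CA certificates from
    getCertificates first (the CA:<CN> trusted entry), then the signed chain as
    the 'jetty' certificate reply. keytool builds the trust chain for a reply
    from entries already in the keystore, so the CA has to be there first; an
    agent keystore without the CA is what the "Trust anchor" error reports.
    CRLs come back separately and are not keystore entries."""
    by_id = {str(r["requestId"]): r for r in json.loads(response_json)["responses"]}
    cas = [der for label, der in split_pem_blocks(by_id["1"]["certificates"])
           if label == "CERTIFICATE"]
    crls = [der for label, der in split_pem_blocks(by_id["1"].get("revocations", ""))
            if label == "X509 CRL"]
    reply = [der for label, der in split_pem_blocks(by_id["2"]["value"])
             if label == "CERTIFICATE"]
    if not cas or not reply:
        raise ValueError("server response lacks a CA certificate or a signed reply")
    return [("trustedcert", der) for der in cas] + [("reply", reply)], crls
```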
      

Notes

```
-keysize 2048 (when using -genkeypair and -keyalg is "RSA")
```

The keyalg value specifies the algorithm to be used to generate the key pair, and the keysize value specifies the size of each key to be generated. The sigalg value specifies the algorithm that should be used to sign the self-signed certificate. This algorithm must be compatible with the keyalg value. If the underlying private key is of type RSA, then the -sigalg option defaults to SHA256withRSA. (from https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html)

Read keystore:

```
vagrant@commander5 C:\ProgramData\Electric Cloud\ElectricCommander\conf> "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -list -v -keystore repository/keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jetty
Creation date: Mar 31, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 4d94cabd
Valid from: Thu Mar 31 11:41:01 PDT 2011 until: Sun Mar 25 11:41:01 PDT 2012
Certificate fingerprints:
     MD5:  54:5D:76:E3:DD:07:06:53:99:CB:18:8F:2F:A6:70:D3
     SHA1: EA:EE:D0:87:0B:F7:09:90:27:79:E3:7A:E7:33:F4:59:20:81:98:CB
     SHA256: 07:90:AC:0B:D9:58:6D:7B:9F:16:B8:AB:D4:4A:D8:3E:F8:18:8B:AE:E8:F3:78:12:EB:E5:45:56:AA:8D:A5:9C
     Signature algorithm name: SHA1withRSA
     Version: 3


*******************************************
*******************************************
```

If this process works in resolving the 'no trusted keystore on agent' error, please contact support@cloudbees.com if you have questions.
