[Bug] unable to find valid certification path to requested target

[tunbb]

Search before asking

• I had searched in the issues and found no similar issues.

Apache SkyWalking Component

Helm Chart (apache/skywalking-kubernetes)

What happened

I've using es storage with https, but I am stuck in certification although .jks have already insert in the es-init pod and the oap pod. How can I solve the problem?

error:
length-B,duratio-0ns,totalDurat0n=249ms (249630923ns), cause=com.linecorp.armeriaclient,UnprocessedRequestException: javax.netSSLHandshakeException: General OpenSslEngineproblem. headers=l:status=071com.linecorp.armeria.client.UnprocessedRequestException: javax.net.ssl.SSLHandshakeExceptioieneral OpenSslEngine problerjar:?]at com,linecorp.armeria.client.UnprocessedRequestException.of(UnprocessedRequestExcetlon java:o) larmerla-1.1o..at com,linecorp.armeria.client.HttpChannelpool .notifyConnect(HttpChannelpool.java:550) [armeria-1.16.8.jar:?)at com,linecorp.armeria.client.HttpChannelpool.lambdasconnect$4(HttpChannelPooljava:378) armeria-1.16.0.jar:?)at io.netty.util.concurrent.DefaultPromise.notifylistener DefaultPromise,java:578) netty-common-4.1.77.Final, jar:4.1.77.Finat io.nettyutil.concurentDefaultPromisenotifylistenersNow(DefaultPromise.java:552) Inetty-comon-4.1.77.Final,jar:4.1.77al]eners(Defaultromise.java:491) [netty-common-4.1.77.Finaliar:4.1.77.Finat io.netty.util.concurrent.DefaultPromise.setValue0(DefaultPromise.java:616) Inetty-common-4.1.77.Final,jar:4.1.77.Finalat io.netty,utilconcurrentDefaultPromise. setFailuree(DefaultPromise ava:609) netty-Common-4.1.77.Final.jar:4.1.77.Finalat ionetty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:117) [netty-common-4.1.77.Final.jar:4.1.77.Final)at com.linecoro.armeriaclient,HttoSessionHandler.channelnactive(HttosessionHandler java:426) /armeria-1.16.0.jar.?at ionetty.channel.AbstractChannelHandlerContext.invokeChanelinactive(AbstractchannelHandlerContext java:262) Inetty-transoat io.netty,chamnel,AbstractChamnelHandlerontext invokechannelinactive(AbstractChannelHandlerontext. java:248) netty-transoi
at io.netty.util.concurrent .Defaultpromise-4.1.77.Final.jar:4.1.77.Final]
notfws+
-4.1.77.Final.jar:4.1.77.Final]

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathbuilderExcept
ion: unable to find valid certification path to requested targetat sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[?:?]at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) ~[?:?]at sun.security.validator.Validator.validate(Unknown Source) ~[?:?]at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) ~[?:?]oat sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[?:?]at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[?:?]at io.netty.handler. ssl.Referencelounted0penss1ClientContext$ExtendedtrustManagerVerifycallbackverify(Reference(ountedopenSsllientContext.java:234) [netty-handler-4.1.77.Final.jar:4.1.77.Final]at ionetty.handler.ssl.ReferenceountedopenSslContext$AbstractCertificateVerifier.verify(Referencelounted0penSslContext.java:773) ~[netty-handler-4.1.77.Final.jar:4.1.77.Final]at ionetty.intemnal.tcnativeCertificateverifierTaskruntask(CertificateverifierTask.java:3) netty-tcnative-clases-2.0.52.inal.jar:2.0.52.Final]

What you expected to happen

es-int job is successully completed and oap pod is running

How to reproduce

elasticsearch:
enabled: false
config: # For users of an existing elasticsearch cluster,takes effect when elasticsearch.enabled is false
host: xx-es.xx.svc
port:
http: 9200
user: "xx" # [optional]
password: "xx"

    volumeMounts:
      {{- if eq .Values.oap.env.SW_STORAGE_ES_HTTP_PROTOCOL "https" }}    
        - name: skywalking-es-ca
          mountPath: /skywalking/es/config/truststore.jks
          subPath: truststore.jks
      {{- end }}

oap:
env:
SW_STORAGE_ES_HTTP_PROTOCOL: https
# more env, please refer to https://hub.docker.com/r/apache/skywalking-oap-server
# or https://github.com/apache/skywalking-docker/blob/master/6/6.4/oap/README.md#sw_telemetry
SW_SW_STORAGE_ES_SSL_JKS_PATH: "/skywalking/es/config/truststore.jks"
SW_SW_STORAGE_ES_SSL_JKS_PASS: "xxx"

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[wu-sheng]

This seems SSL side issue, rather than what SkyWalking could do. Maybe your cert file is not correct.

[tunbb]

certificate is correct.
en, If /skywalking/es/config/truststore.jks exists both on es-init and oap pod , is that means cert file is on the right folder which env set to : SW_SW_STORAGE_ES_SSL_JKS_PATH=/skywalking/es/config/truststore.jks
can you show the correct way to mount a cert in pod using skywalking chart?
thx!