
I have created a Docker image using Open Liberty with my custom application, to be hosted in Azure as a Web App Service. Everything is working fine except when I try to access another controller hosted on Azure (https://mycontrollerurl.azurewebsites.net/....), where I see the following error in the logs:

[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.azurewebsites.net was sent from the target host. The signer might need to be added to local trust store /opt/ol/wlp/output/defaultServer/resources/security/key.p12, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 2019-04-27T15:44:49.047295297Z java.security.cert.CertPathValidatorException: The certificate issued by CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE is not trusted; internal cause is:

Can someone help me with how I can create my server.xml file to include the cert, and any other steps I need to perform? I am just a 2-day-old novice on Liberty and am trying to fix the issue for my dev team. Can you please let me know how I can get this cert issue fixed?

UPDATE: ISSUE RESOLVED (thanks to Bruce for pointing me in the right direction):

1. I had to download the azurewebsites certificate (very easy, just do it from the browser); you can get all the steps from the article here.
2. Save that azurewebsites certificate file to the same directory my Dockerfile is in.
3. Modify my Dockerfile to look like:

```dockerfile
FROM open-liberty:webProfile8
COPY --chown=1001:0 server.xml /config/
COPY --chown=1001:0 ancConnector-Liberty.war /config/dropins/
# Add the Azure Certificate to enable HTTPS connection.
COPY --chown=1001:0 azurewebsites.cer /opt/ol/wlp/output/defaultServer/resources/security/
WORKDIR /opt/ol/wlp/output/defaultServer/resources/security/
RUN keytool -noprompt -importcert -file azurewebsites.cer -alias azurewebsites -keystore key.jks -storepass Liberty -storetype jks
```

That's all; build the image and we are good to go! Everything is working now! Hope it helps someone in the future.

user42012

1 Answer


You need to add the signer cert from azure to the truststore file of Liberty so it will "trust" that site. The process is here:

https://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_add_trust_cert.html

Bruce T.
  • Thanks Bruce, this looks promising. I have the cert downloaded, but since I am creating a Docker image of Open Liberty I'm not sure how I import this into the keystore mentioned in the error (Error: A signer with SubjectDN CN=*.azurewebsites.net was sent from the target host. The signer might need to be added to local trust store /opt/ol/wlp/output/defaultServer/resources/security/key.p12, located in SSL configuration alias defaultSSLConfig.). I think the Dockerfile needs to be modified, but I'm not sure how it will look. Any help? – user42012 Apr 27 '19 at 19:40
  • You are correct, the Dockerfile needs to be modified to include the updated p12 file. You can try it first with a Liberty install on your PC; if you have it right and the cert error goes away, then you can update your Docker image build to include that p12 file. – Bruce T. Apr 27 '19 at 20:43
  • Thank you Bruce, my issue is resolved. All I had to do was download the azurewebsites certificate and then change my Dockerfile, which now looks as follows: – user42012 Apr 27 '19 at 22:02
  • My Dockerfile: FROM open-liberty:webProfile8 COPY --chown=1001:0 server.xml /config/ COPY --chown=1001:0 ancConnector-Liberty.war /config/dropins/ # Add the Azure Certificate to enable HTTPS connection. COPY --chown=1001:0 azurewebsites.cer /opt/ol/wlp/output/defaultServer/resources/security/ WORKDIR /opt/ol/wlp/output/defaultServer/resources/security/ RUN keytool -noprompt -importcert -file azurewebsites.cer -alias azurewebsites -keystore key.jks -storepass Liberty -storetype jks – user42012 Apr 27 '19 at 22:02
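A variant of the build described above, added here as an example and not the asker's or Open Liberty's own Dockerfile. Instead of writing into the server's generated `key.jks`/`key.p12` (which also holds the server's private key), it imports the CA certificate into a separate PKCS12 trust store under `/config/resources/security/` and verifies the import during the build, so a bad file fails the build rather than surfacing later as another CWPKI0022E. The file name `azure-root.cer`, the alias `azure-root` and the store password `changeit` are placeholders chosen for this example; the rest of the image layout (`open-liberty:webProfile8`, `/config`, user `1001:0`) comes from the question.

```dockerfile
# Added example (not the asker's Dockerfile): put the CA that issued the
# *.azurewebsites.net certificate into a dedicated Liberty trust store.
# Assumptions: azure-root.cer is the CA certificate (PEM or DER) saved next
# to this Dockerfile, and "changeit" is a constructed placeholder password.
FROM open-liberty:webProfile8

# Application and server configuration, as in the question.
COPY --chown=1001:0 server.xml /config/
COPY --chown=1001:0 ancConnector-Liberty.war /config/dropins/

# Keep outbound trust anchors in their own PKCS12 store under the server
# config directory. The server's generated key.p12 stays untouched and the
# trust store can be rebuilt on its own whenever the CA changes.
COPY --chown=1001:0 azure-root.cer /config/resources/security/
RUN keytool -importcert -noprompt \
      -file /config/resources/security/azure-root.cer \
      -alias azure-root \
      -keystore /config/resources/security/azureTrust.p12 \
      -storetype PKCS12 \
      -storepass changeit \
 # Build-time check: the alias must be listed, otherwise the build fails here.
 && keytool -list \
      -keystore /config/resources/security/azureTrust.p12 \
      -storetype PKCS12 -storepass changeit \
    | grep -q "azure-root" \
 # The raw certificate file is no longer needed inside the image.
 && rm /config/resources/security/azure-root.cer
```

To make Liberty use that store for outbound connections, the `server.xml` copied into `/config/` needs a `keyStore` element for it and an `ssl` element that references it as the trust store, for example `<keyStore id="azureTrust" location="${server.config.dir}/resources/security/azureTrust.p12" type="PKCS12" password="changeit"/>` together with `<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="azureTrust"/>` (`defaultKeyStore` is Liberty's default keystore id and stays as the server's own identity store). Two practical points: the error in the question names `CN=Baltimore CyberTrust Root` as the untrusted issuer, so importing that issuing CA rather than the leaf `*.azurewebsites.net` certificate keeps the build working when Azure rotates the leaf; and because the trust store holds only public certificates, a well-known password in the Dockerfile costs nothing, whereas the password of the store that holds the server's private key should not be baked into image layers.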