TSSA/BSA: Error from TSSA Redhat Patch Catalog Updates beginning in March 2019 -  PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.

Version 11

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BladeLogic Server Automation Suite


    COMPONENT:

    BladeLogic Patch Management


    APPLIES TO:

    All versions of BSA/TSSA



    PROBLEM:

    Beginning on or around March 4th 2019, TSSA/BSA Redhat Patch Catalog Jobs began failing with the following error in the job run log:
     

    Info 5-Mar-2019 2:21:42 PM Download of Package failed Rpm download failed: java-1.8.0-openjdk-devel-1.8.0.201.b09-2.el7_6.x86_64.rpm,Error occurred while downloading the patch, retries completed. (Caused By: Error occurred while connecting to url: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/Packages/j/java-1.8.0-openjdk-devel-1.8.0.201.b09-2.el7_6.x86_64.rpm. Please verify Internet connectivity and if you have provided Proxy then verify your Proxy settings (Caused By: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path. (Caused By: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path. (Caused By: Could not build a validated path.))))
      
    The job run log might also show the following error:
    Run at 18/03/2019 5:25:27 PM,Info,18/03/2019 9:48:37 PM,StdOut : Mon Mar 18 11:18:37 UTC 2019 : Reposync executed successfully for repo rhel-7-server-rpms.
    Run at 18/03/2019 5:25:27 PM,Info,18/03/2019 9:48:37 PM,StdOut : Mon Mar 18 11:18:37 UTC 2019 : No rpms found after reposync
    Run at 18/03/2019 5:25:27 PM,Info,18/03/2019 9:48:37 PM,"StdOut : Mon Mar 18 11:18:37 UTC 2019 : No rpms found after reposync for repo rhel-7-server-rpms, Command Exit Code - 1"
    Run at 18/03/2019 5:25:27 PM,Error,18/03/2019 9:48:38 PM,Validation Error :- BLPAT1227 - No RPM's found after reposync. Possible remediation steps :- The selected channel does not have any RPM's. Please remove it and try again. The channel name is 'rhel-7-server-rpms'.
      
    'yum_metadata_generator.log' might show the following:
    Tue Mar 19 04:33:53 UTC 2019 : Reposync executed successfully for repo rhel-7-server-rpms.
    Tue Mar 19 04:33:54 UTC 2019 : No rpms found after reposync
    Tue Mar 19 04:33:54 UTC 2019 : No rpms found after reposync for repo rhel-7-server-rpms, Command Exit Code - 1
      
    Important notes to differentiate this issue from other occurrences of the same error:

    1. Redhat Catalog Updates previously (prior to March 4th 2019) worked correctly in the same environment.
    2. The RPM mentioned in the error message varies and the issue is not specific to any specific RPM or to any version of RHEL.
    3. Importantly, the reposync_patch_summary.log and yum_metadata_generator.log log files do not contain any errors, which suggests that reposync and yum did not encounter an issue.
    4. The TSSA Appserver Log contains the following detailed stack trace.
      
    [04 Mar 2019 17:59:43,987] [PSU-Thread-10] [ERROR] [User@Role:] [Patch-Metadata-Updator] Rpm download failed: java-1.8.0-openjdk-devel-1.8.0.201.b09-2.el7_6.x86_64.rpm,Error occurred while downloading the patch, retries completed. (Caused By: Error occurred while connecting to url: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/Packages/j/java-1.8.0-openjdk-devel-1.8.0.201.b09-2.el7_6.x86_64.rpm. Please verify Internet connectivity and if you have provided Proxy then verify your Proxy settings (Caused By: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path. (Caused By: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path. (Caused By: Could not build a validated path.))))
    com.bmc.sa.patchfeed.PatchDownloadFeedException: Error occurred while downloading the patch, retries completed.
        at com.bmc.sa.patchfeed.redhat.util.RhnWebService.downloadPayload(Unknown Source)
        at com.bmc.sa.patchfeed.redhat.util.RhnDownloadTask.call(Unknown Source)
        at com.bmc.sa.patchfeed.redhat.util.RhnDownloadTask.call(Unknown Source)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
        at com.bladelogic.om.patch.app.psu.PSUThreadFactory$PSUThread.run(PSUThreadFactory.java:81)
    Caused by: com.bmc.sa.patchfeed.FeedException: Error occurred while connecting to url: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/Packages/j/java-1.8.0-openjdk-devel-1.8.0.201.b09-2.el7_6.x86_64.rpm. Please verify Internet connectivity and if you have provided Proxy then verify your Proxy settings
        at com.bmc.sa.patchfeed.util.net.HttpClient.execute(Unknown Source)
        at com.bmc.sa.patchfeed.redhat.util.RhnWebServiceManager.getHtmlPageContent(Unknown Source)
        at com.bmc.sa.patchfeed.redhat.util.RhnWebService.getPackageDownloadUrl(Unknown Source)
        ... 10 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
        at com.bmc.sa.patchfeed.util.net.client.ApacheConnectionClientImpl.executeMethod(Unknown Source)
        ... 13 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
        ... 32 more
    Caused by: java.security.cert.CertPathBuilderException: Could not build a validated path.
        at com.rsa.cryptoj.o.qc.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 38 more
      
      

     


    CAUSE:

    A change was made to the directory structure used on Redhat's cdn.redhat.com site on or around March 4th 2019.


    SOLUTION:

     

    1) Details on Root Cause:

    The root cause of the problem is a change in the directory structure used to store rpms on cdn.redhat.com to include a subdirectory under Packages corresponding to the first letter of the rpm filename e.g.

      

    Old: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/Packages/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.i6…

      

    New: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/Packages/j/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.…

      


    This change was made on or around March 4th 2019.

      

    The downloading of the rpms to the repository continues to work correctly (hence no errors in the aforementioned logs), but this change in the directory structure broke the logic used by the TSSA yum_metadata_generator.sh script to process the downloaded rpms.
    This, in turn, resulted in a code path being followed which led to the above java.security.cert.CertPathBuilderException errors being displayed in the TSSA appserver log file. The root cause of this problem is not Certificate related.
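
The layout change described above can be confirmed on disk before anyone starts changing trust stores. The following is an added example, not BMC's yum_metadata_generator.sh or any other BMC code: it classifies a synced repository's Packages directory as flat or first-letter-subdirectory and shows how many RPMs a flat-only search would see. The function names and sample file names are hypothetical, and the sample trees are constructed.

```shell
#!/bin/sh
# Added example (not BMC code): report how RPMs are laid out under a repo's
# Packages directory. Function names and sample paths are hypothetical.

# Count *.rpm files exactly $2 directory levels below $1.
rpms_at_depth() {
    find "$1" -mindepth "$2" -maxdepth "$2" -type f -name '*.rpm' | wc -l | tr -d ' '
}

# Print: empty | flat (Packages/x.rpm) | lettered (Packages/j/x.rpm) | mixed
rpm_layout() {
    flat=$(rpms_at_depth "$1" 1)
    nested=$(rpms_at_depth "$1" 2)
    if [ "$flat" -eq 0 ] && [ "$nested" -eq 0 ]; then echo empty
    elif [ "$nested" -eq 0 ]; then echo flat
    elif [ "$flat" -eq 0 ]; then echo lettered
    else echo mixed
    fi
}

# RPMs visible to a flat-only search versus a layout-agnostic one.
flat_glob_count() { rpms_at_depth "$1" 1; }
any_layout_count() {
    find "$1" -maxdepth 2 -type f -name '*.rpm' | wc -l | tr -d ' '
}

# Constructed sample trees (empty placeholder files, not real packages).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/old/Packages" "$root/new/Packages/j" "$root/new/Packages/b"
    : > "$root/old/Packages/java-sample-1.0.x86_64.rpm"
    : > "$root/new/Packages/j/java-sample-1.0.x86_64.rpm"
    : > "$root/new/Packages/b/bash-sample-1.0.x86_64.rpm"
    echo "$root"
}

sample=$(make_sample)
for repo in old new; do
    dir="$sample/$repo/Packages"
    echo "$repo: layout=$(rpm_layout "$dir")" \
         "flat_only=$(flat_glob_count "$dir") any_layout=$(any_layout_count "$dir")"
done
rm -rf "$sample"
```

A "lettered" result with a flat-only count of zero matches the "No rpms found after reposync" symptom even though the download itself succeeded.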


    2) Details on TSSA Hotfix:

    TSSA defect DRBLG-118231 was created to enhance the yum_metadata_generator.sh script in order to handle the updated directory structure.

    yum_metadata_generator.sh is shipped in the support-files-1.0-SNAPSHOT.jar, so an updated jar file is required.


    3) To obtain the Hotfix:

      

    As of March 12 2019, BMC has begun rolling out hotfixed jar files to customers who have created a support case. If you have encountered this issue and not yet created a support case, please do so and provide the following details for each TSSA/BSA environment:

      

    a) Exact BSA/TSSA version and build number

      

    b) OS of your Appserver and/or Redhat Downloader Server(Offline)

      

    c) Whether you are using online or offline patch catalogs

      

    d) Attach the support-files-1.0-SNAPSHOT.jar file from the following location to the case.

      

    Online Patch Catalogs: NSH/br/stdlib/support-files-1.0-SNAPSHOT.jar file from one of your BSA/TSSA appservers
    Offline Patch Catalogs: <offlineDownloaderDir>/libs/support-files-1.0-SNAPSHOT.jar

      

    e) This issue is already fixed in TSSA 8.9.04 RU1, which can be obtained as described below:
     https://docs.bmc.com/docs/tssa89/rolling-update-1-for-version-8-9-04-865262606.html
    The defect was also fixed in 8.9.04.001.

     


    Article Number:

    000165641


    Article Type:

    Solutions to a Product Problem


