Set Java Certs localhost:636 SSLHandshakeException
Overview
Sometimes an OS update (e.g. yum update) will clear out the LDAP SSL certificates stored in the JVM.
You can use the set-java-certs command on the server to re-import this SSL certificate.
Error message
One error you may encounter on the web admin interface or CLI contains the string SSLHandshakeException.
This is the full error:
simple bind failed:
localhost:636; nested exception is javax.naming.CommunicationException:
simple bind failed:
localhost:636 [
Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
]
This error comes from our sftpgw-admin-api backend, which is Java-based.
By default, SFTP Gateway imports the LDAP SSL certificate into the JVM.
This allows the JVM to communicate with LDAP, even though the certificate is self-signed.
After an OS update, these imported SSL certs can sometimes get cleared out.
This results in the SSLHandshakeException error.
Re-importing the Java certs
To fix this issue, run the following command:
sudo /usr/local/bin/set-java-certs
This command extracts the LDAP SSL certificate and re-imports it into the JVM.
After running this command, you should no longer see this error.
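To confirm whether the certificate is actually missing before the fix, or present after it, you can compare the SHA-256 fingerprint of the certificate served on localhost:636 with the entries in the JVM trust store. The script below is an added example, not part of SFTP Gateway or of set-java-certs. The trust store path and password are assumptions you supply, and the sample listings and fingerprints are constructed.

```bash
#!/usr/bin/env bash
# Added example (not SFTP Gateway code): is the certificate served on
# localhost:636 present in a JVM trust store? Compared by SHA-256 fingerprint.

# Reduce "sha256 Fingerprint=ab:cd:..." or "abcd..." to "AB:CD:...".
fp_colon() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \r\n' | tr 'a-f' 'A-F' \
        | sed 's/../&:/g; s/:$//'
}

# truststore_has_fp LISTING FINGERPRINT  (LISTING = text of `keytool -list -v`)
# Returns 0 if present, 1 if absent, 2 if FINGERPRINT is not SHA-256 sized hex.
truststore_has_fp() {
    local want listing
    want=$(fp_colon "$2")
    [ "${#want}" -eq 95 ] || return 2
    case "$want" in *[!0-9A-F:]*) return 2 ;; esac
    listing=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$listing" in *"$want"*) return 0 ;; *) return 1 ;; esac
}

# live_check TRUSTSTORE [STOREPASS]: path and password are assumptions the
# operator supplies; "changeit" is only the stock JDK default.
live_check() {
    local fp listing
    fp=$(openssl s_client -connect localhost:636 </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256) || return 2
    listing=$(keytool -list -v -keystore "$1" -storepass "${2:-changeit}") || return 2
    truststore_has_fp "$listing" "$fp"
}

# Constructed sample data (abbreviated keytool output, made-up fingerprints).
SAMPLE_FP='sha256 Fingerprint=3A:1F:9C:04:D2:7B:E5:68:0A:B3:4C:91:F7:2E:5D:86:19:C0:A4:3F:72:DE:08:B5:61:9A:E3:4D:7C:20:F6:15'
SAMPLE_CLEARED='Alias name: example-ca
	 SHA256: 7E:44:0B:D9:12:A6:5F:C3:80:3D:E1:96:2A:B7:4F:08:D5:6C:13:FA:29:8E:B0:47:C2:5A:E9:31:04:9D:76:BF'
SAMPLE_OK="$SAMPLE_CLEARED
Alias name: ldap-selfsigned
	 SHA256: 3A:1F:9C:04:D2:7B:E5:68:0A:B3:4C:91:F7:2E:5D:86:19:C0:A4:3F:72:DE:08:B5:61:9A:E3:4D:7C:20:F6:15"

report() {
    if truststore_has_fp "$2" "$SAMPLE_FP"; then echo "$1: certificate trusted"
    else echo "$1: certificate missing, re-import needed"; fi
}
report "trust store with LDAP cert" "$SAMPLE_OK"
report "trust store after certs were cleared" "$SAMPLE_CLEARED"
```

On a live server, live_check returns 1 when the LDAP certificate is absent from the given trust store, which is the condition that produces the PKIX path building failure shown above.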