For your local agents, if you are encountering the following errors:

* The Job Status contains the error "Trust anchor for certification path not found."
* The Resource status contains the error "The agent machine reset the network connection. The resource definition and agent may have a protocol (http vs https) mismatch: Trust anchor for certification path not found"

Please run the following sequence of certificate-related calls when doing a full install (Windows):
1. ``` eccert --debug initCA ```
   1. Generating CA keys and certificate

      ```
      openssl req -x509 -new -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca.pem" -keyout "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca_pk.pem" -days 3650 -nodes -subj "/CN=commander5.electriccloud.com/O=Electric Commander CA" 2>&1
      ```

      ```
      Generating a 2048 bit RSA private key
      writing new private key to 'C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca_pk.pem'
      ```
   2. Updating CA revocation list

      ```
      openssl ca -gencrl -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\crl.pem" 2>&1
      ```
2. ``` eccert --debug initServer ```
   1. Generating keys

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -dname "CN=commander5.electriccloud.com,O=server" 2>&1
      ```
   2. Generating certificate request

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "commander5.electriccloud.com" "" 2>&1
      ```

      ```
      Output: "cname=commander5.electriccloud.com san="
      ```

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_csr.pem" 2>&1
      ```
   3. Signing server certificate

      ```
      openssl ca -passin stdin -batch -config "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf" -in "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_csr.pem" -out "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_crt.pem" -notext 2>&1
      ```

      ```
      output='Using configuration from C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\openssl.cnf
      Check that the request matches the signature
      Signature ok
      The Subject's Distinguished Name is as follows
      organizationName :PRINTABLE:'server'
      commonName :PRINTABLE:'commander5.electriccloud.com'
      Certificate is to be certified until Aug 17 17:14:20 2025 GMT (3650 days)
      Write out database with 1 new entries
      Data Base Updated
      '
      ```
   4. Importing 'CA:commander5.electriccloud.com' certificate

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\security\ca.pem" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias "CA:commander5.electriccloud.com" -noprompt 2>&1
      ```

      ```
      Certificate was added to keystore
      ```
   5. Importing 'jetty' certificate

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\server_crt.pem" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias "jetty" -noprompt 2>&1
      ```

      ```
      Certificate reply was installed in keystore
      ```
3. ``` eccert --debug initAgent ``` (not a trusted agent)
   1. Generating keys

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -dname "CN=commander5.electriccloud.com,O=agent" 2>&1
      ```
   2. Generating certificate request

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "commander5.electriccloud.com" "" 2>&1
      ```

      ```
      output='san=
      '
      cname=commander5.electriccloud.com
      san=
      ```

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\agent_csr.pem" 2>&1
      ```

Sequence of certificate related calls when doing a standalone trusted agent call

1. ``` eccert --debug --server 192.168.32.16 --securePort 8443 initAgent --remote ```
   1. Generating keys

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -genkeypair -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias jetty -dname "CN=agent51.hsd1.ca.comcast.net,O=agent" 2>&1
      ```
   2. Generating certificate request

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java" -cp "C:\Program Files\Electric Cloud\ElectricCommander\utils\Overlay.jar" com.electriccloud.install.GetAlternateNames "agent51.hsd1.ca.comcast.net" "" 2>&1
      ```

      ```
      output='san=
      cname=agent51.hsd1.ca.comcast.net
      san=
      ```

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -certreq -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias jetty -file "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\agent_csr.pem" 2>&1
      ```
   3. Making call to server 192.

      ```
      Asking server '192.168.32.16' to sign certificate
      request = {
        "version": "2.2",
        "timeout": 180,
        "sessionId": "FJRZCL506UE4IKAI",
        "requests": [
          { "requestId": 1, "operation": "getCertificates" },
          {
            "parameters": {
              "certificateData": "BEGIN NEW CERTIFICATE REQUEST MIICbDCCAikCAQAwNjEOMAwGA1UEChMFYWdlbnQxJDAiBgNVBAMTG2F nZW50………………..GakbmpVfMjhJLXCC84U0Z4tf END NEW CERTIFICATE REQUEST "
            },
            "requestId": 2,
            "operation": "signCertificate"
          }
        ]
      }
      response (partial) = {
        "responses": [
          {
            "certificates": "BEGIN CERTIFICATE MIIDxzCCAq+gAwIBAgIJALWDPsB7Y+77MA0GCSqGSIb3DQEBBQUA MEsxKT…………………..PSa0OQ97nGYjxYZaNgvVYzmfSfwNHQGXpuwAkPLSTlIhJLHS p EA= END CERTIFICATE ",
            "revocations": "BEGIN X509 CRL MIIBkDB6MA0GCSqGSIb3DQEBBQUAMEsxKTAnBgNVBAMTIHNoYWRvdy1tYXN0 ZXIu Z…………………..FNvI2YfvbLis0Ep1r3oMK4= END X509 CRL ",
            "requestId": "1"
          },
          {
            "value": "BEGIN CERTIFICATE MIIDyzCCArOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMSkwJwYDVQQ DEyBz……………………………………………….9BAnCxOnIz wMPG8MvpVJxK2y+weUiz END CERTIFICATE BEGIN CERTIFICATE MIIDxzCCAq+gAwIBAgIJALWDPsB7Y+77MA0GCSqGSIb3DQEBBQUA MEsxKT………….r0AtoknmAK1nP5KyuTaxGJgpPo stH+0fPlVj…………….",
            ………….
          }
        ]
      }
      ```
   4. Reading the CA certificate subject

      ```
      openssl x509 -noout -subject 2>&1
      ```

      ```
      output='subject= /CN=shadowmaster.electriccloud.com/O=Electric Commander CA'
      ```
   5. Importing 'CA:shadowmaster.electriccloud.com' certificate

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "/tmp/KYtxm_16Nv" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias "CA:shadowmaster.electriccloud.com" -noprompt 2>&1
      ```

      ```
      output='Certificate was added to keystore'
      ```
   6. Importing 'jetty' certificate

      ```
      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -importcert -file "/tmp/Pm1Pa8aZwh" -keystore "C:\ProgramData\Electric Cloud\ElectricCommander\conf\agent\keystore" -alias "jetty" -noprompt 2>&1
      ```

      ```
      output='Certificate reply was installed in keystore'
      ```

Notes

* `-keysize 2048` (when using `-genkeypair` and `-keyalg` is "RSA")
* The `-keyalg` value specifies the algorithm to be used to generate the key pair, and the `-keysize` value specifies the size of each key to be generated. The `-sigalg` value specifies the algorithm that should be used to sign the self-signed certificate. This algorithm must be compatible with the `-keyalg` value.
* If the underlying private key is of type RSA, then the `-sigalg` option defaults to SHA256withRSA. (from https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html )

Read keystore

```
vagrant@commander5: C:\ProgramData\Electric Cloud\ElectricCommander\conf conf "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -list -v -keystore repository/keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jetty
Creation date: Mar 31, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 4d94cabd
Valid from: Thu Mar 31 11:41:01 PDT 2011 until: Sun Mar 25 11:41:01 PDT 2012
Certificate fingerprints:
     MD5: 54:5D:76:E3:DD:07:06:53:99:CB:18:8F:2F:A6:70:D3
     SHA1: EA:EE:D0:87:0B:F7:09:90:27:79:E3:7A:E7:33:F4:59:20:81:98:CB
     SHA256: 07:90:AC:0B:D9:58:6D:7B:9F:16:B8:AB:D4:4A:D8:3E:F8:18:8B:AE:E8:F3:78:12:EB:E5:45:56:AA:8D:A5:9C
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************
```

If you have questions about using this process to resolve the 'no trusted keystore on agent' error, please contact support@cloudbees.com.