OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Caused by: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates #74

Closed droslean closed 1 year ago

droslean commented 1 year ago

The certificates that I generated include the issuer. However, I am still getting this error in orchestra pod. Is there any documentation that I can follow to re-create the certifications?

mlbiam commented 1 year ago

what's generating this exception? Can you please provide the entire stack trace?

droslean commented 1 year ago
Caused by: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates
    at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:658) ~[?:?]
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169) ~[?:?]
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842) ~[?:?]
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:194) ~[?:?]
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105) ~[?:?]
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1316) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) ~[?:?]
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[?:?]
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1417) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427) ~[?:?]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.13.jar:4.5.13]
    at com.tremolosecurity.proxy.postProcess.UriRequestProcess.postProcess(UriRequestProcess.java:127) ~[unison-server-core-1.0.34.jar:?]
    at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:92) ~[unison-server-core-1.0.34.jar:?]
    at com.tremolosecurity.proxy.filters.K8sInjectImpersonation.doFilter(K8sInjectImpersonation.java:92) ~[unison-applications-k8s-1.0.34.jar:?]
    at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:86) ~[unison-server-core-1.0.34.jar:?]
    at com.tremolosecurity.proxy.filters.AzFilter.doFilter(AzFilter.java:95) ~[unison-server-core-1.0.34.jar:?]
    at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:86) ~[unison-server-core-1.0.34.jar:?]
    at com.tremolosecurity.proxy.filters.SetNoCacheHeaders.doFilter(SetNoCacheHeaders.java:25) ~[unison-server-core-1.0.34.jar:?]
    at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:86) ~[unison-server-core-1.0.34.jar:?]
    at com.tremolosecurity.proxy.ProxySys.doURI(ProxySys.java:97) ~[unison-server-core-1.0.34.jar:?]
    ... 45 more
mlbiam commented 1 year ago

is this when trying to access the openunison login portal or the kubernetes dashboard?

droslean commented 1 year ago

The kubernetes dashboard.

mlbiam commented 1 year ago

hmm, seems like the cert that was generated by the dashboard didn't get deleted to use the new cert. Try deleting the kubernetes-dashboard pod. Once it re-launches, does that fix the issue?

If it doesn't, delete the kubernetes-dashboard-certs Secret in the kubernetes-dashboard namespace and "touch" the openunison orchestra object again to force a re-generation of the certificate.

droslean commented 1 year ago

The issue was fixed after https://github.com/OpenUnison/openunison-k8s/issues/73#issuecomment-1496275444

droslean commented 1 year ago

@mlbiam That error was in the orchestra pod, not in the kubernetes dashboard. When I was accessing the dashboard it would redirect me to an OpenUnison Internal Server error.

mlbiam commented 1 year ago

right. The openunison-orchestra Pod is a reverse proxy between you and the dashboard. The dashboard ships with an empty Secret for TLS and generates a random certificate that Java doesn't like. The operator generates a self-signed certificate that works much better. You received that error because the dashboard was using its randomly generated cert (did you recently update the dashboard?). Forcing the operator to run corrected the issue because it deployed a new certificate and trusted it in OpenUnison.
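The exception in the trace comes from the JDK's X.509 parser, which refuses any certificate whose issuer Name is an empty SEQUENCE, so the quickest way to confirm the diagnosis above is to look at the issuer of the certificate the dashboard is actually serving. The following is an added, stand-alone check (not OpenUnison or dashboard code) that walks the DER structure with only the Python standard library and reports whether the issuer DN is empty; it also builds a constructed, unsigned certificate skeleton with an empty issuer so the check can be exercised offline. The skeleton, the `openunison-ca` and `kubernetes-dashboard` names, and the `tls.crt` key mentioned afterwards are assumptions for illustration only.

```python
"""Check an X.509 certificate (DER or PEM) for the empty issuer DN that the JDK rejects."""
import base64
import re

# Attribute-type OIDs as raw DER content bytes (2.5.4.3 = CN, 2.5.4.10 = O, 2.5.4.6 = C).
_OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "C": b"\x55\x04\x06"}
_LABELS = {v: k for k, v in _OIDS.items()}


def _tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield (tag, value_start, value_end) for every TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def _name_to_str(data, start, end):
    """Render a Name (SEQUENCE OF RDN, RDN = SET OF AttributeTypeAndValue) as 'CN=x,O=y'."""
    parts = []
    for _, rs, rend in _children(data, start, end):            # each RDN (SET)
        for _, ats, ate in _children(data, rs, rend):          # each AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = list(_children(data, ats, ate))
            label = _LABELS.get(data[os_:oe], data[os_:oe].hex())
            parts.append(f"{label}={data[vs:ve].decode('utf-8', 'replace')}")
    return ",".join(parts)


def pem_to_der(text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def issuer_and_subject(der):
    """Return (issuer, subject) DN strings from a DER Certificate; '' means an empty Name."""
    _, cs, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, ts, te = _tlv(der, cs)               # TBSCertificate ::= SEQUENCE { ... }
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    (_, is_, ie), (_, ss, se) = fields[2], fields[4]
    return _name_to_str(der, is_, ie), _name_to_str(der, ss, se)


def has_empty_issuer(der_or_pem):
    """True when the certificate's issuer Name is empty (the case Java refuses to parse)."""
    data = pem_to_der(der_or_pem) if isinstance(der_or_pem, str) else der_or_pem
    issuer, _ = issuer_and_subject(data)
    return issuer == ""


# ---- constructed test fixture (assumption: structure only, unsigned, empty SPKI) ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(attrs):
    """Encode [('CN', 'x'), ...] as a Name; an empty list yields the empty SEQUENCE."""
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, _OIDS[k]) + _der(0x0C, v.encode()))) for k, v in attrs))


def build_cert_skeleton(issuer_attrs, subject_attrs):
    """Build a syntactically valid but unsigned Certificate skeleton for exercising the parser."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                     # version v3
           + _der(0x02, b"\x01")                                                # serialNumber 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))        # ecdsa-with-SHA256
           + _name(issuer_attrs)
           + _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z"))  # validity
           + _name(subject_attrs)
           + _der(0x30, b""))                                                   # SPKI placeholder
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    bad = build_cert_skeleton([], [])                                   # what the dashboard served
    good = build_cert_skeleton([("CN", "openunison-ca")], [("CN", "kubernetes-dashboard")])
    print("dashboard-style cert empty issuer:", has_empty_issuer(der_to_pem(bad)))
    print("operator-style cert issuer/subject:", issuer_and_subject(good))
```

To run it against the live cluster, decode the certificate out of the `kubernetes-dashboard-certs` Secret (assuming the key is `tls.crt`, which this thread does not state) and pass the PEM text to `has_empty_issuer`; a `True` result means the dashboard is still serving its own randomly generated certificate rather than the operator's self-signed one, and the Secret should be deleted and the orchestra object touched as described above. The same information is available with `openssl x509 -noout -issuer -subject` on the PEM, which prints an empty `issuer=` line for the offending certificate.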