search

aodn / content

Tracks AODN Portal content and configuration issues
0 stars 0 forks source link

NRS BGC and SOOP AUSCPR harvests failing with SSL errors #454

Closed mhidas closed 4 years ago

mhidas commented 4 years ago

The talend jobs anmn_nrs_bgc and soop_auscpr harvest data via WFS from a CSIRO Geoserver. Since the 3rd of March they have both been failing every day, with errors like this:

Exception in component sWfsInput_1_GI (pci_harvest)
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
        at org.geotools.data.wfs.protocol.http.SimpleHttpProtocol$SimpleHttpResponse.getResponseStream(SimpleHttpProtocol.java:70)
        at org.geotools.data.wfs.WFSDataStoreFactory.loadCapabilities(WFSDataStoreFactory.java:779)
        at org.geotools.data.wfs.WFSDataStoreFactory.createDataStore(WFSDataStoreFactory.java:412)
        at soop_auscpr.pci_harvest_0_1.pci_harvest.sWfsInput_1_GIProcess(pci_harvest.java:3913)
        at soop_auscpr.pci_harvest_0_1.pci_harvest.iPostgresqlDbUpdate_1Process(pci_harvest.java:1291)
        at soop_auscpr.pci_harvest_0_1.pci_harvest.tPostgresqlConnection_1Process(pci_harvest.java:966)
        at soop_auscpr.pci_harvest_0_1.pci_harvest.iIncludeSdiLibraries_1Process(pci_harvest.java:731)
        at soop_auscpr.pci_harvest_0_1.pci_harvest.runJobInTOS(pci_harvest.java:5415)
        at soop_auscpr.pci_harvest_0_1.pci_harvest.runJob(pci_harvest.java:5179)
        at soop_auscpr.soop_auscpr_harvester_0_1.SOOP_AUSCPR_harvester.tRunJob_3Process(SOOP_AUSCPR_harvester.java:1777)
        at soop_auscpr.soop_auscpr_harvester_0_1.SOOP_AUSCPR_harvester.runJobInTOS(SOOP_AUSCPR_harvester.java:4847)
        at soop_auscpr.soop_auscpr_harvester_0_1.SOOP_AUSCPR_harvester.main(SOOP_AUSCPR_harvester.java:4528)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:380)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:273)
        at sun.security.validator.Validator.validate(Validator.java:262)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        ... 24 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:375)
        ... 30 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Mar 03 10:59:59 AEDT 2020
        at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
        at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
        at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
        at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 35 more
mhidas commented 4 years ago

Way down in the stack trace, there's this: java.security.cert.CertificateExpiredException: NotAfter: Tue Mar 03 10:59:59 AEDT 2020

So I guess that's means CSIRO need to renew their certificate.

anguss00 commented 4 years ago

Yes @mhidas, I've seen this issue when I was working on the datatrawler integration this iteration. I've made them aware of it on their end

mhidas commented 4 years ago

Thanks @anguss00 I have also notified the people who manage the Geoserver.

mhidas commented 4 years ago

Looks like they have finally fixed this at CSIRO. Both harvesters have been running successfully for the past week.