Closed neo-liang-sap closed 9 months ago
@neo-liang-sap Oops, the dashboard link that you have provided refers to a project that I could not find. You can invoke the cluster self-diagnosis yourself later with /diag on a separate line in a comment to this issue.
@neo-liang-sap Label area/certification does not exist.
@neo-liang-sap The issue was assigned to you under author-action. Please unassign yourself when you are done. Thank you.
@neo-liang-sap ⚠️ Issue has priority critical, but the highest possible permitted priority for this landscape is normal. Priority will be lowered.
Ticket was in state author-/owner-action with no further response for 21 days. Closing.
What happened?
We switched to Gardener-provided certificates for our Solace message brokers. Now, CPI tenants have a problem connecting to the brokers with JCSMP:
"com.solacesystems.jcsmp.JCSMPTransportException: CertificateException - java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors"
The Gardener-managed certificate has the following chain:
Quick research on the error message revealed that it is problematic to have a longer validity in the intermediate certificate than in the root certificate. This is the case in the chain provided by the Gardener cert-manager.
This already triggered a Very High ticket and is now on escalation mode on the CPI side, so please assist as fast as possible.
What you expected to happen?
The previous certificate chain we used looked like this:
How would we reproduce it (concisely and precisely)?
Compare the output of the following commands:
openssl s_client -showcerts -connect vmr-e0d37365-cda5-4552-b518-19d5b0f4e3fd.vmr.sandbox.psb-prod.coco18.org:943
(Gardener-managed cert)
openssl s_client -showcerts -connect vmr-bbda6d45-5eb5-40b9-88db-da6c3523738a.vmr.eu12.ssb-live.live.messagebroker.net.sap:943
(not Gardener-managed cert)
Anything else we need to know?
Environment: cluster psb-prod/sandbox
Help us categorise this issue for faster resolution:
/area certification networking
/os garden-linux
/platform aws
/priority critical