phax / phoss-smp

phoss SMP - a Peppol and OASIS BDXR SMP Server, CEF eDelivery compliant

Error creating first servicegroup - unable to find valid certification path to requested target #261

Closed aaronmdec closed 7 months ago

aaronmdec commented 7 months ago

Hi, I'm having a problem getting my SMP to interact with the SMK. I'm running it on EC2 Linux, using Tomcat 10. I keep getting the error below when trying to register a new servicegroup:


I was getting the same error when doing the initial SMP registration via the built-in tool, but I was able to get through by registering the SMP via the tool in Peppol Helger.

Troubleshooting steps taken so far: I've loaded the PKI cert in PEM format into my "$JAVA_HOME/lib/security/cacerts"; the same cert can be used to connect successfully in a web browser to "https://acc.edelivery.tech.ec.europa.eu/edelivery-sml".

Could you let me know how this can be resolved, please?

Thanks, Aaron

aaronmdec commented 7 months ago

This is my screenshot of the tasks area; I still have one more issue to resolve.

phax commented 7 months ago

Okay, that sounds like a problem with the default system trust store. The problem is most likely that your Java JDK/JRE has an empty (or nearly empty) cacerts file. Please see https://stackoverflow.com/questions/11936685/how-to-obtain-the-location-of-cacerts-of-the-default-java-installation and other similar pages to check the content of your cacerts file. There is no particular SMP configuration property to configure the TLS trust store, so you have to rely on the system configuration here.

aaronmdec commented 7 months ago

I checked my cacerts and it wasn't empty. I also decided to delete my current cacerts and loaded a new cacerts from a new JAVA file. I'm still getting the same error.

I'll keep troubleshooting, but just to check, do I need to load my Peppol SMP PKI cert into my cacerts?

aaronmdec commented 7 months ago

So I kind of managed to solve this. I had to make sure my truststore password is blank; then I can successfully register the SMP onto the SMK and register new service groups.


But this also means my certificate information tab has a warning.

Every time I put in the password for the truststore in the backend file, it doesn't allow me to establish a handshake with the SMK server. Is this a bug?

phax commented 7 months ago

No, please don't load the Peppol SMP PKI into your cacerts. Inside the SMP, it is at the path /secure/locale-en_US/menuitem-admin_sysinfo_cacerts (Administration | System truststore).

Regarding the trust store: please see https://github.com/phax/peppol-commons/tree/master/peppol-commons/src/main/resources/truststore for a set of predefined trust stores. Don't do it yourself :)
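The two checks suggested in this thread (inspect the content of the JDK default cacerts file, and use a proper trust store with the right password instead of a hand-built one) can be scripted. The following is an added example written for this page, not code from phoss-smp or peppol-commons. It assumes a JDK with `keytool` on the PATH, that the JDK default trust store still uses the well-known default password `changeit`, and that the path and password of the Peppol trust store are supplied by the reader (shown as placeholders).

```shell
#!/bin/sh
# Added example (not part of phoss-smp): sanity checks for the trust stores
# involved in the SMK handshake failure discussed in this issue.
#
# Assumptions: a JDK is installed and `keytool` is on PATH; the JDK default
# trust store uses the default password "changeit". The Peppol trust store
# path and password below are placeholders for the reader's own values.

# find_cacerts [JAVA_HOME_DIR]
#   Print the path of the JDK default trust store under the given Java home
#   (defaults to $JAVA_HOME). Java 9+ keeps it in lib/security, Java 8 JREs
#   in jre/lib/security. Returns 1 when no cacerts file is found.
find_cacerts() {
  home="${1:-$JAVA_HOME}"
  if [ -z "$home" ]; then
    echo "find_cacerts: JAVA_HOME not set and no directory given" >&2
    return 1
  fi
  for candidate in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      echo "$candidate"
      return 0
    fi
  done
  echo "find_cacerts: no cacerts file under $home" >&2
  return 1
}

# count_trusted_certs STORE [PASSWORD]
#   Print how many trustedCertEntry entries STORE contains. A result of 0
#   means the JVM has no trust anchors at all and will reject every TLS
#   server certificate, which is exactly the "unable to find valid
#   certification path" error in this issue.
count_trusted_certs() {
  store="$1"
  pass="${2:-changeit}"
  if ! command -v keytool >/dev/null 2>&1; then
    echo "count_trusted_certs: keytool not found on PATH" >&2
    return 2
  fi
  keytool -list -keystore "$store" -storepass "$pass" 2>/dev/null \
    | grep -c 'trustedCertEntry'
}

# check_store_password STORE PASSWORD
#   Return 0 if keytool can open STORE with PASSWORD, non-zero otherwise.
#   A wrong, non-empty password fails the keystore integrity check, so the
#   SMP cannot load the store and the TLS handshake has nothing to trust.
check_store_password() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "check_store_password: keytool not found on PATH" >&2
    return 2
  fi
  keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Example run (requires a JDK; placeholder values for the Peppol store):
#   store=$(find_cacerts) && echo "$store has $(count_trusted_certs "$store") CA entries"
#   check_store_password /path/to/peppol-truststore.jks '<truststore password>' \
#     && echo "trust store opens with the configured password"
```

Two points worth knowing when reading the results: loading a JKS file with no password skips the integrity check entirely, while any non-empty password is verified against the store, so a store that only opens with a blank password is a sign that the configured password simply does not match the file, not that passwords are unsupported. And passing `-storepass` on the command line exposes the password in the process list; on a shared host, omit it and let `keytool` prompt instead.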

aaronmdec commented 7 months ago

Awesome, this works perfectly now! Thanks for your help :)