Add a custom certificate to the cluster node TrustStore

abnerlusung
Advisor

Hi,

I created a self-signed certificate using

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout abc.pem -out abc.pem

 

I followed this command from https://docs.dynatrace.com/docs/managed-cluster/configuration/how-to-add-a-certificate-to-server-tru...

nohup <PRODUCT_PATH>/installer/reconfigure.sh --update-cert --network-proxy-cert-file <cert_file>.cer &

 

And I have encountered this issue.

2023-12-15 06:58:01 UTC SEVERE  [<server,0x3>] [<platform>, LoggingThrowableHandler] VirtualMachineError in thread "main@main": java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext); taskInfo= ... Terminating Runtime with exit code=2
java.lang.InternalError: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
	at java.net.http/jdk.internal.net.http.HttpClientImpl.<init>(Unknown Source)
	at java.net.http/jdk.internal.net.http.HttpClientImpl.create(Unknown Source)
	at java.net.http/jdk.internal.net.http.HttpClientBuilderImpl.build(Unknown Source)
	at java.net.http/java.net.http.HttpClient.newHttpClient(Unknown Source)
	at com.dynatrace.sso.shared.api.idp.IdpUriSupplier.<init>(IdpUriSupplier.java:91)
	at com.dynatrace.sso.shared.api.idp.IdpUriSupplier.newInstance(IdpUriSupplier.java:135)
	at com.compuware.apm.server.core.api.ServerLifecycle.<init>(ServerLifecycle.java:878)
	at com.compuware.apm.server.onprem.OnPremServerLifecycle.<init>(OnPremServerLifecycle.java:712)
	at com.compuware.apm.server.onprem.OnPremServerStartup.lambda$main$0(OnPremServerStartup.java:29)
	at com.compuware.apm.server.core.ServerStartup.commonMain(ServerStartup.java:34)
	at com.compuware.apm.server.onprem.OnPremServerStartup.main(OnPremServerStartup.java:22)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
	at java.base/java.security.Provider$Service.newInstance(Unknown Source)
	at java.base/sun.security.jca.GetInstance.getInstance(Unknown Source)
	at java.base/sun.security.jca.GetInstance.getInstance(Unknown Source)
	at java.base/javax.net.ssl.SSLContext.getInstance(Unknown Source)
	at java.base/javax.net.ssl.SSLContext.getDefault(Unknown Source)
	... 11 more
Caused by: java.security.KeyStoreException: problem accessing trust store
	at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(Unknown Source)
	at java.base/javax.net.ssl.TrustManagerFactory.init(Unknown Source)
	at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getTrustManagers(Unknown Source)
	at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(Unknown Source)
	at java.base/sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(Unknown Source)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
	at java.base/java.security.Provider.newInstanceUtil(Unknown Source)
	... 16 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
	at java.base/sun.security.util.DerInputStream.getLength(Unknown Source)
	at java.base/sun.security.util.DerValue.init(Unknown Source)
	at java.base/sun.security.util.DerValue.<init>(Unknown Source)
	at java.base/sun.security.util.DerValue.<init>(Unknown Source)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source)
	at java.base/java.security.KeyStore.load(Unknown Source)
	at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(Unknown Source)
	at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(Unknown Source)
	at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(Unknown Source)
	... 26 more

 

Any ideas what I did wrong? Your help is very much appreciated 🙂

Best Regards,

Abner 

5 REPLIES

RazTN7
Dynatrace Champion

Hello @abnerlusung 

1. Get the .pem version of the certificate assigned to Proxy.
2. Run the reconfigure.sh command and it should complete without any errors:

nohup <PRODUCT_PATH>/installer/reconfigure.sh --update-cert --network-proxy-cert-file <cert_file>.pem &

3. Restart all the services (if needed)

 

Cheers!

RN

Have a nice day!

This is exactly what I did. 

RazTN7
Dynatrace Champion

Did you receive a similar message after executing reconfigure.sh?

Error - 'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte 

Have a nice day!

Hi @RazTN7 ,

I did not see this message 🤔

Kind Regards,

Abner

Julius_Loman
DynaMight Legend

Most likely you need to strip the PEM file to contain just the certificate (no private key, no other information, just everything between BEGIN CERTIFICATE and END CERTIFICATE, including those two lines).

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
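
One way to do the stripping described in the answer above, as an added example that is not part of the original thread: the `openssl req` command in the question writes the private key and the certificate into the same `abc.pem`, so this script keeps only the certificate block(s) and rejects output that still carries a private key. The function names, the output file name `abc-cert.pem` and the sample file are assumptions made for illustration; the sample's base64 bodies are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): reduce a combined PEM to its certificate block(s).

# Print each BEGIN/END CERTIFICATE block, markers included; drop all other lines.
extract_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { keep = 1 }
        keep                           { print }
        /^-----END CERTIFICATE-----/   { keep = 0 }
    ' "$1"
}

# Succeed only if the file holds a certificate and no private key block of any kind
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY).
is_cert_only() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" || return 1
    if grep -Eq '^-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"; then
        return 1
    fi
    return 0
}

# strip_pem SRC DST: write the certificate-only copy, or fail without leaving DST behind.
strip_pem() {
    extract_certs "$1" > "$2"
    if ! is_cert_only "$2"; then
        rm -f "$2"
        echo "no certificate block found in $1" >&2
        return 1
    fi
}

# Constructed sample with the layout of a combined key+cert file. The base64 bodies
# are placeholders, not real key or certificate data.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVIta2V5
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItY2VydA==
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp/abc.pem"
strip_pem "$tmp/abc.pem" "$tmp/abc-cert.pem" && cat "$tmp/abc-cert.pem"
```

On a real file, `openssl x509 -in abc-cert.pem -noout -subject -enddate` confirms that the stripped copy still parses as a certificate before it is passed to `--network-proxy-cert-file`.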
