PKIX error in OpsCenter with HTTPS AWS S3 Compatible Endpoint
Summary
A "PKIX path building failed" error appears in the UI when configuring an OpsCenter backup location that uses an S3-compatible endpoint.
Applies to
OpsCenter 6.7.0
AWS S3 Compatible Endpoint
Symptoms
While adding an Amazon S3 HTTPS Compatible Endpoint to OpsCenter, a feature new in OpsCenter 6.7 as described in the Backup Service section of the release notes:
"Azure Blob Storage and Amazon S3-compatible storage support are now included for backup and restore operations."
the following error might occur:
Location validation error: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause
The Java Virtual Machine (JVM) is unable to validate the Certificate Authority (CA) chain for the SSL/TLS connection to the S3 endpoint. This occurs when the endpoint's certificate was issued by a dedicated or internal company CA that is not present in the JVM truststore.
Prerequisites
The following solution assumes that a valid set of CA certificates is available and has been configured on the S3 HTTPS endpoint. This is not covered by DataStax, as CA certificates are a large and well-documented topic on the web, and information on configuring HTTPS with a CA should be available from the provider of the S3 Compatible Endpoint.
Validation
1- From a DSE node, confirm which certificate chain the S3 Compatible Endpoint presents:
openssl s_client -showcerts -connect <s3httpsEndpoint>:443
2- Validate that the CA certificate chain exists in the JVM truststore (by default $JAVA_HOME/jre/lib/security/cacerts):
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -alias <CAalias>
Solution
The root and intermediate CA certificates need to be imported into the JVM truststore of:
- OpsCenter
- the agents on the nodes that need to be backed up.
The agents are the processes that connect to the S3 container to push the backup data, so they also need to trust the CA.
If the root and intermediate certificates of the CA are not in the JVM truststore, there are numerous resources on the internet explaining how to import them. For example (repeat with a different alias and file for the intermediate CA):
keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -alias <CArootAlias> -file <rootcaCertificateFile>
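The validation and import steps above combined into one script, as an added example that is not part of the DataStax article; it goes beyond the article by matching the served chain against the truststore by SHA-256 fingerprint instead of by alias, so it works when the alias is unknown. The endpoint name is a placeholder, and openssl and keytool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the DataStax article: report which CA certificates in the chain served by an
# S3-compatible HTTPS endpoint are absent from a JVM truststore (matched by SHA-256 fingerprint, not
# alias) and import them only when IMPORT=1. Run against the OpsCenter JVM and on every DSE node
# whose agent pushes backups. S3_ENDPOINT is a placeholder; openssl and keytool are assumed on PATH.
set -e
S3_ENDPOINT="${S3_ENDPOINT:-s3.internal.example:443}"
TRUSTSTORE="${TRUSTSTORE:-$JAVA_HOME/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # JVM default; a JVM upgrade replaces cacerts, so re-run after one
# Split a PEM bundle read from stdin into $1/cert-N.pem (cert-1 is the leaf) and print the count.
split_pem_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }'
}
# Chain the endpoint actually presents (validation step 1 of the article).
fetch_chain() {
    openssl s_client -showcerts -connect "$S3_ENDPOINT" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}
# SHA-256 fingerprint of one PEM certificate in keytool's AA:BB:... notation.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
main() {
    dir=$(mktemp -d)
    count=$(fetch_chain | split_pem_chain "$dir")
    [ "$count" -gt 1 ] || { echo "endpoint sent $count certificate(s): no CA chain to check" >&2; exit 1; }
    # keytool -list -v prints one "SHA256: <fp>" line per trusted entry.
    trusted=$(keytool -list -v -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | sed -n 's/^[[:space:]]*SHA256: //p')
    [ -n "$trusted" ] || { echo "could not list $TRUSTSTORE" >&2; exit 1; }
    i=2   # skip cert-1 (the leaf); if the root is not sent, import it from the CA's own distribution
    while [ "$i" -le "$count" ]; do
        f="$dir/cert-$i.pem"; fp=$(cert_fingerprint "$f")
        if printf '%s\n' "$trusted" | grep -qiF "$fp"; then
            echo "present: $fp"
        elif [ "${IMPORT:-0}" = 1 ]; then   # only after checking the fingerprint with the CA owner
            keytool -importcert -trustcacerts -noprompt -keystore "$TRUSTSTORE" \
                -storepass "$STOREPASS" -alias "s3ca-$i" -file "$f"
        else
            echo "missing: $fp (cert-$i); rerun with IMPORT=1 once verified"
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}
case "${1:-}" in run) main ;; esac   # usage: sh s3_ca_check.sh run
```

Without IMPORT=1 the script only reports, so the first run can be compared against the fingerprints published by the CA owner before anything is added to the truststore.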