Issue with Hotfix Scan Check online

Getting the below error while trying to scan the hotfix catalog through the online check. For now we are doing it manually by downloading the catalog, uploading and scanning it, but would like to check what is wrong with the “online check”.

DSS: pzRefreshCatalogFTPString is already pointed to https://hotfixcatalog.pega.com/CATALOG.ZIP

When I check the logs, it says SSL-related exception, so probably the connection is not established. Can you please share what certificates are missing/required to make a connection to the hotfix catalog URL?

Unable to read Catalog from filesystem
com.pega.pegarules.priv.updatemanager.InstallException: Have exceeded the maximum number of attempts (5) for downloading the catalog.
at com.pega.pegarules.updatemanager.util.CatalogRetrieverImpl.retrieve(CatalogRetrieverImpl.java:68) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.util.CatalogRetrieverImpl.retrieve(CatalogRetrieverImpl.java:54) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.api.UpdateManagerAPIImpl.refreshCatalog(UpdateManagerAPIImpl.java:282) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.api.UpdateManagerAPIImpl.refreshCatalog(UpdateManagerAPIImpl.java:278) ~[prprivate-updatemanager.jar:?]
at com.pegarules.generated.activity.ra_action_pzrefreshcatalogfromftp_89ee5113b933d763bc654e0c9542dc89.step1_circum0(ra_action_pzrefreshcatalogfromftp_89ee5113b933d763bc654e0c9542dc89.java:168) ~[?:?]
at com.pegarules.generated.activity.ra_action_pzrefreshcatalogfromftp_89ee5113b933d763bc654e0c9542dc89.perform(ra_action_pzrefreshcatalogfromftp_89ee5113b933d763bc654e0c9542dc89.java:76) ~[?:?]
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:2872) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:11502) ~[prprivate-session.jar:?]
at com.pegarules.generated.activity.ra_action_pzdownloadcatalogopt

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) ~[?:1.8.0_202]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) ~[?:1.8.0_202]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) ~[?:1.8.0_202]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) ~[?:1.8.0_202]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:1.8.0_202]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_202]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:1.8.0_202]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:1.8.0_202]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_202]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564) ~[?:1.8.0_202]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[?:1.8.0_202]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) ~[?:1.8.0_202]
at java.net.URL.openStream(URL.java:1045) ~[?:1.8.0_202]
at com.pega.pegarules.updatemanager.util.MiscUtils.downloadFileFromURL(MiscUtils.java:338) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.util.CatalogRetrieverDataModelImpl.refreshCatalog(CatalogRetrieverDataModelImpl.java:55) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.util.CatalogRetrieverImpl.retrieve(CatalogRetrieverImpl.java:63) ~[prprivate-updatemanager.jar:?]
… 66 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:1.8.0_202]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:1.8.0_202]
at sun.security.validator.Validator.validate(Validator.java:262) ~[?:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:1.8.0_202]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ~[?:1.8.0_202]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:1.8.0_202]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_202]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:1.8.0_202]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:1.8.0_202]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_202]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564) ~[?:1.8.0_202]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[?:1.8.0_202]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) ~[?:1.8.0_202]
at java.net.URL.openStream(URL.java:1045) ~[?:1.8.0_202]
at com.pega.pegarules.updatemanager.util.MiscUtils.downloadFileFromURL(MiscUtils.java:338) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.util.CatalogRetrieverDataModelImpl.refreshCatalog(CatalogRetrieverDataModelImpl.java:55) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.util.CatalogRetrieverImpl.retrieve(CatalogRetrieverImpl.java:63) ~[prprivate-updatemanager.jar:?]
… 66 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_202]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_202]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_202]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:1.8.0_202]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:1.8.0_202]
at sun.security.validator.Validator.validate(Validator.java:262) ~[?:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:1.8.0_202]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ~[?:1.8.0_202]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:1.8.0_202]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_202]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:1.8.0_202]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:1.8.0_202]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_202]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564) ~[?:1.8.0_202]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[?:1.8.0_202]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) ~[?:1.8.0_202]
at java.net.URL.openStream(URL.java:1045) ~[?:1.8.0_202]
at com.pega.pegarules.updatemanager.util.MiscUtils.downloadFileFromURL(MiscUtils.java:338) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.util.CatalogRetrieverDataModelImpl.refreshCatalog(CatalogRetrieverDataModelImpl.java:55) ~[prprivate-updatemanager.jar:?]
at com.pega.pegarules.updatemanager.util.CatalogRetrieverImpl.retrieve(CatalogRetrieverImpl.java:63) ~[prprivate-updatemanager.jar:?]
… 66 more

@Brahmesh@

I have looked into the error provided and the issue happens when the system doesn’t have the required certificates to connect to the hotfix catalog location.

Please upload the relevant certificate in your server to fix this issue. You’ll need to know:

  • What is this application server?
  • Where is the certificate installed? In what trust store?

Try the following.

  • Import the correct root certificate into your JVM’s truststore (specifically the one pointed at by the javax.net.ssl.trustStore Java property – for example: -Djavax.net.ssl.trustStore=C:\cacerts\truststore.keystore. This is not the truststore where you import certs into Pega.)
  • Download the cert from https://www.digicert.com/kb/digicert-root-certificates.htm#roots (specifically “DigiCert Assured ID Root CA”)
  • Import the downloaded cert into the JVM’s truststore using keytool (for example, keytool -importcert -file DigiCertAssuredIDRootCA.crt.pem -keystore truststore.keystore -storetype jks -alias digicert). Please don’t import the Pega intermediate cert.

Please perform the steps mentioned in the below documentation to mitigate the issue behavior and proceed with hotfix installation.

Automatically verifying hotfix files during installation

Please see the support document Specifying the Hotfix Catalog location for Pega Hotfix Manager for other hotfix details.

If you have questions about this update or about the case in general, please log a support incident via the MSP and provide the INC id here.
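A way to confirm which truststore the JVM actually reads and whether the root named in the reply above is in it, before and after the keytool import. This is an added example, not part of the original thread and not Pega code; the class name TrustStoreCheck is hypothetical, and the SHA-256 it prints is meant to be compared against the fingerprint the CA publishes.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): inspects the JVM's outbound-TLS truststore.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Subject text to look for; the default is the root named in the reply above.
        String wanted = args.length > 0 ? args[0] : "DigiCert Assured ID Root CA";

        // JSSE order: javax.net.ssl.trustStore if set, else jssecacerts, else cacerts.
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            String dir = System.getProperty("java.home") + "/lib/security/";
            path = new File(dir + "jssecacerts").exists() ? dir + "jssecacerts" : dir + "cacerts";
        }
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        System.out.println("Truststore in use: " + path + " (type " + type + ")");

        // A null password skips the integrity check, which is enough to list a JKS store.
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass == null ? null : pass.toCharArray());
        }

        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String subject = x.getSubjectX500Principal().getName();
            if (!subject.contains(wanted)) continue;
            found = true;
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(x.getEncoded())) {
                hex.append(String.format("%02X", b));
            }
            System.out.println("alias=" + alias + " subject=" + subject);
            System.out.println("  notAfter=" + x.getNotAfter() + " sha256=" + hex);
        }
        if (!found) System.out.println("No certificate entry with subject containing: " + wanted);
        System.exit(found ? 0 : 1);
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore (and type/password) options the application server's JVM is started with; otherwise it reports the JRE default store rather than the one the server uses.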

@Brahmesh@

As a first step, check whether the below DSS is configured in your environment.

Owning Ruleset: Pega-UpdateManager

Setting Purpose: hotfixmanager/automaticmaintenance/lastdownload

Value: https://hotfixcatalog.pega.com/CATALOG.ZIP

Please configure it if it’s not there and try to perform the online scan option.