Quick deployment to AWS: java.security.cert.CertPathValidatorException: validity check failed

Jmix 1.6.1 / IntelliJ 2024.1.3 on macOS here. Quick deployment to AWS is failing with the error “PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed” and a “NotAfter” due to an expired certificate when connecting to the Docker daemon on AWS.

How can the certificate be renewed deploying on the same AWS instance using the quick deploy option?

I found how server and client certificates can be created on Protect the Docker daemon socket | Docker Docs. The new server certificates will be stored at the location specified in daemon.json on the AWS instance. However, where do the client certificates have to be updated? In other words, where does Jmix/IntelliJ store the Docker TLS client certificates when using the quick deployment to AWS option?

Thank you.

Hi

My guess is this can be operating system wide or at JVM level. If the problem happens during deploy from your computer, you should check its operating system/software parameters and versions, referring to this link: "PKIX path building failed" error, even after making sure AWS certs exist in cacerts files · Issue #2145 · aws/aws-sdk-java · GitHub

Thanks for your reply. However, the issue is not with the AWS certificate but with the Docker daemon certificates. The server certificates can be renewed easily on the AWS instance (the location is stated in domain.json). The question is where the client certificate is located that Jmix uses when deploying to the Docker daemon on AWS?

Jmix Studio relies on IntelliJ IDEA Docker integration functionality. Try checking the following URL for reference: Docker connection settings | IntelliJ IDEA Documentation

Finally was able to resolve the issue. For anyone interested:

The IntelliJ IDEA server configurations are stored in the following XML file (macOS):
~/Library/Application Support/JetBrains/${IDEA_VERSION}/options/remote-servers.xml

In this file, the location of the Docker TLS certificates can be found under the dockerCertsPath option of the respective configuration tag of the respective remote-server tag:
~/Library/Application Support/jmix/aws/instances/instance_${INSTANCE_ID}/sslCerts

After renewing the certificates of the Docker daemon on the AWS instance and the client certificates at the mentioned location using the official instructions found on Protect the Docker daemon socket | Docker Docs, everything runs smoothly now.

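To confirm which client certificate triggers the "NotAfter" failure before renewing it, the check below can be run against the directories named in the resolution above. It is an added example, not part of the original posts: it assumes remote-servers.xml stores the path as `<option name="dockerCertsPath" value="..." />` and that the certificates are `.pem` files, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report expiry of Docker TLS client
# certificates used by the IDE's Docker connection.
# Assumption: remote-servers.xml holds the path in the form
#   <option name="dockerCertsPath" value="/path/to/sslCerts" />

# Print every dockerCertsPath value found in a remote-servers.xml file.
docker_certs_paths() {
    sed -n 's/.*name="dockerCertsPath"[[:space:]]*value="\([^"]*\)".*/\1/p' "$1"
}

# Check every certificate in a directory.
# $1 = directory, $2 = warning window in days (default 30).
# Returns 0 if every certificate stays valid beyond the window, 1 otherwise.
check_cert_dir() {
    dir=$1
    days=${2:-30}
    rc=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # Private keys and other non-certificate files fail to parse: skip them.
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null) || continue
        if ! openssl x509 -noout -checkend 0 -in "$f" >/dev/null; then
            echo "EXPIRED  $f (${end#notAfter=})"; rc=1
        elif ! openssl x509 -noout -checkend $((days * 86400)) -in "$f" >/dev/null; then
            echo "EXPIRING $f (${end#notAfter=})"; rc=1
        else
            echo "OK       $f (${end#notAfter=})"
        fi
    done
    return $rc
}

# Usage: sh check-docker-certs.sh <cert-directory> [warning-days]
[ "$#" -eq 0 ] || check_cert_dir "$@"
```

The same `openssl x509 -noout -enddate` call works on the server certificate on the AWS instance, so both ends can be checked after renewal.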