ssvm: unable to find valid certification path to requested target

[PPisz]

ISSUE TYPE

• Bug Report

COMPONENT NAME

secondary storage vm

CLOUDSTACK VERSION

4.19.3

CONFIGURATION

OS / ENVIRONMENT

SUMMARY

Can't download and register a template/iso from a site secured with a letsencrypt certificate, for example: https://factory.talos.dev/image/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba/v1.8.3/metal-amd64.iso
Even after manually importing all letsencryt certificates it doesn't work correctly.

STEPS TO REPRODUCE

Create fresh ssvm 4.19.3 and import iso

EXPECTED RESULTS

We can download template/iso from letsencrypt certificate sites

ACTUAL RESULTS

2024-11-21 15:08:55,587 INFO  [storage.template.HttpTemplateDownloader] (agentRequest-Handler-3:null) No credentials configured for host=factory.talos.dev:443
2024-11-21 15:08:56,461 INFO  [storage.template.DownloadManagerImpl] (pool-1-thread-2:null) Download Completion for jobId: a4d992d1-0ae8-4a66-bbcd-2b5973506bd8, status=UNRECOVERABLE_ERROR
2024-11-21 15:08:56,484 INFO  [storage.template.DownloadManagerImpl] (pool-1-thread-4:null) local: /mnt/SecStorage/9bf7d36f-f049-3f71-89a8-101bacf6be00/template/tmpl/36/263/dnld2856126097776773813tmp_, bytes=(0 bytes) 0, error=PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, pct=0

[DaanHoogland]

@PPisz , I think you mean version 4.19.1.3, right? (instead of 4.19.3)

[DaanHoogland]

@PPisz , can you confirm this worked before, in 4.19.1.2 or earlier?

[PPisz]

Unfortunately I don't know how it looked like on earlier versions, it certainly didn't work on 4.19.1.2

[PPisz]

@PPisz , I think you mean version 4.19.1.3, right? (instead of 4.19.3)

Yes, 4.19.1.3

[DaanHoogland]

I can confirm this is an issue in latest 4.18 as well

[weizhouapache]

I can also reproduce the issue with 4.19.1 and 4.20.0.0