Get self-signed certificates to work with Cloud Foundry Integration for Eclipse Plug-In

If you're like me, you use self-signed certificates in your lab environment because they are quick and easy.  In my Pivotal Cloud Foundry lab I generated a self-signed certificate in the Elastic Runtime configuration.  When the API endpoint has a self-signed certificate you add --skip-ssl-validation to your cf api and cf login commands, which tells the CLI not to verify the server certificate at all; fine for a lab, not something to carry into production.

With the latest builds of the Cloud Foundry Integration for Eclipse Plug-In, self-signed certificates are a problem.  The plug-in fails with an error to the effect of:

Caused by: 
    PKIX path building failed: 
    unable to find valid certification path to requested target


It will ask you if you wish to ignore this, but regardless of your answer the integration fails: it cannot validate your credentials, so you get no Cloud Foundry integration at all.

I really like the Cloud Foundry integration in Eclipse, so I set off to figure out how to make it work.  Originally I tried an older version of the plug-in, version 1.7.3, which appeared to work.  I was using this with PCF, which had just been released.  When I removed an application, however, I believe it also removed my apps_manager application, which lives in the system org.  I know this sounds weird, because 1) the plug-in should not be removing the apps_manager service under any circumstances, and 2) even if it wanted to, the credentials I used in Spring Tool Suite did not have the authority to remove an app from the system org.  I did not spend a lot of time looking into this; I just noticed that I removed an application, and all of a sudden my developer console was gone.  (Developer Console is now known as Apps Manager.)

To get the integration to work you need to add the self-signed certificate from your PCF to your Java keystore.  It's important to know which version of Java you are running; you may have several installed.  Typically the one in use is the one $JAVA_HOME points to, but Eclipse/STS can be started with a different JVM (a -vm line in eclipse.ini, if present, wins), so verify which one it actually uses, or add the certificate to every version you have.  Two things to keep in mind: the cacerts file is per-JDK and a JDK update ships a fresh copy, so you will have to repeat the import after upgrading; and anything you add to cacerts is trusted by every Java program that runs on that JVM, not just Eclipse, so import only a certificate you have checked against what Ops Manager shows.

I use a Mac, where the Java originally installed by Apple lives in /System/Library/Java/JavaVirtualMachines.  For example, on my system:

nettles:~ bfeeny$ ls /System/Library/Java/JavaVirtualMachines/

This however is not the version I am using.  When you install later versions, from Oracle for example, they are installed in /Library/Java/JavaVirtualMachines:

nettles:~ bfeeny$ ls /Library/Java/JavaVirtualMachines/

This is the one I am using, and it can be further verified by looking at my $JAVA_HOME:

nettles:~ bfeeny$ echo $JAVA_HOME

Java stores its trusted certificates in a keystore, which on my system is located at


The first thing to do is extract the self-signed certificate from your Cloud Foundry API endpoint.  An easy way to do this is with openssl, pointing s_client at the API host and port (the same address you give cf api) and cutting the PEM block out of the output:

nettles:~ bfeeny$ openssl s_client -connect < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/public.crt
depth=0 C = US, O = Pivotal, CN = *.cf.lab.local

verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, O = Pivotal, CN = *.cf.lab.local
verify return:1

We can verify it is there (the verify error:num=18:self signed certificate line above is expected; it is openssl saying the same thing the plug-in did):

nettles:~ bfeeny$ more /tmp/public.crt


Of course, if you have access to Ops Manager, you can go into the Elastic Runtime tile, open the IPs and Ports section and copy the certificate from there; that is where you created it in the first place.  Two items are listed: the first is the public certificate, which is the one you want, and the second is the private key.  Leave the private key where it is; the keystore import needs only the certificate, and the key should never leave the platform.  Whether you use openssl or cut and paste, the result should be the same, and it is worth confirming that it is: the Ops Manager copy is your out-of-band reference, so if the certificate openssl pulled off the wire has a different fingerprint, something between you and the API endpoint is presenting a certificate you did not create, and you should not import it.

Now import the certificate into the Java keystore.  sudo is needed because cacerts is owned by root, and give the alias a meaningful name such as your PCF domain.  On Java 9 and later the file is $JAVA_HOME/lib/security/cacerts (no jre component) and keytool accepts -cacerts in place of the -keystore path.  keytool prints the certificate's subject, issuer and fingerprints and then asks whether to trust it; compare the fingerprint with the one from Ops Manager or from openssl before you answer yes:

nettles:~ bfeeny$ sudo keytool -import -alias -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/public.crt
Password: <enter your admin password here>
Enter keystore password:  <default password is changeit>
Owner: CN=*.cf.lab.local, O=Pivotal, C=US
Issuer: CN=*.cf.lab.local, O=Pivotal, C=US
Serial number: fd47803cc1af3192158f65513be978e9747e9c4f
Valid from: Tue Apr 14 21:44:51 EDT 2015 until: Thu Apr 13 21:44:51 EDT 2017
Certificate fingerprints:
MD5:  C4:DA:C3:02:B4:25:FC:A9:1E:A1:FB:3A:E0:F7:B5:AD
SHA1: EB:A4:1E:A5:EA:D4:BE:7A:A3:CD:9B:D4:4D:BF:1F:1C:DD:97:52:ED
SHA256: 12:7C:1E:69:32:D4:28:FE:6B:EE:2A:DE:91:FB:76:5E:A6:1F:29:DA:15:A5:4C:21:E8:4C:73
Signature algorithm name: SHA1withRSA
Version: 3
#1: ObjectId: Criticality=false
SubjectAlternativeName [
 DNSName: *.cf.lab.local
Trust this certificate? [no]:  yes
Certificate was added to keystore
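The whole procedure above as one script, added here as an example rather than taken from the post or from Pivotal: it fetches the certificate the API endpoint presents, refuses to go further unless its SHA-256 fingerprint matches the value you read out of band from Ops Manager, and imports it under a named alias only if that alias is not already in the keystore.  The host name, alias, keystore path, file name and fingerprint in the comments are placeholders; openssl and keytool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: fetch the certificate a Cloud
# Foundry API endpoint presents, check its SHA-256 fingerprint against the
# value read out of band (Ops Manager), and only then import it into a JVM
# truststore. Assumes openssl and keytool are on PATH. Host names, alias,
# keystore path and the expected fingerprint below are placeholders.

# Fetch the server's certificate(s) as PEM into the file named by $3.
# -servername sends SNI, which a router fronting several domains may need
# in order to present the right certificate.
fetch_cert() {
  host=$1; port=${2:-443}; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"$out"
  [ -s "$out" ]
}

# Print the SHA-256 fingerprint of the first certificate in a PEM file as
# colon-separated hex, the same form keytool prints at its prompt.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Succeed only if the PEM's fingerprint equals $2 (colons and case ignored).
verify_fingerprint() {
  got=$(cert_fingerprint "$1" 2>/dev/null | tr -d ':' | tr 'a-f' 'A-F')
  want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Import PEM $3 under alias $2 into keystore $1, skipping if the alias
# already exists. The default cacerts password is "changeit"; override it
# with KEYSTORE_PASS.
import_cert() {
  ks=$1; alias=$2; pem=$3; pass=${KEYSTORE_PASS:-changeit}
  if keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already present in $ks" >&2
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -keystore "$ks" -storepass "$pass" -file "$pem"
}

# Put it together: never import anything whose fingerprint does not match
# the one Ops Manager shows. Returns 0 on success, 1 otherwise.
trust_cf_cert() {
  host=$1; expected=$2; ks=$3; alias=${4:-$host}
  pem=$(mktemp /tmp/cf-cert.XXXXXX) || return 1
  if ! fetch_cert "$host" 443 "$pem"; then
    echo "no certificate received from $host" >&2; rm -f "$pem"; return 1
  fi
  if ! verify_fingerprint "$pem" "$expected"; then
    echo "fingerprint mismatch for $host:" >&2
    echo "  got      $(cert_fingerprint "$pem")" >&2
    echo "  expected $expected" >&2
    rm -f "$pem"; return 1
  fi
  import_cert "$ks" "$alias" "$pem"; rc=$?
  rm -f "$pem"; return $rc
}

# Example invocation (all values are placeholders). Java 8 keeps cacerts
# under jre/lib/security, Java 9+ under lib/security, and every JDK update
# ships a fresh copy, so re-run this after upgrading:
#   sudo -E sh -c '. ./trust-cf-cert.sh; trust_cf_cert api.cf.lab.local \
#     "<sha256-fingerprint-from-ops-manager>" \
#     "$JAVA_HOME/jre/lib/security/cacerts" pcf-lab'
```

Run it as root with sudo -E so $JAVA_HOME survives, and run it once per JDK you use.  The fingerprint check is the point: --skip-ssl-validation and answering yes to keytool's prompt both skip it, and this is the last place you can still catch a certificate that is not the one you generated.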

After this is done, restart Eclipse or Spring Tool Suite and it should let you add a Cloud Foundry instance with no issue.  If you had already added an instance, delete it and re-add it.  Fill out your credentials and everything should validate properly.

Update: I passed this onto Pivotal and they have added it to their Knowledge Base!

This entry was posted in Cloud Foundry, Pivotal.