Installer\core\build.xml:1173: java.lang.IllegalArgumentException: certificate cannot be null (upgrade fails from ePO 5.3.3)

Technical Articles ID: KB91719
Last Modified: 2023-07-31 04:46:13 Etc/GMT

Environment

ePolicy Orchestrator (ePO) 5.10.x

NOTE: ePO 5.3.x is End of Life.

Problem

An upgrade from ePO 5.3.x to 5.10.x fails, which causes the upgrade process to roll back.

The Core-Upgrade.log file records the following error:

check-regenerate-certs:

[echo] catalina.home is D:/Program Files (x86)/McAfee/ePolicy Orchestrator/server

Regenerate-certs:

BUILD FAILED
D:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1964: The following error occurred while executing this line:
D:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:2000: The following error occurred while executing this line:
D:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1161: The following error occurred while executing this line:
D:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1179: java.lang.IllegalArgumentException: certificate cannot be null
at com.mcafee.orion.core.util.ValidateUtil.throwIfNull(ValidateUtil.java:93)
at com.mcafee.orion.core.cert.CertificateAndPrivateKey.<init>(CertificateAndPrivateKey.java:63)
at com.mcafee.orion.core.cert.CertificateAndPrivateKey.<init>(CertificateAndPrivateKey.java:84)
at com.mcafee.orion.core.cert.CaCertUtil.loadCACertificateAndPrivateKey(CaCertUtil.java:418)
at com.mcafee.orion.core.cert.CaCertUtil.generateCASignedCert(CaCertUtil.java:362)
at com.mcafee.orion.core.cert.CaCertUtil.generateCASignedCert(CaCertUtil.java:122)

at com.mcafee.orion.core.install.CreateClientAuthKeystoreTask.execute(CreateClientAuthKeystoreTask.java:38)

Cause

The ca.keystore file is corrupt. The ca.keystore file only contains certificate information and doesn't contain the needed private key mykey information.

The error "Certificate cannot be null" indicates that the installer is looking to load loadCACertificateAndPrivateKey.
When the CA.keystore file is missing the key, the system also fails to regenerate the server certificate.
When the upgrade fails with the errors above, you need to recheck that you can log on to the ePO console.

NOTES:

Every time ePO 5.10.x or 5.9.x is upgraded, it regenerates all ePO certificates.
Investigations have found that, in a few cases, the ePO 5.3.x certificates become corrupted, leading to upgrade failures.

Solution

Test that your system can be resolved using this solution, and then replace the corrupted file.

Step 1: Verify that this article resolves your problem:

Log on to the ePO Console.
Click Menu, Configuration, Server Settings.
Click Server Certificate, Edit, and then click Save.

If you see the following error, this article resolves your problem. Otherwise, contact Technical Support. See the "Related Information" section for details.

"Could not regenerate the server certificate due to an unexpected error. Check the server log for details."

Step 2: Locate the corrupted ca.keystore file:

On the ePO Server system:
1. Download ePO_KeyInfo_Exporter_v1.2.zip attached to this article to a temporary folder.
2. Extract all files.
3. Locate the batch file ePO_KeyInfo_Exporter_v1.2.bat.
4. Run the batch file as an administrator.
  
  A text file is created named keys.txt, which contains the needed data.
Open keys.txt with a text editor.

Example A - Output of a corrupted ca.keystore file.
- In this example, the ca.keystore file shows that there's only certificate information. The mykey information is missing.
- File locations:
  - server/keystore/ca.keystore
  - server/keystore/ca.keystore.old

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keystore type: JKSKeystore type: JKSKeystore provider: SUN
Your keystore contains 1 entry
Alias name: servercaCreation date: Apr 15, 2014Entry type: trustedCertEntry
Owner: CN=Orion_CA_bhhwapeps1, OU=Orion, O=McAfeeIssuer: CN=Orion_CA_bhhwapeps1, OU=Orion, O=McAfeeSerial number: 7c02bda704fe36b2Valid from: Wed Dec 31 16:00:00 PST 1969 until: Fri Apr 22 06:35:25 PDT 2039Certificate fingerprints: MD5: 2B:96:D5:D6:B5:E9:C4:02:A8:FB:9D:91:05:AD:E6:3C SHA1: FC:02:F7:72:B9:EB:A7:F5:E6:61:23:C6:9C:ED:31:49:DE:B5:A3:96 SHA256: 7C:73:01:5D:BC:B5:63:13:EB:3B:5B:04:97:5F:6C:5A:A3:EE:AE:A8:FF:A8:71:49:BC:5F:4C:7D:C6:4E:DD:F7 Signature algorithm name: SHA1withRSA Version: 3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Example B - Output of a good ca.keystore.old file:

In this example, the file ca.keystore.old shows that there are two certificate bits of information. The mykey information is present.
File locations:
- server/keystore/ca.keystore
- server/keystore/ca.keystore.old

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Keystore type: JKSKeystore type: JKSKeystore provider: SUN
Your keystore contains 2 entries
Alias name: cacertCreation date: Apr 29, 2009Entry type: trustedCertEntry
Owner: CN=Orion_CA_bhhwapeps1, OU=Orion, O=McAfeeIssuer: CN=Orion_CA_bhhwapeps1, OU=Orion, O=McAfeeSerial number: 7c02bda704fe36b2Valid from: Wed Dec 31 16:00:00 PST 1969 until: Fri Apr 22 06:35:25 PDT 2039Certificate fingerprints: MD5: 2B:96:D5:D6:B5:E9:C4:02:A8:FB:9D:91:05:AD:E6:3C SHA1: FC:02:F7:72:B9:EB:A7:F5:E6:61:23:C6:9C:ED:31:49:DE:B5:A3:96 SHA256: 7C:73:01:5D:BC:B5:63:13:EB:3B:5B:04:97:5F:6C:5A:A3:EE:AE:A8:FF:A8:71:49:BC:5F:4C:7D:C6:4E:DD:F7 Signature algorithm name: SHA1withRSA Version: 3

**************************************************************************************
Alias name: mykeyCreation date: Apr 29, 2009Entry type: PrivateKeyEntryCertificate chain length: 1Certificate[1]:Owner: CN=Orion_CA_bhhwapeps1, OU=Orion, O=McAfeeIssuer: CN=Orion_CA_bhhwapeps1, OU=Orion, O=McAfeeSerial number: 7c02bda704fe36b2Valid from: Wed Dec 31 16:00:00 PST 1969 until: Fri Apr 22 06:35:25 PDT 2039Certificate fingerprints: MD5: 2B:96:D5:D6:B5:E9:C4:02:A8:FB:9D:91:05:AD:E6:3C SHA1: FC:02:F7:72:B9:EB:A7:F5:E6:61:23:C6:9C:ED:31:49:DE:B5:A3:96 SHA256: 7C:73:01:5D:BC:B5:63:13:EB:3B:5B:04:97:5F:6C:5A:A3:EE:AE:A8:FF:A8:71:49:BC:5F:4C:7D:C6:4E:DD:F7 Signature algorithm name: SHA1withRSA Version: 3
**************************************************************************************

Step 3: Continue only if you've located a corrupt ca.keystore file.
If you see the mykeyCreation is missing in your output file, take the following action:

Stop the Tomcat service on the ePO server:
1. Press Windows+R.
2. Type services.msc into the field and press Enter.
3. Right-click McAfee ePolicy Orchestrator #.#.# Application Server and click Stop.
4. Leave the services window open.
Rename the active corrupt file:
- From: ca.keystore
- To: ca.keystore.new
Rename the good file that contains both keys:
- From: ca.keystore.old
- To: ca.keystore
Start the Tomcat service on the ePO server:
1. Press Windows+R.
2. Type services.msc into the field and press Enter.
3. Right-click McAfee ePolicy Orchestrator #.#.# Application Server and click Start.
4. Close the services window.
Confirm that the problem is resolved:
1. Log on to the ePO Console.
2. Click Menu, Configuration, Server Settings.
3. Click Server Certificate, Edit, then click Save.
  
  NOTE: When you click Save, no error is shown, which confirms that the problem is resolved.

Related Information

Contacting Technical Support

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Attachment

ePO_KeyInfo_Exporter_v1.2.zip
759Bytes • < 1 minute @ broadband

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Installer\core\build.xml:1173: java.lang.IllegalArgumentException: certificate cannot be null (upgrade fails from ePO 5.3.3)

Environment

Problem

Cause

Solution

Related Information

Attachment

Affected Products

Languages:

Title

Title

Knowledge Center

Installer\core\build.xml:1173: java.lang.IllegalArgumentException: certificate cannot be null (upgrade fails from ePO 5.3.3)

Environment

Problem

Cause

Solution

Related Information

Attachment

Affected Products

Languages:

Choose your region

Title

Title