HCL DX - Renew Your Docker Dev SSL Certificate
Posted on Sep 26, 2021 (last modified Feb 5, 2022)
When using the official Docker images for developing on the HCL Digital Experience platform (formerly IBM WebSphere Portal), you may encounter issues related to certificate expiration. You might notice these errors when attempting to execute a ConfigEngine task, for example. In this post, I'll demonstrate the kind of error you're likely to see on the command line and then the steps to fix the issue by renewing your SSL certificate in the WebSphere Admin Console.
Console Errors
Following are two example error stack traces that I produced when trying to execute a ConfigEngine task while the certificate was expired in my local development instance of HCL DXP on Docker.
[wplc-discard-wsadmin-session] [2021-09-25 16:18:40.134] CWPKI0312E: The certificate with subject DN CN=localhost, OU=dockerCell, OU=dockerNode, O=IBM, C=US has an end date 4/26/21 11:37 PM which is no longer valid.
com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host localhost at port 10033.
at com.ibm.websphere.management.AdminClientFactory.createAdminClientPrivileged(AdminClientFactory.java:635)
at com.ibm.websphere.management.AdminClientFactory.access$000(AdminClientFactory.java:127)
at com.ibm.websphere.management.AdminClientFactory$1.run(AdminClientFactory.java:210)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:63)
at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:206)
at com.ibm.wplc.deploy.tasks.AbstractBaseAdminTask.executeTask(AbstractBaseAdminTask.java:492)
at com.ibm.wplc.deploy.tasks.AbstractBaseWsAdminWrapperTask.executeTask(AbstractBaseWsAdminWrapperTask.java:395)
at com.ibm.wplc.deploy.tasks.AbstractBaseAdminTask.execute(AbstractBaseAdminTask.java:177)
Here's another part of the stack trace. I post these so that web search engines will index these errors so that you might find this solution when searching.
Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; targetException=java.lang.IllegalArgumentException: Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed]
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:439)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.<init>(SOAPConnectorClient.java:238)
... 74 more
Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; targetException=java.lang.IllegalArgumentException: Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed]
at org.apache.soap.transport.http.SOAPHTTPConnection.send(SOAPHTTPConnection.java:475)
at org.apache.soap.rpc.Call.WASinvoke(Call.java:510)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient$4.run(SOAPConnectorClient.java:397)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:382)
... 75 more
/opt/HCL/ConfigEngine/config/includes/default_cfg.xml:143: Unable to create remote administration client: ADMC0016E: The system cannot create a SOAP connector to connect to host localhost at port 10033.
com.ibm.wplc.deploy.tasks.AbstractBaseAdminTask.executeTask(AbstractBaseAdminTask.java:496)
com.ibm.wplc.deploy.tasks.AbstractBaseWsAdminWrapperTask.executeTask(AbstractBaseWsAdminWrapperTask.java:395)
com.ibm.wplc.deploy.tasks.AbstractBaseAdminTask.execute(AbstractBaseAdminTask.java:177)
org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:275)
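To confirm from saved ConfigEngine output that an expired certificate is behind the ADMC0016E failure, the following added example (not part of the original post or of any HCL tooling) pulls the subject DN and end date out of the CWPKI0312E line and correlates them with the SOAP connector error. The function name `triage`, the sample text and the US date format are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample: three lines taken (the last one abridged) from the traces above.
SAMPLE_LOG = """\
[wplc-discard-wsadmin-session] [2021-09-25 16:18:40.134] CWPKI0312E: The certificate with subject DN CN=localhost, OU=dockerCell, OU=dockerNode, O=IBM, C=US has an end date 4/26/21 11:37 PM which is no longer valid.
com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host localhost at port 10033.
Caused by: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
"""

# Assumption: the end date is rendered in US short format (M/D/YY h:mm AM/PM),
# as in the trace above; other JVM locales print it differently.
CWPKI0312E = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\]\s+CWPKI0312E: "
    r"The certificate with subject DN (?P<dn>.+?) has an end date "
    r"(?P<end>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2} [AP]M) which is no longer valid")
ADMC0016E = re.compile(r"ADMC0016E: .*connect to host (?P<host>\S+) at port (?P<port>\d+)")
PKIX_EXPIRED = "CertPathValidatorException: validity check failed"


def triage(log_text):
    """Correlate expired-certificate messages with SOAP connector failures."""
    expired, soap_failures, pkix = [], set(), False
    for line in log_text.splitlines():
        m = CWPKI0312E.search(line)
        if m:
            logged = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            not_after = datetime.strptime(m["end"], "%m/%d/%y %I:%M %p")
            # Both timestamps are treated as the same local time zone.
            expired.append({"subject_dn": m["dn"], "not_after": not_after,
                            "days_expired": (logged - not_after).days})
        m = ADMC0016E.search(line)
        if m:
            soap_failures.add((m["host"], int(m["port"])))
        pkix = pkix or PKIX_EXPIRED in line
    return {"expired": expired, "soap_failures": soap_failures,
            "pkix_validity_failure": pkix,
            # Expiry is the likely cause when both message types appear together.
            "cert_expiry_is_cause": bool(expired and soap_failures)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for cert in report["expired"]:
        print(f"{cert['subject_dn']} expired {cert['not_after']:%Y-%m-%d} "
              f"({cert['days_expired']} days before the task ran)")
    print("SOAP endpoints unreachable:", sorted(report["soap_failures"]))
    print("Renew the certificate:", report["cert_expiry_is_cause"])
```

An ADMC0016E line on its own does not set `cert_expiry_is_cause`, since the connector can fail for reasons other than an expired certificate.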
Renewing the SSL Certificate in the WebSphere Application Server
The solution is quick and simple. First, I summarize it for you below and then I illustrate the steps with screenshots.
Fix Procedure Summary
- Access the WAS console in your web browser and log in (typically at: https://localhost:10041/ibm/console/login.do?action=secure)
- Click Security > SSL certificate and key management.
- Under Related Items, click Key stores and certificates.
- Click the appropriate key store to which you want to add the new certificate.
  - Note: Only self-signed certificates and chained certificates signed with root certificates from the root keystore can be renewed. This is how the official images from HCL are set up for demos and development, though.
- Under Additional Properties, click Personal certificates to list the personal certificates.
- Select a personal certificate from the list.
- Click the Renew button.
- Click Apply then OK.
Fix Procedure Illustrated
Click Security (1), and SSL certificate and key management (2). Then, under Related Items, click Key stores and certificates (3).

Click the appropriate

Under Additional Properties, click Personal certificates to list the personal certificates (5).

Select a personal certificate from the list (6), then click the Renew button (7).

Click Apply then OK. Notice that the expiration date on the certificate now shows the renewed expiration date. Save the changes directly to the master configuration (8).
