SSL Certificate chaining error in WAS happened intermittently - java

I'm facing a certificate chaining error in a WebSphere application server. After installing the certificate, it works for the first request, and I get a Certificate chaining error for the subsequent requests.
Please find the log below:
javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by EMAILADDRESS=*.#.com, CN=****, OU=****, O=****, ST=****, C= is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

There can be multiple reasons behind this error. You can enable WAS SSL logs and check the trace logs, or share them here.
PS: It has been observed that WAS serves a few incoming requests immediately after installing a certificate. I experienced the same issue, and the reason was that the chain certificates were installed in the wrong sequence on the host side.
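A static check of the installed chain, added here as an example that is not part of the original answer: given the PEM bundle the host serves (leaf first, root last), it reports the conditions behind the three PKIX messages quoted on this page, wrong order or a missing link ("Certificate chaining error"), a pathLenConstraint that is exceeded, and an issuer without the keyCertSign key-usage bit. The file name chain.pem is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Lints a PEM bundle (leaf first, root last) the way PKIX validation will see it:
 * issuer/subject linkage, CA flag, pathLenConstraint and the keyCertSign key-usage bit.
 * Added example; chain.pem is a file you supply, not something from the original post.
 */
public class ChainLint {

    // Index of keyCertSign in the boolean[] returned by X509Certificate.getKeyUsage()
    private static final int KEY_CERT_SIGN = 5;

    public static List<X509Certificate> readPem(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(in)) {
            out.add((X509Certificate) c);
        }
        return out;
    }

    /** Returns an empty list when the bundle is a well-formed, correctly ordered chain. */
    public static List<String> lint(List<X509Certificate> chain) {
        List<String> problems = new ArrayList<>();
        if (chain.isEmpty()) {
            problems.add("bundle contains no certificates");
            return problems;
        }
        if (chain.size() == 1) {
            problems.add("bundle holds only the leaf: the server must send its intermediates, or the client must already trust the issuer");
        }
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            String name = "cert[" + i + "] " + cert.getSubjectX500Principal();

            // 1. Linkage: cert[i] must have been issued by cert[i+1]. A mismatch is the
            //    "wrong sequence" case (A->C->B instead of A->B->C) or a missing intermediate;
            //    both surface as "Certificate chaining error".
            if (i + 1 < chain.size()) {
                X509Certificate next = chain.get(i + 1);
                if (!cert.getIssuerX500Principal().equals(next.getSubjectX500Principal())) {
                    problems.add(name + " is not issued by cert[" + (i + 1) + "] "
                            + next.getSubjectX500Principal() + " (out of order or missing link)");
                }
            }
            if (i == 0) {
                continue; // the leaf signs nothing, so the CA checks below do not apply
            }

            // 2. Every issuer must be a CA: getBasicConstraints() is -1 for non-CA certs,
            //    Integer.MAX_VALUE for a CA with no pathLenConstraint, else the constraint.
            int pathLen = cert.getBasicConstraints();
            if (pathLen < 0) {
                problems.add(name + " is used as an issuer but is not a CA (BasicConstraints)");
                continue;
            }

            // 3. pathLenConstraint limits the intermediates that may sit below this CA.
            //    Below cert[i] are cert[1] .. cert[i-1], i.e. i-1 intermediates (the leaf does
            //    not count). pathLen 0 with one intermediate below is exactly "pathLenConstraint
            //    violated - this cert must be the last cert in the certification path".
            int intermediatesBelow = i - 1;
            if (pathLen != Integer.MAX_VALUE && intermediatesBelow > pathLen) {
                problems.add(name + " allows " + pathLen + " intermediate(s) below it but "
                        + intermediatesBelow + " follow it (pathLenConstraint violated)");
            }

            // 4. If KeyUsage is present it must include keyCertSign, otherwise PKIX reports
            //    "CA key usage check failed: keyCertSign bit is not set".
            boolean[] ku = cert.getKeyUsage();
            if (ku != null && (ku.length <= KEY_CERT_SIGN || !ku[KEY_CERT_SIGN])) {
                problems.add(name + " lacks the keyCertSign key-usage bit");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args.length > 0 ? args[0] : "chain.pem")) {
            List<X509Certificate> chain = readPem(in);
            for (int i = 0; i < chain.size(); i++) {
                System.out.println("cert[" + i + "] " + chain.get(i).getSubjectX500Principal());
            }
            List<String> problems = lint(chain);
            if (problems.isEmpty()) {
                System.out.println("OK: chain is ordered leaf -> root and every issuer may sign");
            } else {
                problems.forEach(p -> System.out.println("PROBLEM: " + p));
            }
        }
    }
}
```

Run it against the bundle configured on the host (or against what `openssl s_client -showcerts` captured from it) before and after re-installing the chain; the order the server sends is what the JSSE validator sees, so a bundle that passes this lint removes chain order as the cause and leaves trust-store content as the next thing to check.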

Related

Getting "PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed" error on WEBLOGIC

After applying the latest Windows Updates I'm getting an:
Error 500--Internal Server Error
trying to access my URL using HTTP (not HTTPS!) protocol.
Looking in Weblogic logs, I found this error:
ServletContext#199346236[app:analytics module:analytics path:/analytics spec-version:2.5 version:11.1.1]] Root cause of ServletException.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
How can I solve this issue?
I don't know where I can find this expired certificate and if this is the real problem because I'm not using an HTTPS protocol trying to access my site.
You will have to find the location of your certificates first, or your certificates are located in your keystore. If so, you can display the content of your keystore and check which certificates you have.
Do you use Weblogic in combination with OSB? If yes, then the keystore is probably configured in your Enterprise Manager. If not, then your keystore is configured on the Weblogic level, which can be found at servers -> keystores tab.
I don't know if this is the solution but let's try it out.

Calling SSL URL from Java gives certificate issues

I'm trying to call an API using SSL. When I perform the call, I get the following error:
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://yyyyy.zzz/123":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I know there are many questions on StackOverflow regarding this issue, but the ones I saw were because the certificate was self-signed. In this case the certificate is valid and the browser recognizes it without problems as a valid one.
So my question is, why does it fail when calling from Java and it does work well when using the browser?
I had the same issue. The browser recognized the certificate (and certificate path), but the Java Virtual Machine did not. The error text was the same.
In my case the trust root was in the browser keystore and in the Java trust keystore, so everyone could check the trust path. But if your server returns not the whole certificate path, but only the server one, it is harder. In this case, the certificate path can be validated only if the validator has the INTERMEDIATE certificate in its trust store.
Because the Java keystore is not updated as regularly as those in browsers, you could have the intermediate certificate in the browser, but not in the JVM.
Possible solutions in this case:
the server returns the whole certificate chain
the intermediate certificate is added to the Java trust store
For more info check Certificate path discovery in Java
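Path discovery done by hand, as an added example that is not the answerer's code: it builds the path the way JSSE does at handshake time, with the JVM's default trust store as the trust anchors and a CertStore holding whatever certificates are available, so you can see whether the server's chain alone reaches a root and whether supplying the missing intermediate from a local file (the second argument) makes the path buildable. File names and the stock "changeit" cacerts password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Reproduces what the JVM does at handshake time: build a path from the server's leaf
 * certificate to a trust anchor in the default trust store. The optional second file plays
 * the role of the intermediate(s) the server failed to send. Added example, not from the
 * original post; file names and the cacerts password are assumptions.
 */
public class PathDiscovery {

    static List<X509Certificate> readPem(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
        }
        return out;
    }

    /** The JVM's default trust store; "changeit" is the stock cacerts password. */
    static KeyStore loadDefaultTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw.toCharArray());
        }
        return ks;
    }

    /**
     * Every trusted entry in anchors becomes a TrustAnchor; available is what the builder may
     * use to fill the gap between leaf and anchor (the server-sent chain plus any local copies).
     */
    static PKIXCertPathBuilderResult build(X509Certificate leaf, List<X509Certificate> available,
                                          KeyStore anchors) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false); // keeps the example offline; leave it on in production
        List<X509Certificate> pool = new ArrayList<>(available);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> serverChain = readPem(args.length > 0 ? args[0] : "server-chain.pem");
        List<X509Certificate> extra = args.length > 1 ? readPem(args[1]) : new ArrayList<>();
        List<X509Certificate> available = new ArrayList<>(serverChain);
        available.addAll(extra);
        try {
            PKIXCertPathBuilderResult r = build(serverChain.get(0), available, loadDefaultTrustStore());
            for (Certificate c : r.getCertPath().getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
            System.out.println("anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // The same condition JSSE reports as "unable to find valid certification path
            // to requested target": no route from the leaf to a trusted root.
            System.out.println("no path: " + e.getMessage());
            System.out.println("-> either the server must send its intermediate(s), or this JVM's trust store needs the issuing CA");
        }
    }
}
```

If the build fails with only the server's bundle but succeeds once the intermediate file is added, the server is the thing to fix (it is sending an incomplete chain); putting the intermediate into the JVM trust store works too, as the answer says, but then every client has to carry it and keep it current.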

How can I resolve CertPathValidatorException

The error message below is thrown when the API request is sent. We have already configured the valid SSL certificate of this domain, and no error message shows when opening it in the browser.
SSL Cert provider: komodo
Caused by: java.security.cert.CertPathValidatorException: CA key usage
check failed: keyCertSign bit is not set
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:326)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)
How can I resolve this problem?
You need to add the certificate to the environment. The link below will be helpful if you deploy your application in a WebLogic server.
http://docs.oracle.com/cd/E13214_01/wli/docs70/b2bsecur/keystore.htm

Sending mail using javamail api from IBM Websphere Application Server

How can I send mail using Gmail from IBM WebSphere Application Server 7 using the JavaMail 1.4 API without using a certificate? I either get
javax.mail.MessagingException: Exception reading response; nested exception is: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by OU=Equifax Secure Certificate Authority, O=Equifax, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
or
Must issue a STARTTLS command first
The same application works fine if I run it inside a main function in a Java application. I have configured WAS mail sessions. Can someone please provide working logic for the application and the configuration in WAS for that?

Unable to authenticate to SSL site in java: "pathLenConstraint violated - this cert must be the last cert in the certification path"

I'm trying to read from a secure (i.e. SSL) web page, in Java code.
I'm trying to use both URLConnection (java.net) and Apache's HTTPClient.
In both cases, when I make the request, I get this exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at com.sap.river.coghead.rest.Main.testJavaHTTPConnection(Main.java:45)
at com.sap.river.coghead.rest.Main.main(Main.java:32)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:139)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 13 more
Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182)
... 18 more
Note that I've succeeded in establishing a non-ssl connection, to a different host though.
I'm also able to view this page using the browser - the certificates are validated correctly there.
Do I need to somehow change the order of certificates as they are retrieved from the server?
Is there some configuration I'm missing?
Thanks in advance,
Lior
I dug in further and the answer lies in the fact that I needed to import the necessary certificates into the keystore used by the JVM to authenticate SSL.
The key store is the 'cacerts' file under the jre/lib/security folder in the jre that is used to run the program.
I manually exported the site's certificates - all of them.
Then I imported them into my default keystore using the 'keytool' utility provided by Sun. Note that you have to import them in the correct order.
I then put the new keystore instead of the JRE's one - and it worked.
I guess it would've been better to import the certificates directly into the JRE's keystore, but the tool asked me for a password which I didn't know.
I believe there's also a way to program around this more easily, just haven't found it yet. I'll be happy to get some pointers (TrustManager class in JSSE?).
Finally, some credit. This post here: http://javaishdiscoveries.blogspot.com/2009/02/battle-with-cacerts-and-https.html helped to point me in the right direction.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path at
pathLenConstraint
see (Note about certificate chains) in
http://groups.google.com/group/google-checkout-developers-forum/web/google-checkout-and-ssl-certificates?version=49
Google says it may be a problem with the certificate chain order. I have just found that my cert is not in order; not fixed yet, working on it. I will update this later.
old post:
I have almost the same problem.
Adding the certificate manually to the keystore helps, but I'd prefer to do it more automatically, with my client.
So my solution:
I will use a keystore just for this one app, and one host
1. the keystore does not exist - create it with some generated password
2. save the password in a config file
3. ask the user (or don't) whether they want to accept this certificate
4. if so - save it to the keystore, and use it when needed
Is this a good solution? Any comments?
The problem was with certificate chain order.
It was: A->C->B, but should be A->B->C, once we fixed chain order the application started to work.
I haven't personally fixed the certs, but this post was helpful
http://groups.google.com/group/google-checkout-api-troubleshooting/browse_thread/thread/99862c11d37d3127
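The four-step design from the "old post" above, and the "program around this with a TrustManager" idea from the earlier answer, as an added implementation that is not the poster's code: a per-application PKCS12 store created with a generated password on first run, the password kept in a properties file next to it, and a TrustManager that tries normal JVM (PKIX) validation first and only then consults the store, prompting with the SHA-256 fingerprint before remembering anything. The directory ~/.my-client and the file names are assumptions.

```java
import java.io.*;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Properties;
import javax.net.ssl.*;

/**
 * Per-application trust store with explicit user approval (the four steps above). JVM PKIX
 * trust is always tried first; this class only adds trust for leaf certificates the user
 * approved by fingerprint. Added example, not the poster's code; file names are assumptions.
 */
public class ApprovedTrust implements X509TrustManager {
    private final X509TrustManager jvmTrust;
    private final KeyStore approved;
    private final File storeFile;
    private final char[] password;

    private ApprovedTrust(X509TrustManager jvmTrust, KeyStore approved, File storeFile, char[] password) {
        this.jvmTrust = jvmTrust; this.approved = approved; this.storeFile = storeFile; this.password = password;
    }

    /** Steps 1-2: create the store with a generated password on first run; keep the password in a config file. */
    public static ApprovedTrust open(File dir) throws Exception {
        File cfg = new File(dir, "truststore.properties"), ksFile = new File(dir, "approved.p12");
        Properties p = new Properties();
        if (cfg.exists()) { try (Reader r = new FileReader(cfg)) { p.load(r); } }
        String pw = p.getProperty("password");
        if (pw == null) {
            byte[] rnd = new byte[24];
            new SecureRandom().nextBytes(rnd);
            pw = Base64.getEncoder().encodeToString(rnd);
            p.setProperty("password", pw);
            dir.mkdirs();
            try (Writer w = new FileWriter(cfg)) { p.store(w, "generated by ApprovedTrust; keep readable by this user only"); }
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (ksFile.exists()) { try (InputStream in = new FileInputStream(ksFile)) { ks.load(in, pw.toCharArray()); } }
        else { ks.load(null, pw.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JVM's own trust store (cacerts or javax.net.ssl.trustStore)
        return new ApprovedTrust((X509TrustManager) tmf.getTrustManagers()[0], ks, ksFile, pw.toCharArray());
    }

    static String sha256Hex(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            jvmTrust.checkServerTrusted(chain, authType); // normal PKIX validation first
            return;
        } catch (CertificateException notInJvmStore) { /* fall through to the per-app store */ }
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // an approved but expired certificate is still rejected
        try {
            String fp = sha256Hex(leaf), alias = "approved-" + fp;
            if (leaf.equals(approved.getCertificate(alias))) return; // step 4: approved earlier
            // step 3: ask, showing the fingerprint so it can be compared out of band
            System.out.println("Certificate not trusted by the JVM: " + leaf.getSubjectX500Principal());
            System.out.println("SHA-256 fingerprint: " + fp);
            System.out.print("Accept and remember it for this application? [y/N] ");
            String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
            if (answer == null || !answer.trim().equalsIgnoreCase("y")) throw new CertificateException("certificate rejected by user");
            approved.setCertificateEntry(alias, leaf); // step 4: remember, pinned by the full certificate
            try (OutputStream out = new FileOutputStream(storeFile)) { approved.store(out, password); }
        } catch (CertificateException e) {
            throw e;
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        jvmTrust.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return jvmTrust.getAcceptedIssuers(); }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { open(new File(System.getProperty("user.home"), ".my-client")) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // the default HostnameVerifier still applies
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two design points matter for the "is this a good solution?" question: the store only widens trust after PKIX has failed and the user has seen the fingerprint, so it never silences the errors on this page for certificates the JVM already validates, and the approval pins the exact leaf (alias derived from its hash), so a rotated or substituted certificate for the same host prompts again rather than being accepted silently. Hostname verification is left to HttpsURLConnection's default verifier; a raw SSLSocket would need the endpoint identification algorithm set explicitly.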
