We Keep Coding

Using modern Java HTTP client to Tomcat 9; cannot get HTTPS to work though self-signed certs in place [duplicate]

This question already has answers here:
"PKIX path building failed" and "unable to find valid certification path to requested target"
(53 answers)
Unable to find valid certification path to requested target - error even after cert imported
(17 answers)
Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(29 answers)
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
(33 answers)
Closed 7 months ago.
Tomcat configured for both 8080 and 8443:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1"
connectionTimeout="20000"
scheme="https"
secure="true"
SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeyAlias="tomcat"
certificateKeystoreFile="certificates/tomcat.jks"
certificateKeystorePassword="changeit"
truststoreFile="certificates/tomcat.jks"
truststorePassword="changeit" />
</SSLHostConfig>
</Connector>
This code works:
HttpRequest request = HttpRequest.newBuilder()
.uri( new URI( "http://localhost:8080/application/" ) )
.headers( "Content-Type", "application/xml" )
.headers( "Accept", "application/xml" )
.POST( HttpRequest.BodyPublishers.ofString( PAYLOAD ) )
.build();
HttpResponse< String > response = client.send( request, HttpResponse.BodyHandlers.ofString() );
while the HTTPS code fails with IOException: PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target:
HttpRequest request = HttpRequest.newBuilder()
.uri( new URI( "https://localhost:8443/application/" ) )
.headers( "Content-Type", "application/xml" )
.headers( "Accept", "application/xml" )
.POST( HttpRequest.BodyPublishers.ofString( PAYLOAD ) )
.build();
HttpResponse< String > response = client.send( request, HttpResponse.BodyHandlers.ofString() );
...despite running JVM with:
-Djavax.net.ssl.keyPassword=changeit
-Djavax.net.ssl.keyStore=/opt/tomcat/certificates/tomcat.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=/opt/tomcat/certificates/trust.jks
-Djavax.net.ssl.trustStorePassword=changeit
Here's how I built the certificate artifacts:
$ keytool -genkeypair -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -validity 365 -keystore tomcat.jks -dname "cn=windofkeltia.com"
$ keytool -export -alias tomcat -file tomcat.crt -keystore tomcat.jks-storepass changeit
$ openssl genrsa -out trust.key 2048
$ openssl req -new -x509 -days 365 -key trust.key -out trust.crt -subj "/CN=windofkeltia.com/"
$ keytool -importcert -alias tomcat -file trust.crt -keystore trust.jks -storePass changeit
# ll
-rw-r--r-- 1 tomcat tomcat 863 Jul 28 11:32 tomcat.crt
-rw-r--r-- 1 tomcat tomcat 2697 Jul 28 11:31 tomcat.jks
-rw-r--r-- 1 tomcat tomcat 1314 Jul 28 15:26 trust.crt
-rw-r--r-- 1 tomcat tomcat 1287 Jul 28 15:26 trust.jks
-rw------- 1 tomcat tomcat 1679 Jul 28 15:26 trust.key

Hybris Commerce ERR SSL VERSION OR CIPHER MISMATCH

I have created a certificate with OpenSSL
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -new -key server.key -out server.csr
keytool -import -trustcacerts -alias server.key -file server.crt -keystore
and placed keystore.jks into ${catalina.home}/lib/
server.xml
<Connector port="9002"
maxHttpHeaderSize="8192"
maxPostSize="4194304"
maxThreads="150"
protocol="org.apache.coyote.http11.Http11Protocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="100"
connectionTimeout="20000"
disableUploadTimeout="true"
URIEncoding="UTF-8"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol = "TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="${catalina.home}/lib/keystore.jks"
keystorePass="123456"
On Chrome it gives following error:
This site can’t provide a secure connection
13.236.191.242 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
curl -Iv https://11.231.191.212:9001/
Trying 11.231.191.212...
TCP_NODELAY set
Connected to 11.231.191.212 (11.231.191.212) port 9001 (#0)
schannel: SSL/TLS connection with 11.231.191.212 port 9001 (step 1/3)
schannel: checking server certificate revocation
schannel: using IP address, SNI is not supported by OS.
schannel: sending initial handshake data: sending 156 bytes...
schannel: sent initial handshake data: sent 156 bytes
schannel: SSL/TLS connection with 11.231.191.212 port 9001 (step 2/3)
schannel: failed to receive handshake, need more data

The problem was that I was creating a Self-signed certificate with OpenSSL. But when I generated the certificate from java Keystore then it works perfectly.
keytool.exe -genkey -alias tomcat -keyalg RSA -keystore c:\tomcatkeys
The reason was OpenSSL and keystore produce certificate in different file formats. You see the difference from the link below.
https://security.stackexchange.com/questions/98282/difference-between-openssl-and-keytool

SSL Exceptions while sending https request from my grails web application deployed in tomcat server

I am getting following Exception when HTTPS Request is sent from Grails Web Application deployed in Tomcat Server(8):
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Here is When I make HTTPS Call(On which Point I get this Exception):
String URL = "https://**.**.**.**:8440/*****";
PostMethod postMethod = new PostMethod(URL);
client.executeMethod(postMethod);
I have created the keystore file using keytool command:
keytool -genkey -alias tomcat -keyalg RSA
and changed the server.xml file too of Tomcat but still getting this exception. Here is my Server.XML File:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="443" keystoreFile="/keystore/keystore.jks" keystorePass="password" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
I have gone through the following possible fixes for this but no luck:
http://java.dzone.com/articles/setting-ssl-tomcat-5-minutes
https://tomcat.apache.org/tomcat-3.3-doc/tomcat-ssl-howto.html
http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
P.S. I simply want tomcat to allow my application to hit HTTPS request for the URL:
String URL = "https://**.**.**.**:8440/*****";
I am rolling my head on this but unfortunately not getting through. Please guide me that what could be the fix for this ? Or I am doing anything wrong ?
Thanks for Your Time :)

Keystore certificate works at Eclipse but Tomcat no

I have an application running in Eclipse, works fine, connect and get a response from webservice that needs a certificate.
But when I deploy and run in Tomcat, I got a error of valid certification:
java.lang.Exception
Message
; nested exception is: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
In my tomcat:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="webapps/.keystore" keystorePass="123456"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />
and in my application, I have another keystore to webservice:
System.setProperty("javax.net.ssl.keyStore", SIC.jks);
System.setProperty("javax.net.ssl.keyStore", keyStore);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
I tried import certificate to cacerts from keytool and nothing...
I don't have any one idea and my time is over in my job...What can I do to resolve that?
I tried everything I guess...works at Eclipse but on deploy tomcat, I got that error above.

Two suggestions
1. Specify the entire path for the keystoreFile. Eg /opt/webapps/.keystore
2. Do not use special characters "#" in the password.

unable to find valid certification path

I have created a certificate in my system using this command:
keytool -export -file test.cert -keystore test -storepass 123456 -alias sriram
Ans: Certificate stored in file <test.cert>.
I have imported this certificate in cacerts of new system using the command :
keytool -importcert -trustcacerts -file "path-to-public-cert" -keystore JAVA_HOME/jre/lib/security/cacerts".
The output is something like this:Trust this certificate? [no]: yes Certificate was added to keystore.
But still I am getting the link error when I run my jar file in new system...Where I went wrong??

Try to read the Apache Tomcat SSL Configuration How-To.
In Edit the Tomcat Configuration File paragraph it explain that you can had the keystoreFile attribute to the connector configuration.
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>