I have two different key pairs, generated using the Java keytool and stored in two different files called keystore1.jks and keystore2.jks.
What I did is import the key pair from keystore2.jks into keystore1.jks with the command below:
keytool -importkeystore -srcstoretype JKS -srckeystore <source_keystorfile> -deststoretype JKS -destkeystore <keystorfile_to_import_keypair>
I have added keystore1.jks to the server so that it listens on SSL using this keystore.
Now I have imported the public key from the file keystore2.jks into a truststore file named truststore.jks.
When I try to connect, using this truststore.jks file, to the server that is listening on SSL with keystore1.jks, the server unfortunately does not accept the connection and throws the exception below:
javax.jms.JMSException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:62)
at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1298)
at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1382)
at org.apache.activemq.ActiveMQConnection.createSession(ActiveMQConnection.java:309)
at com.sample.ssl.job.handler.MessageQueueLocator.getJmsSession(Unknown Source)
at com.sample.ssl.job.handler.MessageQueueLocator.sendMessageToGeneralQueue(Unknown Source)
at com.sample.ssl.communication.JobResposeDispatcherInvoker.dispatchStartupMessage(Unknown Source)
at com.sample.ssl.job.MessageDispatchJob.dispatchStartupMessage(Unknown Source)
at com.sample.ssl.job.MessageDispatchJob.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
at java.io.DataOutputStream.flush(DataOutputStream.java:106)
at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:181)
at org.apache.activemq.transport.InactivityMonitor.oneway(InactivityMonitor.java:255)
at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:168)
at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:844)
at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:135)
at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:122)
at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:43)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:184)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 21 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:330)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
... 28 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:421)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
... 32 more
I don't know where I have made a mistake. In my case, half of the clients use a truststore holding the key pair from keystore1.jks and the remaining ones use keystore2.jks.
The clients that use the truststore of keystore1.jks connect to the server fine, but the clients that use the truststore of keystore2.jks are unable to connect.
Please help me resolve this. If I have done anything wrong, please point me to the correct approach. Thanks in advance.
I did not understand some things from you..
You have two files that have passwords.. You import the second file into the first.
So, why do you need to use a second file?
I think the command should be (back up first):
keytool -importkeystore -srckeystore keystore2.jks -destkeystore keystore1.jks
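The innermost cause in the trace above, "signature check failed", is what PKIX reports when the truststore contains a certificate whose subject name matches the issuer of the certificate the server presents, but whose public key does not verify that certificate's signature. Two self-signed certificates generated with the same distinguished name in two different keystores produce exactly this: the client trusting the keystore2.jks certificate finds an anchor with the right name for the keystore1.jks certificate, tries the signature, and fails. The following Java program is an added example, not code from the question or the answer above; it reproduces the client's validation offline against the two files so the mismatch can be seen without a TLS connection. The file names, the store type (JKS) and the password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SignatureException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;

public class TrustStoreCheck {
    // File names and passwords are assumptions for this example.
    static final String SERVER_KEYSTORE = "keystore1.jks";
    static final String TRUSTSTORE = "truststore.jks";
    static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Mirrors what the JSSE trust manager does: find anchors whose subject equals the
    // issuer of the presented certificate, then check the signature with the anchor's key.
    static void explain(X509Certificate serverCert, KeyStore trust) throws Exception {
        String exact = trust.getCertificateAlias(serverCert);
        System.out.println("  exact certificate present in truststore: " + (exact != null ? exact : "NO"));
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate anchor = (X509Certificate) trust.getCertificate(alias);
            if (anchor == null
                    || !anchor.getSubjectX500Principal().equals(serverCert.getIssuerX500Principal())) {
                continue;   // name does not match, so PKIX would not even try this anchor
            }
            try {
                serverCert.verify(anchor.getPublicKey());
                System.out.println("  " + alias + ": issuer name matches and signature verifies");
            } catch (SignatureException ex) {
                System.out.println("  " + alias + ": same name but a different key pair -> "
                        + "PKIX reports 'signature check failed'");
            } catch (GeneralSecurityException ex) {
                System.out.println("  " + alias + ": cannot verify (" + ex + ")");
            }
        }
    }

    // Runs the same PKIX validation the TLS client runs, without a network connection.
    static String pkixResult(X509Certificate serverCert, KeyStore trust) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(Collections.singletonList(serverCert)), params);
            return "valid";
        } catch (CertPathValidatorException ex) {
            return ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore server = load(SERVER_KEYSTORE, PASSWORD);
        KeyStore trust = load(TRUSTSTORE, PASSWORD);
        for (Enumeration<String> e = server.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!server.isKeyEntry(alias)) {
                continue;   // only key entries can be presented by the server
            }
            X509Certificate cert = (X509Certificate) server.getCertificate(alias);
            System.out.println("server key entry '" + alias + "': " + cert.getSubjectX500Principal());
            explain(cert, trust);
            System.out.println("  PKIX result: " + pkixResult(cert, trust));
        }
    }
}
```

If the output shows "same name but a different key pair", the fix is to put the certificate the server actually presents (exported from keystore1.jks with keytool -exportcert) into the truststore, or to have both server certificates issued by one CA certificate that the truststore holds; a truststore listing is not enough, because keytool shows names, not whether the keys match.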
I am loading an SSL certificate from a .crt file to access a resource, but when I make the call to that intranet resource I get the following exception. Can someone suggest how to overcome this problem? Also, can I disable the DNS check?
...
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Subtree check for certificate subject alternative name failed.
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 81 more
Caused by: java.security.cert.CertPathValidatorException: Subtree check for certificate subject alternative name failed.
at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertBC(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 87 more
Caused by: org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException: DNS is not from a permitted subtree.
at org.bouncycastle.jce.provider.PKIXNameConstraintValidator.checkPermittedDNS(Unknown Source)
at org.bouncycastle.jce.provider.PKIXNameConstraintValidator.checkPermitted(Unknown Source)
I found the answer to this problem; sharing it in case it saves time for anybody else.
What was observed is that in some cases the CA root certificate alone is not sufficient, but when the other intermediate certs are also loaded this issue did not occur. So basically the whole certificate chain was needed to overcome this problem. A combination of a Bouncy Castle library upgrade and including the whole chain of certs worked for me.
I need help connecting to Apache Directory Server using SSL. I'm able to connect to the LDAP server, but when I try to connect over LDAPS I keep getting errors. I have enabled the TLSv1.2 protocol in the server's configuration and still no luck. I have followed Apache's user guide exactly and still no luck!
Here is my code trying to connect using Apache's LDAP Client API:
Edit: I added the trust manager.
import java.io.IOException;
import javax.naming.NamingException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.util.Network;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;

public class SecureP2P {
    public static void main(String[] args) throws LdapException, IOException, NamingException {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(Network.LOOPBACK_HOSTNAME);   // "localhost"
        config.setLdapPort(10636);                        // ApacheDS LDAPS port
        config.setUseSsl(true);
        config.setEnabledProtocols("TLSv1.2");
        config.setSslProtocol("TLSv1.2");
        // accepts any server certificate: no chain validation is performed
        config.setTrustManagers(new NoVerificationTrustManager());
        LdapConnection connection = new LdapNetworkConnection(config);
        connection.connect();
        connection.bind("uid=admin,ou=system", "secret");
        connection.unBind();
        connection.close();
    }
}
Error Message from Client:
WARN : org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL handshake failed.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:519)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:947)
at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:535)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:703)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:659)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:648)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1120)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:601)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:360)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:500)
... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:793)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:567)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 31 more
Exception in thread "main" org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: PROTOCOL_ERROR: The server will disconnect!
at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2169)
at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:129)
at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:112)
at edu.fau.security.network.SecureP2P.SecureP2P.main(SecureP2P.java:26)
Error Message from Server:
[13:21:10] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:519)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:535)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:697)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:651)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:640)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1097)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.mina.filter.ssl.SslHandler.unwrap(SslHandler.java:753)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:688)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:574)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:359)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:500)
... 15 more
I don't get the "Certificate Unknown" exception from the server. Even if I try using Apache Directory Studio to connect to the server with SSL, it still won't authenticate! The certificate is generated by ApacheDS, so I don't know what the issue is. This is really frustrating.
I was able to solve the issue. I created a certificate using keytool and imported it into the keystore for the ApacheDS configuration. I was able to connect and authenticate over LDAPS. I just don't understand why the certificate generated by ApacheDS isn't accepted by Apache Directory Studio's client.
For sure you have a case of a self-signed server certificate not being accepted by the client; I recognize all the signs.
You mention a NoVerificationTrustManager class (never a very good idea, by the way; better to create a TrustManager that reads a configured certificate or keystore), but I doubt that it is actually used.
I think with Apache's API you need to set a specific TrustManager using the method LdapConnectionConfig.setTrustManagers(TrustManager... tms).
Otherwise, you will have to find a way to ensure your TrustManager is really used.
If we know the SSL certificate, we can use a specific TrustManager implementation; otherwise we can simply use the following:
LdapConnectionConfig ldapConnectionConfig = new LdapConnectionConfig();
ldapConnectionConfig.setLdapPort(port);
ldapConnectionConfig.setLdapHost(ip);
ldapConnectionConfig.setUseSsl(useSSL);
ldapConnectionConfig.setTrustManagers(new TrustEverythingSSLTrustManager());
LdapNetworkConnection connection = new LdapNetworkConnection(ldapConnectionConfig);
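The two answers above both end up at setTrustManagers, one suggesting a TrustManager that reads a configured keystore and one passing a trust-everything implementation. The following Java class is an added example, not code from either answer or from the Apache Directory project, showing the first option: the trust managers come from the JDK's TrustManagerFactory over a truststore that holds the ApacheDS server certificate (or the CA that issued it), so a certificate not anchored there fails the handshake instead of being silently accepted. The truststore path, its password, the host and the port are assumptions; the bind DN and password are the ApacheDS defaults used in the question.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class LdapsWithTrustStore {
    // Truststore path and password are assumptions for this example; the store holds
    // either the server's self-signed certificate or the CA that issued it.
    static final String TRUSTSTORE = "truststore.jks";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    // Builds PKIX trust managers that accept only chains anchored in the given store.
    static TrustManager[] trustManagersFrom(String path, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost("localhost");
        config.setLdapPort(10636);             // ApacheDS LDAPS port used in the question
        config.setUseSsl(true);
        config.setEnabledProtocols("TLSv1.2");
        // Replaces NoVerificationTrustManager: an unknown certificate now fails the handshake
        // with the same PKIX error seen in the question instead of being accepted.
        config.setTrustManagers(trustManagersFrom(TRUSTSTORE, TRUSTSTORE_PASSWORD));

        LdapNetworkConnection connection = new LdapNetworkConnection(config);
        try {
            connection.connect();
            connection.bind("uid=admin,ou=system", "secret");
            System.out.println("authenticated over LDAPS: " + connection.isAuthenticated());
        } finally {
            if (connection.isConnected()) {
                connection.unBind();
            }
            connection.close();
        }
    }
}
```

The truststore for this is built with keytool -exportcert on the ApacheDS keystore followed by keytool -importcert into truststore.jks. Note that a TrustManagerFactory trust manager checks the chain, not the host name; if the truststore holds a CA rather than the single server certificate, make sure the certificate's subject alternative name matches the host you connect to.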
Logcat:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:322)
at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:623)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:585)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:627)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:734)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1000(XMPPTCPConnection.java:133)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1023)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$200(XMPPTCPConnection.java:931)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:950)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:324)
at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:225)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:114)
at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:550)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318)
at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:623)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:585)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:627)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:734)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1000(XMPPTCPConnection.java:133)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1023)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$200(XMPPTCPConnection.java:931)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:950)
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:324)
at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:225)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:114)
at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:550)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318)
at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:623)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:585)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:627)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:734)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1000(XMPPTCPConnection.java:133)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1023)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$200(XMPPTCPConnection.java:931)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:950)
03-24 15:56:06.295 17245-17715/de.meisterfuu.smackdemo W/System.err: ... 8 more
03-24 15:56:06.295 17245-17715/de.meisterfuu.smackdemo W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
I am getting this error with localhost using Openfire on Android.
How do I fix this issue?
The error is "Trust anchor for certification path not found".
That means that the server's certificate is not signed by a certificate authority the client knows, or that there is an intermediate certificate that needs to be included on the server.
If for some reason you don't expect the server to have a valid certificate, you need to set a custom TrustManager that won't check it.
I am trying to connect to the Smartsheet API using the Java SDK they have provided. I am only a beginner in Java and programming and completely new to Smartsheet.
Here is my code (taken from http://smartsheet-platform.github.io/api-docs/?java#generating-access-token):
import com.smartsheet.api.*;
import com.smartsheet.api.models.*;
import com.smartsheet.api.models.enums.SourceInclusion;
import com.smartsheet.api.models.enums.ColumnType;
import com.smartsheet.api.oauth.*;
public class Test {
public static void main(String[] args) throws SmartsheetException {
SampleCode();
}
public static void SampleCode() throws SmartsheetException {
// Set the Access Token
Token token = new Token();
token.setAccessToken("MY TOKEN");
// Use the Smartsheet Builder to create a Smartsheet
Smartsheet smartsheet = new SmartsheetBuilder().setAccessToken(
token.getAccessToken()).build();
// Get current user.
smartsheet.userResources().getCurrentUser();
}
}
This is the error I am getting:
Exception in thread "main" com.smartsheet.api.internal.http.HttpClientException: Error occurred.
at com.smartsheet.api.internal.http.DefaultHttpClient.request(DefaultHttpClient.java:169)
at com.smartsheet.api.internal.AbstractResources.getResource(AbstractResources.java:192)
at com.smartsheet.api.internal.UserResourcesImpl.getCurrentUser(UserResourcesImpl.java:179)
at com.target.test.Test.SampleCode(Test.java:25)
at com.target.test.Test.main(Test.java:12)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at com.smartsheet.api.internal.http.DefaultHttpClient.request(DefaultHttpClient.java:149)
... 4 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488)
... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 30 more
The error pretty much tells you what is going wrong:
unable to find valid certification path to requested target
The certificate chain returned by the server is not valid. This may happen for a variety of reasons, most likely a self-signed/expired/invalid certificate.
You can check the certificates returned from the server using the following Linux command:
openssl s_client -showcerts -connect yourserverUrl:port
The problem most likely resides on the server side, but for testing purposes you can work around the certificate validation error by adding the certs into your keystore as trusted certs. Here is the command to add the cert to the keystore:
keytool -import -trustcacerts -file intermediate.crt -alias intermediateCA -keystore $JAVA_HOME/jre/lib/security/cacerts
As part of this import you will be asked to trust the cert, with a message like this:
Trust this certificate?
Just enter yes and you should be good.
I am trying to make an HTTP GET request using HttpURLConnection in Java.
When I make the GET using a browser, it tells me the certificate is not trusted and asks whether I want to proceed.
I accept the certificate and the GET request gets the data, but I am getting a certificate exception in Java (given below).
What I understood from this exception is that I need to download that certificate and set it in a Java system property before making the GET request.
My questions are:
How do I download this certificate from the browser?
Can I use the browser's certificate store in my Java program, and what do I need to know to use that?
If I want to install the certificate in my keystore, what do I need to do?
THANKS A LOT :)
I am trying to download the certificate using the keytool command. I do not have any idea where the certificate is stored on the server, but I gave the path of the server which I use in the browser, and the browser says the certificate is not trusted.
URL gatewayServiceUrl = new URL("http://192.168.55.179:56400/nwa");
HttpURLConnection connection = (HttpURLConnection) gatewayServiceUrl.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("Authorization", getExample.getBasicAuth());
connection.connect();
if (HttpURLConnection.HTTP_OK == connection.getResponseCode()) {
    System.out.println("success");
    System.out.println(getExample.getDataFromStream(connection.getInputStream()));
} else {
    // non-200 status: the body is on the error stream
    System.out.println("failure");
    System.out.println(getExample.getDataFromStream(connection.getErrorStream()));
}
System.out.println(connection.getResponseCode());
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at com.testweb.GetExample.main(GetExample.java:18)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
You have to add the issuer CAs of your server certificate (or directly the server certificate, in case for example your cert is self-signed) to the truststore in order to avoid the PKIX path builder exception.
By default the Java truststore is at JAVA_HOME/jre/lib/security/cacerts (you can specify another trust store with the javax.net.ssl.trustStore property).
To do this, first download the server certificate. You can download it for example with Chrome by connecting to the server URL, clicking on the green lock, then selecting the Connection tab and clicking on Certificate information:
Then save this certificate to disk.
Now you have to add this certificate to the Java trust store; you can do it with the Java keytool (if it is in your path use keytool; if not, keytool is at JAVA_HOME/bin/keytool):
keytool -import -trustcacerts -alias myServerCertificate -file path/myServerCert.crt -keystore JAVA_HOME/jre/lib/security/cacerts
The default password for cacerts is: changeit
Hope this helps,
The other answers work, but I find exporting the cert in browsers to be troublesome. Here are my steps for exporting and then importing the cert, all from the command line:
https://gist.github.com/jeffsheets/d2880dc1e2ea241b19f140c54809f750
Command to export a cert from a website to a .cer file (the example uses google.com):
openssl s_client -servername google.com -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -inform PEM -outform DER -out google.com.cer
Command to import into the local Java truststore (use your own location of JAVA_HOME):
"$JAVA_HOME"/bin/keytool -keystore "$JAVA_HOME"/jre/lib/security/cacerts -importcert -alias google.com -file google.com.cer
The default Java keystore password is changeit.
If you get an update-denied message, in Windows File Explorer set security on the cacerts file to MODIFY for all users (or chmod on Linux).
If keytool is not found, define a JAVA_HOME environment variable (or replace $JAVA_HOME with the full path).
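Both the openssl s_client answer above and the earlier one for the Smartsheet question fetch the chain the server presents so that the right certificate can be imported with keytool. The following Java program is an added example, not code from any of the answers, that does the same capture from the JDK alone, which helps on a Windows box without openssl: it records the chain the server sends during one handshake, prints subject, issuer and SHA-256 fingerprint of each certificate, flags which one is self-signed, and writes each as a PEM file that keytool -importcert accepts. The trust manager inside it only records; it is used for this single diagnostic connection and must not be wired into an application's SSLContext. Host and port come from the command line; the output file names are an assumption.

```java
import java.io.FileWriter;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class FetchChain {
    // Records the chain presented by the server. It performs no validation, so it is
    // only suitable for this one-off capture, never for a production SSLContext.
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] captured = new X509Certificate[0];
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { captured = chain; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Opens one TLS handshake to host:port (SNI is set from the host name) and returns the chain.
    static X509Certificate[] fetch(String host, int port) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
        }
        return tm.captured;
    }

    // SHA-256 over the DER encoding, formatted the way keytool -list -v prints it.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02X:", b));
        }
        return sb.substring(0, sb.length() - 1);
    }

    static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    static String toPem(X509Certificate cert) throws Exception {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        X509Certificate[] chain = fetch(host, port);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            String file = host + "-" + i + ".pem";   // assumed naming: <host>-<index>.pem
            System.out.println("[" + i + "] subject: " + cert.getSubjectX500Principal());
            System.out.println("    issuer:  " + cert.getIssuerX500Principal());
            System.out.println("    sha256:  " + fingerprint(cert)
                    + (isSelfSigned(cert) ? "  (self-signed)" : ""));
            System.out.println("    saved:   " + file);
            try (FileWriter out = new FileWriter(file)) {
                out.write(toPem(cert));
            }
        }
        if (chain.length == 1 && !isSelfSigned(chain[0])) {
            System.out.println("server sent only the leaf: the issuing CA must be obtained and trusted separately");
        }
    }
}
```

Run it as java FetchChain yourserver 443, compare the printed fingerprint with the one obtained out of band (from the server administrator, or keytool -list -v on the server's keystore) before importing anything, and then import the CA file, or the single self-signed file, with keytool -importcert. Importing the leaf certificate of a CA-issued chain works only until that certificate is renewed, while importing the CA keeps working across renewals; the last message in the program shows the case where the server is misconfigured to omit its intermediates, which is the root cause in the Bouncy Castle answer earlier on this page.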
Otherwise, try to follow the solution that you can find in this link: https://stackoverflow.com/a/3685601/2088039
You can export a certificate using Firefox; this site has instructions. Then you use keytool to add the certificate.