Java nested exception SSLHandshakeException - java

I'm having an issue communicating between the Cisco CUCM and a script on another server since the CUCM's certificate has been changed.
I'm running the commands from the server towards the Cisco CUCM.
After troubleshooting it, PHP sends me this:
nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As I know it's SSL related, I imported the new CUCM certificate onto the Debian server which is hosting the script.
By the way, I'm working with OpenSSL 0.9.8o (01 Jun 2010).
I added it to every keystore that I found on the machine (I found 5 different keystores) and reloaded with "dpkg-reconfigure ca-certificates" (even if I don't know if the system is using it).
The fact is that I cannot really change the scripts, I'm in charge of the system, not the code.
What is interesting is this:
1/ Running the command openssl s_client -showcerts -connect ip:443
is telling me:
CONNECTED
...
verify return code: 18 (self signed certificate)
2/ Running the same command but adding "-CApath /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts"
CONNECTED
...
Verify return code: 0 (ok)
I should conclude that the script (and openssl by default) is not using the CA keystore located in the java directory.
Am I right?
If I am, how do I know where the used keystore is located?
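The rule the JVM's own TrustManager follows when no custom one is installed is fixed: it reads the file named by the javax.net.ssl.trustStore system property; if that is unset, it reads <java.home>/lib/security/jssecacerts when present, otherwise <java.home>/lib/security/cacerts (on Java 8 and older java.home already ends in jre/, which is where the path in the question comes from). The program below is an added example, not code from the question or from Cisco or Debian: it resolves that path the same way, loads the store, and runs the same PKIX path validation the handshake performs against a PEM chain saved from openssl s_client -showcerts. The class name, the command-line argument and the "changeit" default are assumptions; the chain file is whatever you saved.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class TrustStoreCheck {

    // Resolve the trust store the JVM's default TrustManager reads when no custom one is
    // installed: javax.net.ssl.trustStore if set, otherwise <java.home>/lib/security/jssecacerts
    // if present, otherwise <java.home>/lib/security/cacerts. On Java 8 and older java.home
    // already points at the jre/ directory, which is why the path in the question contains jre/.
    static Path effectiveTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            return Paths.get(configured);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    // Load the store read-only. A null password skips the integrity check, so reading works
    // even when the store password is not the stock "changeit" (assumed default).
    static KeyStore loadTrustStore(Path path) throws Exception {
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        return ks;
    }

    // Run the same PKIX path validation the JVM performs during the TLS handshake.
    // The chain is leaf first, as openssl s_client -showcerts prints it. Returns the alias or
    // subject of the anchor that made the chain trusted; throws CertPathValidatorException
    // (the condition behind "unable to find valid certification path") otherwise.
    static String validate(List<X509Certificate> chain, KeyStore trust) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        // PKIX expects the path without the anchor; if the server sent a certificate that is
        // already a trusted entry (e.g. an imported self-signed cert), drop it from the path.
        String alias = trust.getCertificateAlias(path.get(path.size() - 1));
        if (alias != null) {
            path.remove(path.size() - 1);
            if (path.isEmpty()) {
                return "trusted entry '" + alias + "' (server cert itself is in the store)";
            }
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // offline check; keep revocation on in production
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                validator.validate(cf.generateCertPath(path), params);
        return result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustStoreCheck <server-chain.pem>");
            System.exit(2);
        }
        Path store = effectiveTrustStore();
        KeyStore trust = loadTrustStore(store);
        System.out.println("trust store in use: " + store + " (" + trust.size() + " entries)");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        try {
            System.out.println("chain is trusted via: " + validate(chain, trust));
        } catch (CertPathValidatorException e) {
            System.out.println("chain is NOT trusted by " + store + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the same java binary and the same -D options the script uses, because a different JVM (java-6-openjdk versus another install on the same Debian box) has a different cacerts, and a script that sets -Djavax.net.ssl.trustStore ignores cacerts entirely. If the application installs its own TrustManager in code, this rule does not apply and only the code can tell you which store is read.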

Related

Certificate chain handed over to graylog for internal communication doesn't work

I have stored a correct certificate in the Graylog configuration file, in the correct format. The web interface is also accessible via https. However, I get the following error message:
WARN [ProxiedResource] Unable to call https://<...>/api/system/metrics/multiple on node <...>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
WARN [ProxiedResource] Unable to call https://<...>/api/system/inputstates on node <...>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I work on Debian 10 with Graylog 5.0
My Server conf
Hope someone can help me.
I have also packed the certificate chain into the cacerts file from Elastic via keytool.
Last time I was able to work around it by adding a local DNS entry to the hosts file, which set the hostname to the public IP (the certificate did not contain the IP, but now it does).
Or do I have the wrong approach?
First, search for the cacerts for Graylog:
sudo find / -name cacerts
then put in the cert chain via keytool:
sudo keytool -import -keystore /usr/share/graylog-server/jvm/lib/security/cacerts -file /etc/ssl/certs/gray.pem
Once this was done it started working.

how to get java application to work with charles proxy on M1 Mac

Charles 4.6.2, macos 12.1
Following this page, https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/
I tried the following steps:
help->ssl proxying->save charles root cert
find where java lives: /usr/libexec/java_home
cd /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/lib/security
sudo keytool -import -alias charles -file ~/Documents/charles-ssl-proxying-certificate.pem. This prompts for 3 passwords, which I created new/random passwords for (don't know what they are)
start java thusly: java -jar aem-publish-p4503.jar -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=8888
In Charles, proxy->ssl proxy settings, check Enable proxy settings.
Add URLs in "include" which the java server will call with port 443.
Now when my java app tries to hit api end points I added to the SSL proxying location, I get the following in the charles proxy sequence output:
URL https://npxx.net
Status Failed
Failure SSL handshake with client failed: An unknown issue occurred processing the certificate (certificate_unknown)
Notes You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu.
Response Code 200 Connection established
Protocol HTTP/1.1
In java logs, I see this:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
NOTE: the external end point the local java process is hitting has a wildcard multi-SAN cert from Comodo
=== UPDATE 1 ====
I found an undocumented way to add certificates, in charles proxy, there are some cert install options under help:
Help->SSL proxying->Install Charles Root Cert.
This does nothing. Presumably it doesn't work on Mac.
Help->SSL proxying->Install cert on Java VMs
This does work, and prompts for a password, then says complete, but doesn't help.

Jenkins to slave machine connection got broken after updating the SSL certs?

Recently the cert expired on both the Jenkins server (Linux) and the IIS server (Windows), and we have imported the new certs for both Jenkins and the remote slave.
After that, it was able to connect when we launched through the browser (but with a Java pop-up: "The certificate is not valid and cannot be used to verify the identity of this website"), and if we install Jenkins as a service on the Windows machine it stays in the starting state (not proceeding to the Running state) and is unable to start Jenkins as a slave. In the logs
I can see this error as follows:
"Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Your certs are not correct. Make sure the values for CN and hostname on the cert you imported are the same as the old cert. Make sure you have the intermediate and root certificates imported/trusted as well, as those may have changed with the new certs.
Windows: certlm to check that the intermediate and root certificates are also trusted.

Invoking HTPS WebService from java

I am trying to access a web service which has SSL enabled from a stand-alone Java program. I was able to generate the client from the WSDL; however, when I am trying to invoke the web service I get an SSL handshake issue. Below is the Java code:
// shs is the generated service class instance (created earlier, not shown in the post)
TestWebService sh = (TestWebService) shs.getTestWebServiceExportTestWebServiceHttpPort();
BindingProvider port = (BindingProvider) sh;
// point the generated port at the endpoint given on the command line
port.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, args[0]);
System.out.println(((BindingProvider) sh).toString());
The URL is, let's say, https://service.test.com/sca/TestWebService?wsdl
Below is the error message:
Failed to access the WSDL at:
https://service.testwebservice.com/TestWebServiceExport?wsdl. It failed with:
Got com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Corp Production Root CA V1, O=Cord Inc. is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error while opening stream from https://service.testwebservice.com/TestWebServiceExport?wsdl.
I have installed the certificate in the IE browser from the website but still no luck.
You are on the right track by installing the cert into IE browser - that would allow IE to access the web service without error. However, as your client is Java (and not IE), you need to install the cert into Java.
The Java command for doing this is as follows:
$JAVA_HOME/bin/keytool -import -alias service.test.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/certfile.pem
Note: this will install the cert into the default keystore for that Java install. This will affect all Java processes using that JVM. The default password for the keystore is 'changeit'.

com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed:

I did the following steps but it's throwing an exception:
1. I have installed OpenAM 10.0.0 on Windows Server 2003.
2. Configured Tomcat with SSL on the same Windows server machine.
3. It is configured correctly and the OpenAM URL is accessible with https.
4. Installed the OpenAM client SDK on another machine, which is an Ubuntu machine, and from that Ubuntu machine I am trying to log in to the OpenAM server using
AuthContext lc = new AuthContext("/","https://server.ensarm.com:8443/openam/namingservice");
AuthContext.IndexType indexType = AuthContext.IndexType.MODULE_INSTANCE;
lc.login(indexType, "DataStore");
return lc;
But I am getting the following exception:
ERROR: Naming service connection failed for https://server.ensarm.com:8443/openam/namingservice
com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I didn't understand what the problem could be. Is it because my Java keystore (needed for SSL configuration) is on the Windows server machine and I have no keystore on the Ubuntu machine,
OR
do I need to import the keystore into the Ubuntu machine? Please can anyone help me get out of this.
“javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:”
It means the server does not have a valid certificate from an Authorized CA.
You are facing this exception because you are trying to connect through SSL (https). You would need to import the server certificate into the JRE KeyStore.
Perform the following steps to resolve it:
Getting the certificate: Type the URL (e.g. https://server.ensarm.com:8443/openam/namingservice) in your browser.
You will now probably see a dialog box warning you about the certificate. Now click on 'View Certificate' and install the certificate. Ignore any warning messages.
The next step would be to export the certificate and install it in the JRE keystore. Use the keytool certificate management utility to perform this: http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
Exporting certificate: Go to Tools->'Internet Options'->Content->Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities'. Select the right one and click on 'Export'. You can now save it (DER encoded binary) as e.g. mycert.cer.
Go to JRE\BIN and use the keytool -import command to import the file into your cacerts keystore.
E.g. keytool -import -alias MYCA -keystore ..\lib\security\cacerts -file c:\mycert.cer
Enter keystore password: (by default it will be "changeit"). Input "yes" to the prompts.
Run the command keytool -list -keystore ..\lib\security\cacerts. You will now see a list of all the certificates including the one you just added.
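The keytool -import and keytool -list steps in the answer above (and the same keytool steps in the Graylog and Jenkins threads earlier on this page) are plain KeyStore operations, and doing them from Java makes it easy to keep the imported certificate in a dedicated trust store rather than in the JVM-wide cacerts that every Java process shares. The program below is an added example, not code from the answer, from OpenAM or from Oracle: it imports every certificate in a DER or PEM file as a trusted entry, lists the store the way keytool -list does, and then opens an HTTPS connection through an SSLContext that trusts exactly that store. The class name, the alias "myca", the command-line arguments and the "changeit" password are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ImportTrustedCert {

    // Equivalent of: keytool -import -alias <alias> -keystore <store> -file <cert>
    // Every certificate in the file (DER or PEM, one cert or a whole chain) becomes a
    // trusted entry; the store is created if it does not exist yet.
    static KeyStore importCerts(Path store, char[] password, String alias, Path certFile)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.exists(store)) {
            try (InputStream in = Files.newInputStream(store)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, null); // fresh, empty store
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (InputStream in = Files.newInputStream(certFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                // keytool refuses duplicate aliases; suffix the alias for a multi-cert file.
                String entryAlias = n == 0 ? alias : alias + "-" + n;
                ks.setCertificateEntry(entryAlias, c);
                n++;
            }
        }
        try (OutputStream out = Files.newOutputStream(store)) {
            ks.store(out, password);
        }
        return ks;
    }

    // Equivalent of: keytool -list -keystore <store>   (one "alias -> subject" line each)
    static List<String> listEntries(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            String subject = c instanceof X509Certificate
                    ? ((X509Certificate) c).getSubjectX500Principal().getName()
                    : c.getType();
            lines.add(alias + " -> " + subject);
        }
        return lines;
    }

    // An SSLContext whose TrustManager trusts exactly this store, so the application can use
    // a dedicated trust store instead of editing the JVM-wide cacerts.
    static SSLContext contextTrusting(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ImportTrustedCert <truststore> <cert-file> <https-url>");
            System.exit(2);
        }
        char[] password = "changeit".toCharArray(); // assumption: same default as cacerts
        KeyStore ks = importCerts(Paths.get(args[0]), password, "myca", Paths.get(args[1]));
        for (String line : listEntries(ks)) {
            System.out.println(line);
        }
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(contextTrusting(ks).getSocketFactory());
        // Hostname verification stays on: the certificate must still match the host in the URL.
        System.out.println(args[2] + " -> HTTP " + conn.getResponseCode());
    }
}
```

For code you cannot change (the OpenAM client SDK here, or a vendor script) the same store can be handed to the JVM with -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<password>. Two caveats: that property replaces cacerts rather than adding to it, so public CAs are no longer trusted unless the dedicated store was created as a copy of cacerts; and importing the issuing CA (root and intermediate) rather than the server's leaf certificate means a routine certificate renewal, like the CUCM change in the first question, does not break the trust again.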
