I am new to code signing and certificates. Short description: I connect to an Alfresco repository to download some documents to the client using OpenCMIS. Everything was working fine until I tested it with our test server, which uses SSL (HTTPS URL) connections. Here I get an exception:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have no experience with such things and don't know what I have to do so that my application runs properly. I have read that I have to use the certificate or a truststore or something, but what exactly do I need to do? Can someone help me please?
EDIT: I should have mentioned that I am developing a Java Web Start application. Is there a solution in which I don't have to manually install the certificate in the local truststore?
EDIT2: Okay, since I would have to import the certificate on every computer, this is no longer an option, and I will use the workaround which ignores the verification of the certificate.
Thank you anyways guys!!!
I tried this long back for a similar problem, and it was working.
// Placeholder paths, passwords and types; substitute your own files.
System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");      // CA certificates you trust
System.setProperty("javax.net.ssl.trustStorePassword", "truststore-password");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");                      // JKS or PKCS12
System.setProperty("javax.net.ssl.keyStore", "/path/to/keystore.p12");          // client certificate + private key (client auth only)
System.setProperty("javax.net.ssl.keyStorePassword", "keystore-password");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");        // re-enables renegotiation with servers that predate RFC 5746
Also, the same can be achieved by configuring the truststore and keystore in the application server you are using.
The issue is with certificates not getting imported correctly.
I hope the links below will help you out.
Link1
Link2
I have two apps: one is written in Node.js (which in this case is a simple mock server) and a Spring app (the core app). I want to create an SSL connection between these two. First I generated a key pair and cert, then simply set up Node.js to work over SSL (I used this example: setting SSL - nodeJs).
I have checked that when I type https://localhost:3000 in the browser it gives me a "secure" connection (with an open padlock - so it's ok).
Next I made the configuration on the Spring app using setting SSL - Spring. I took the cert from the previous generation step and put it in a keystore as a .p12 file. In the Spring application I changed the URL to the Node app to https.
When I try to connect from the Spring app and get some mock data from Node I'm getting this stack trace:
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I found something on Stack Overflow, but when I put this cert in the specific directory and then restart my app, the result is the same.
Does anyone maybe have a clue what could be wrong in this configuration and some suggestion how to fix it?
I found the solution to this problem. I don't know why, but when I created a keystore with the cert inside and then used it in my Spring app, it could not find this keystore with the cert globally. I was looking for documentation about OpenJDK 11 (because I used it) and found a link to Enabling Unlimited Strength Jurisdiction Policy and checked the file for the version of OpenJDK 11 I have.
In my case the crypto.policy line was commented out, I don't know why. When I uncommented it and set it to unlimited it gave me one more error, but then I found another solution. I found that I need to add my self-signed certificate to the cacerts file (how to add my self-signed cert to cacerts). After these two operations it works like a charm.
All,
Our cert expired and we bought another one with a new CSR. It's installed for the Zimbra web server. We cannot validate it properly from cert checkers; everything looks good. But our app which was calling this server now trips with:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The JVM keystore has the valid root cert from GoDaddy installed. All the links that I read talk mostly about adding the root cert to the keystore.
Has anyone faced this issue?
Thanks in advance for some pointers.
Problem fixed. I took the help of a consultant who is an expert in SSL issues. The issue is the same as everyone is stating: the certs are not properly installed. However, our Java truststore had a valid GoDaddy cert. But that is not all; it seems that after the SHA2 migration, GoDaddy changed its cert and intermediates. Even though we installed those, it seems we missed something. It would take a few hours to figure it out. But jdk1.7.0_u79 or 1.8.0_u45 have the GoDaddy SHA2 certs properly configured and installed. We had to upgrade from 1.7.0_u72 to 1.7.0_u79 and presto, problem solved.
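The chain-inspection tool below is an added example, not code from the question or from the consultant's fix. It connects to a host named on the command line, records the certificate chain the server actually sends, runs that chain through the JVM's default trust manager (cacerts, or javax.net.ssl.trustStore if set), and then says which of the usual causes of "unable to find valid certification path" applies: the server sends only its leaf certificate (missing intermediate on the server side), the chain ends at an issuer that is not in the trust store (the situation after a CA rotates its intermediates or roots), or the issuer name is present but validation still fails (expired certificate, or a re-issued CA certificate under the same name with a new key). The class name, the host/port arguments and the report wording are assumptions; it needs network access to the target.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ChainCheck {

    // The JVM's default X509TrustManager: cacerts, or javax.net.ssl.trustStore when that is set.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Records the chain the server presented, then lets the real trust manager decide.
    // It rethrows the failure, so this is a diagnostic, not a bypass.
    static final class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] presented;
        CertificateException failure;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presented = chain.clone();
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                failure = e;
                throw e;
            }
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    // Lists the presented chain and names the likely cause of a path-building failure.
    static List<String> diagnose(X509Certificate[] chain, X509Certificate[] anchors, CertificateException failure) {
        List<String> report = new ArrayList<>();
        for (int i = 0; i < chain.length; i++) {
            report.add("[" + i + "] subject=" + chain[i].getSubjectX500Principal()
                    + " issuer=" + chain[i].getIssuerX500Principal());
        }
        if (failure == null) {
            report.add("OK: chain validates against the trust store");
            return report;
        }
        report.add("FAILED: " + failure.getMessage());
        X509Certificate last = chain[chain.length - 1];
        boolean issuerIsAnchor = false;
        for (X509Certificate anchor : anchors) {
            if (anchor.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                issuerIsAnchor = true;
                break;
            }
        }
        if (!issuerIsAnchor && chain.length == 1) {
            report.add("the server sent only its leaf certificate and its issuer is not a trust anchor: "
                    + "the intermediate CA certificate is missing from the server's certificate bundle");
        } else if (!issuerIsAnchor) {
            report.add("the chain ends at a certificate issued by " + last.getIssuerX500Principal()
                    + ", which is not in the trust store: import that CA certificate");
        } else {
            report.add("the issuer name is in the trust store but validation still failed: check validity dates, "
                    + "and whether the CA re-issued this certificate under the same name with a new key "
                    + "(then the new CA certificate must be imported)");
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];                                   // e.g. mail.example.org (placeholder)
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        RecordingTrustManager recorder = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();   // SNI is sent automatically for a socket created from a hostname
        } catch (SSLHandshakeException e) {
            // expected when validation fails; the recorder holds the details
        }
        if (recorder.presented == null) {
            System.out.println("handshake failed before the server sent a certificate");
            return;
        }
        for (String line : diagnose(recorder.presented, recorder.getAcceptedIssuers(), recorder.failure)) {
            System.out.println(line);
        }
    }
}
```

Run it as `java ChainCheck host [port]` with the same JVM (and the same javax.net.ssl.trustStore setting) the failing application uses, since the trust store consulted is part of what is being diagnosed. Browsers and online checkers often succeed on a chain the JVM rejects because they fetch missing intermediates via AIA or cache them from earlier visits; JSSE does neither, which is why a server that omits its intermediate looks fine everywhere except in Java.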
I'm trying to write a service in Grails to send push notifications to update passbook passes. I got to the point where I could test to see if the code to connect to the APN server was working, however, I cannot seem to establish a connection using the Java SSLSocket methods.
The first part of the connection works: I receive the certificate from the server and find a trusted certificate in the certificate chain; however, after that, for some reason my client certificate / certificate chain is never sent to the server, and hence the connection fails.
I can't seem to figure out why the certificate is not being sent. I use the following code to set up the keystore:
void setupSSLPropertiesForConnection() {
System.setProperty("javax.net.ssl.keyStore", "superSecretFile.p12")
System.setProperty("javax.net.ssl.keyStorePassword", "superSecretPassword")
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12")
System.setProperty("javax.net.ssl.trustStore", "trustStoreFile")
System.setProperty("javax.net.ssl.trustStorePassword", "trustStorePassword")
System.setProperty("javax.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol")
}
and then to try and connect to the APN server:
setupSSLPropertiesForConnection()
SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault()
SSLSocket socket = (SSLSocket)factory.createSocket("gateway.push.apple.com", 2195)
I've looked at the PKCS12 file using Java's keytool and there is only one alias, which contains the entire certificate chain for my passbook certificate (certificate, WWDR, Apple Certificate), so I'm stuck on why the certificate isn't being sent when it's requested. Any help as to why it's not sending the certificate information would be much appreciated!
Edit: Also, if someone were to post a method of getting an SSL certificate from a .p12 used to sign passes, or simply from the passbook certificate downloaded from the iOS dev portal, that is known to work, then I might be able to work backwards from that to figure out what it is I'm doing wrong.
Now I feel silly; apparently the filenames for my client PKCS12 file and the trust store file were both wrong, but when setting the keystore and truststore using System.setProperty, it doesn't throw any error if the files cannot be found or opened.
I tried changing my code so that I create the SSLSocketFactory from an SSLContext created with a TrustManagerFactory and a KeyManagerFactory, and when I tried that it threw a FileNotFoundError. Now it seems to be working at least. Sigh.
I've been developing a WS client using Java and I'm having a problem with SSL authentication. The WS are created in WCF and I have no access to the server; they work over HTTPS and use a client certificate that needs to be installed on the client first. The server guys sent me a PFX certificate, which I successfully installed on the OS (I'm using OS X), and I could then access the WS via a browser (Safari and FF are the two I tried, which previously couldn't access the WSs).
I thought any app on the OS would use these certs, but when I tried my Java app it didn't work; at first the following error was being thrown:
"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
I solved this by exporting the certificate to a CER file and using the keytool command line tool to add the certificate to the "cacerts" keystore Java uses. But after this error went away the following started appearing: "403, forbidden". This is obviously because it's not using the SSL client cert for the site, but I haven't been able to find a way to send it. Any help would be appreciated.
The following is the code I use to post to the WS:
URL url = new URL(p_url);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setDoOutput(true);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", contentType);
OutputStream out = conn.getOutputStream(); // on this line it shows the error
You can either create a specific SSLContext (using a KeyManager initialised with the keystore containing your client cert + private key), from which you derive an SSLSocketFactory, which you set into your HttpsURLConnection, or use the global settings.
You could set the following system properties (for the global settings):
javax.net.ssl.keyStore=path/to/keystore.pfx
javax.net.ssl.keyStoreType=PKCS12
javax.net.ssl.keyStorePassword=xxxxxxxxx
Alternatively, you can create your own KeyManagerFactory/KeyManager as described in this answer.
Since you've imported the server certificate in your cacerts, use null for the TrustManager[] argument of SSLContext.init() (it will pick up the default values).
In addition, since you're on OSX, you could use the KeychainStore directly. To do so, use ....keyStore=NONE, keyStoreType=KeychainStore and keyStorePassword=- (any password will do, since access to the key will be granted when you need it from the OS). I'm not sure if it works on Lion, though. Note that it may fail if you have more than one cert+private key in your store (see this issue).
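The following is an added example, not code from this answer or from the poster's project. It takes the first option above (a specific SSLContext built from a KeyManagerFactory, installed on one HttpsURLConnection) and writes it out in full for a PKCS12/PFX client keystore, with the trust side defaulting to the JVM trust store once the server's CA is in cacerts. Loading the keystore through KeyStore.load means a wrong path fails at that line with FileNotFoundException and a wrong password with IOException, which is what the APN question earlier on this page ran into after setting the paths only through system properties; it also keeps the client identity scoped to this connection rather than the whole JVM. The class name, the argument layout and the SOAP body are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class MutualTlsClient {

    // Opens a keystore from disk. A bad path throws FileNotFoundException here, at startup;
    // a bad password or wrong type throws IOException. Nothing is deferred to the handshake.
    static KeyStore loadKeyStore(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Builds an SSLContext that presents the client certificate from a PKCS12 (.p12/.pfx) file.
    // With trustStorePath == null the JVM default trust store is used, which is the right choice
    // once the server's CA certificate has been imported into cacerts.
    static SSLContext buildContext(String clientP12, char[] clientPassword,
                                   String trustStorePath, char[] trustPassword)
            throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(clientP12, "PKCS12", clientPassword), clientPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStorePath == null
                ? (KeyStore) null                                                     // JVM default trust store
                : loadKeyStore(trustStorePath, KeyStore.getDefaultType(), trustPassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // POSTs a body using ctx for this connection only; other code in the JVM keeps its own TLS setup.
    static int post(URL url, SSLContext ctx, String contentType, byte[] body) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", contentType);
        try (OutputStream out = conn.getOutputStream()) {   // the TLS handshake, including client auth, happens here
            out.write(body);
        }
        // A 403 returned after a successful handshake means the server did not authorize
        // the presented certificate; a handshake failure would have thrown above instead.
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // args: <https-url> <client.p12> <p12-password>  (placeholders for your own values)
        SSLContext ctx = buildContext(args[1], args[2].toCharArray(), null, null);
        byte[] body = "<soap:Envelope/>".getBytes(StandardCharsets.UTF_8);   // constructed sample request
        System.out.println("HTTP " + post(new URL(args[0]), ctx, "text/xml; charset=utf-8", body));
    }
}
```

If the server still answers 403 with this in place, check with `keytool -list -v -keystore client.p12 -storetype PKCS12` that the file contains a PrivateKeyEntry (a certificate without its key cannot be used for client auth), and run with `-Djavax.net.debug=ssl:handshake` to confirm that a Certificate message with your certificate is sent in response to the server's CertificateRequest.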
Looks like you probably need to set up your own SSL SocketFactory,
http://vafer.org/blog/20061010073725/
I would think things have gotten better since 2006, so you may just need to specify a bunch of properties on the command line:
http://stackoverflow.com/questions/875467/java-client-certificates-over-https-ssl
You need to load the keystore they sent you in your Java application.
You can load it as a file from the file system into a KeyStore object and use it. Read this example and especially the part about KeyManager, i.e. the createKeyManagers method.
Another option would be to load the keystore from Windows. Read about the Windows-MY provider.
I'm trying to print a URL (without having a browser involved at all) but the URL is currently throwing the following:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I'm calling the URL using a JEditorPane's setPage method, which just takes a URL as a parameter. Assuming I can't change anything server side and I still need to get to this resource, how would I go about ignoring the certificate error (or something else that gets me to my goal)?
Accessing this URL via a browser tells me the site is untrusted and asks me if I want to proceed.
Extend JEditorPane to override the getStream() method.
Inside that method, you can open a URLConnection. Test whether it is an HttpsURLConnection. If it is, initialize your own SSLContext with a custom X509TrustManager that doesn't perform any checks. Get the context's SSLSocketFactory and set it as the socket factory for the connection. Then return the InputStream from the connection.
This will defeat any attempts by the runtime to protect the user from a spoof site serving up malware. If that's really what you want…
This is possibly because the certificate in your keystore for accessing the target HTTPS URL does not match the certificate from the server.
You need to import the certificate into your JVM's keystore.
Obtain the keystore certificates to access this URL and then import them into the main keystore with
keytool -importkeystore -srckeystore /path/to/custom/keystore -destkeystore $JAVA_HOME/jre/lib/security/cacerts
assuming you are using the Java from $JAVA_HOME.
I would use erickson's solution.
Another way is to add the server's certificate (probably self-signed) to your trusted certificates KeyStore (I would do it just in your test environment).
Use:
java InstallCert YourHost
to create a jssecacerts file
then copy it to the following folder:
$JAVA_HOME/jre/lib/security
If it is the same server that you will be contacting each time, it might be okay to simply trust this one certificate by adding it to the trust store. I wouldn't add this to the default cacerts file, but you can make your own keystore and specify it through the javax.net.ssl.trustStore system property.
Lastly, if you want to disable PKIX checking completely (which you should only do if you understand that this will compromise security quite a lot) the only way is to implement your own SSL context and trust manager as erickson has suggested.
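As an added example (not erickson's code nor any other answer's), here is the trust manager that performs no checks, as described above, placed beside the alternative the later answers recommend: a trust store built in memory that holds only the server's own certificate, which leaves cacerts untouched and still fails closed for any other certificate, including one from the same CA. The JEditorPane.getStream override is also shown, wired to the pinned context rather than the blind one. The class names, the argument layout and the alias names are assumptions; the certificate file is whatever you exported from the server (PEM or DER).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.swing.JEditorPane;
import javax.swing.JFrame;
import javax.swing.JScrollPane;

public final class TrustOptions {

    // INSECURE: every chain is accepted, so anyone on the network path can impersonate the server.
    // This is the "X509TrustManager that doesn't perform any checks" from the answer above.
    static SSLContext trustEverything() throws Exception {
        X509TrustManager noChecks = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { noChecks }, null);
        return ctx;
    }

    // SAFER: trust exactly the certificate(s) in certFile (for a self-signed server, the server
    // certificate itself). JSSE accepts a leaf that is directly in the trust store, so no CA is
    // needed. The store lives in memory; cacerts is untouched and other certificates still fail.
    static SSLContext trustOnly(String certFile) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                                   // empty trust store
        int count = 0;
        try (InputStream in = new FileInputStream(certFile)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                ts.setCertificateEntry("pinned-" + count++, c);  // alias names are arbitrary
            }
        }
        if (count == 0) {
            throw new IllegalArgumentException("no certificates found in " + certFile);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // JEditorPane whose HTTPS fetches go through ctx instead of the JVM-wide default.
    static final class PinnedEditorPane extends JEditorPane {
        private final SSLContext ctx;

        PinnedEditorPane(SSLContext ctx) {
            this.ctx = ctx;
            setEditable(false);
        }

        @Override protected InputStream getStream(URL page) throws IOException {
            URLConnection conn = page.openConnection();
            if (conn instanceof HttpsURLConnection) {
                // Only the socket factory is replaced. The default HostnameVerifier stays, so a
                // trusted certificate presented by a host it was not issued to is still rejected.
                ((HttpsURLConnection) conn).setSSLSocketFactory(ctx.getSocketFactory());
            }
            String type = conn.getContentType();   // connects (and handshakes) if not already connected
            if (type != null) {
                setContentType(type);              // selects the EditorKit, as the default getStream does
            }
            return conn.getInputStream();          // rethrows the handshake failure if validation failed
        }
    }

    public static void main(String[] args) throws Exception {
        // args: <https-url> <server-cert.pem>  (both are placeholders for your own values)
        PinnedEditorPane pane = new PinnedEditorPane(trustOnly(args[1]));
        JFrame frame = new JFrame("pinned viewer");
        frame.add(new JScrollPane(pane));
        frame.setSize(800, 600);
        frame.setVisible(true);
        pane.setPage(new URL(args[0]));   // fails with SSLHandshakeException for any other certificate
    }
}
```

Swapping `trustOnly(args[1])` for `trustEverything()` is the one-line change that turns this into the bypass the answers warn against; keeping the pinned variant costs only the export of the server certificate (for example with `keytool -printcert -sslserver host:port -rfc`) and breaks loudly when that certificate is replaced, which is the behaviour you want from a test-environment workaround.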
On a related note: my mutual certificate authentication with a WCF .NET web service was causing issues in my test environment. I added these two lines to my code to fix the problem and allow me to work through the issue:
//Uncomment this in case server demands some unsafe operations
System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
//this command allowed me to see the detailed debugger log for detecting the
//issue with my certs.
System.setProperty("javax.net.debug","all");
Here is a nice reference for dealing with SSL negotiation and certificates in a Java/Windows/Unix world: Transport Layer Security (TLS) Renegotiation Issue Readme