I use apache http client on https address, I get:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
so i used InstallCert.java however after after running InstallCert.java
I get
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
why do i still have a problem? it looks like the problem changed but why? how can i then resolve the second problem? I thought install cert should resolve it fully...
instead of using InstallCert.java I ended up using manual add certificate and it worked:
Digital Certificate: How to import .cer file in to .truststore file using?
Related
I need help connecting to Apache's Directory Server using SSL. I'm able to connect to the LDAP server but when I try to connect to LDAPS, I keep getting errors. I have enabled TSLv1.2 protocol in the server's configuration and still no luck. I have followed Apache's user guide exactly and still no luck!
Here is my code trying to connect using Apache's LDAP Client API:
Edit: I added the trust manager.
public class SecureP2P {
public static void main(String[] args) throws LdapException, IOException, NamingException {
LdapConnectionConfig config = new LdapConnectionConfig();
config.setLdapHost(Network.LOOPBACK_HOSTNAME);
config.setLdapPort(10636);
config.setUseSsl(true);
config.setEnabledProtocols("TLSv1.2");
config.setSslProtocol("TLSv1.2");
config.setTrustManagers(new NoVerificationTrustManager());
LdapConnection connection = new LdapNetworkConnection(config);
connection.connect();
connection.bind("uid=admin,ou=system", "secret");
connection.unBind();
connection.close();
}
}
Error Message from Client:
WARN : org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL
handshake failed.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:519)
atorg.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:947)
at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:535)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:703)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:659)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:648)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1120)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:601)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:360)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:500)
... 15 more Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:793)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:567)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 31 more
Exception in thread "main" org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: PROTOCOL_ERROR: The server will disconnect!
at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2169)
at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:129)
at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:112)
at edu.fau.security.network.SecureP2P.SecureP2P.main(SecureP2P.java:26)
Error Message from Server:
[13:21:10] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
Unexpected exception forcing session to close: sending disconnect notice to
client.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:519)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:535)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:697)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:651)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:640)
at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1097)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.mina.filter.ssl.SslHandler.unwrap(SslHandler.java:753)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:688)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:574)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:359)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:500)
... 15 more
I don't get the "Certificate Unknown Exception" from the server. Even if I try using Apaches Directory Studio to connection to the server with SSL it still won't authenticate! The certificate is generated by apacheDS so I don't know what is the issue. This is really frustrating.
I was able to solve the issue. I created a certificate using Keytool and imported into the keystore for the ApacheDS configuration. I was able to get connected and authenticated through LDAPS. I just don't understand why the certificate generated by ApacheDS doesn't get accepted by Apache Directory Studio's client.
For sure you have a case of self-signed server certificate not being accepted by the client, I recognize all the signs.
You mention a NoVerificationTrustManager class (never a very good idea by the way - better create a trustmanager that reads a configured certificate or keystore) but I doubt that it is actually used.
I think with Apache's API you need to set a specific TrustManager using the method LdapConnectionConfig.setTrustManagers(TrustManager... tms).
Otherwise, you will have to find a way to ensure your TrustManager is really used.
If we know about SSL certificate, we can use specific TrustManager impelmentaion, otherwise simply we can use as below
LdapConnectionConfig ldapConnectionConfig = new LdapConnectionConfig();
ldapConnectionConfig.setLdapPort(port);
ldapConnectionConfig.setLdapHost(ip);
ldapConnectionConfig.setUseSsl(useSSL);
ldapConnectionConfig.setTrustManagers(new TrustEverythingSSLTrustManager());
LdapNetworkConnection connection = new LdapNetworkConnection(ldapConnectionConfig);
I am trying to run mvn install from command prompt I am getting the below exception.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.Validator
Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPath
BuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1836)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
java:1337)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.jav
a:154)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:966)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.
java:1262)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1289
)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1273
)
at org.apache.maven.wagon.providers.http.httpclient.conn.ssl.SSLConnecti
onSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:280)
at org.apache.maven.wagon.providers.http.httpclient.impl.conn.HttpClient
ConnectionOperator.upgrade(HttpClientConnectionOperator.java:167)
at org.apache.maven.wagon.providers.http.httpclient.impl.conn.PoolingHtt
pClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:329)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.MainC
lientExec.establishRoute(MainClientExec.java:392)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.MainC
lientExec.execute(MainClientExec.java:218)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.Proto
colExec.execute(ProtocolExec.java:194)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.Retry
Exec.execute(RetryExec.java:85)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.Redir
ectExec.execute(RedirectExec.java:108)
at org.apache.maven.wagon.providers.http.httpclient.impl.client.Internal
HttpClient.doExecute(InternalHttpClient.java:186)
at org.apache.maven.wagon.providers.http.httpclient.impl.client.Closeabl
eHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.maven.wagon.providers.http.AbstractHttpClientWagon.execute
(AbstractHttpClientWagon.java:756)
at org.apache.maven.wagon.providers.http.AbstractHttpClientWagon.fillInp
utData(AbstractHttpClientWagon.java:854)
... 8 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.jav
a:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.j
ava:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerIm
pl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustMan
agerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
java:1319)
... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCert
PathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 33 more
When I try to run mvn clean it is working properly.
I try to figure it out with google, that the above error is caused by certification error.
I download the InstallCert.java file and runned it and copy pasted the file into the "C:\Program Files\Java\jdk1.7.0\bin"
But still am getting the certification error.
Am I doing anything wrong?
I found out that you need to enable the server setting in the settings.xml file.
For example:
<server>
<id>deploymentRepo</id>
<username>****</username>
<password>****</password>
</server>
This allowed me to overcome the SSL certificate error.
solution downloading root ca ssl certificate and install it into cacerts file of your jre which is used by maven!Checkout this full answer it is quite descriptive.
My company keeps the Maven dependencies on a server that has an invalid SSL certificate. We must use https to connect. When I try to run Maven, it cannot download the resources.
I know the name of the site I am trying to go to. I'd be happy to either add a security exception for the site, or just shut off all the validation of ssl certificates so that all https sites will be considered valid.
I am using Maven 3.0.4.
Here are some highlights of the stack trace when I try to build:
Caused by: org.sonatype.aether.transfer.ArtifactTransferException: Could not transfer artifact
org.apache.maven:maven-plugin-api:pom:2.0.6 from/to NexusExternal (<code>https</code>:
//mydumbcompanysbrokensite:8443/nexus/content/groups/public):
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target
...
Caused by: org.apache.maven.wagon.TransferFailedException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target
You can simply disable Maven SSL validation by adding these options to the command line :
-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true
We recently changed all the certificates and Jenkins seems to have been affected by that. It is unable to publish to confluence and it gives the following error:
ERROR: Publisher com.myyearbook.hudson.plugins.confluence.ConfluencePublisher aborted due to exception
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We use self signed certificates for our internal services. I added the new certificate into the trust store of the server running jenkins using the keytool command. The problem persist.
I am unable to track the source of the problem now.
Any help would be highly appreciated.
Thanks,
SanZig
I finally figured it out. It was a problem with the location of the trusted keystore.
It's better to always add the certificates into the /var/lib/jenkins/.keystore rather than adding in the PATH_TO_JAVA_HOME/jre/lib/security/cacerts. If you still want to add the certificate into the cacerts then an ARG should be added in the application's config file:
JAVA_ARGS="-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts"
Sometimes you may need to add the certificate in ~/.keystore
Connecting to the LDAP server over TLS fails with the exception
org.springframework.ldap.UncategorizedLdapException: Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:155)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:109)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:125)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:287)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:571)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:556)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:411)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:431)
I have checked the appropriate certificates are present in my key store and imported missing ones as described in PKIX path building failed while making SSL connection however I am still getting the exception. Any ideas?
Thanks,
Nigel
The problem is with the certificates produced by LDAP servers, this has been verified and issue now resolved.