Posted to users@tomcat.apache.org by Andy Ee <an...@singnet.com.sg> on 2012/05/03 19:20:58 UTC

Tomcat unable to validate SSL certificate authority

Dear all,

I am stuck with this problem for over a month now, and I have tried all ways but to no avail.

My Tomcat 6.0.32 is running in Solaris 10 and the JDK version is 1.6.0_21. I deployed a java program in Tomcat webapps/ which will post some results to a web server via an HTTPS URL. I received the following error in the catalina.out log.

[12-05-04 00:57:20] INFO  [http-8080-1]  Sending to (https://abc.test.com/payment/test.jsp) - timeout: 30000
[12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while send status to merchant status url! sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I downloaded and imported the required CA chain certificates into the java truststore cacerts but it does not help. 

Next, I tried to set JAVA_OPTS to point Tomcat to the cacerts as the truststore and it doesn't help either.

bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
root     25578  0.1 11.01145892903712 pts/8    S 00:55:57  2:14 /usr/java/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/logging.properties -Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dsun.net.inetaddr.ttl=0 -Djavax.net.ssl.keyStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed -classpath /usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar -Dcatalina.base=/usr/local/apache-tomcat-6.0.32 -Dcatalina.home=/usr/local/apache-tomcat-6.0.32 -Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.32/temp org.apache.catalina.startup.Bootstrap start

The CA certificates were imported into cacerts using the following keytool command.

keytool -import -trustcacerts -keystore cacerts -file root.cer -alias BuiltinObjectToken-GoDaddyClass2CA
keytool -import -trustcacerts -keystore cacerts -file inter.cer -alias GoDaddySecureCertificationAuthority

I also tried to verify by using TestSSL.java and InstallCert.java and both could locate the CA certificates in cacerts. Therefore I am suspecting that Tomcat is not using cacerts properly.

Any help is greatly appreciated!

Regards,
Andii

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Tomcat unable to validate SSL certificate authority

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Andy Ee [mailto:andii@singnet.com.sg] 
> Subject: Tomcat unable to validate SSL certificate authority

> I received the following error in the catalina.out log.

"Logging" to stdout is bad practice for anyone's webapp.

> Therefore I am suspecting that Tomcat is not using cacerts properly.

Therefore you are wrong, since Tomcat isn't using the JVM's cacerts file at all.  It's your application that's making the outbound HTTPS request - Tomcat isn't involved.  You need to investigate the code that's making the outbound request; running it outside of Tomcat in a standalone program will probably be an easier environment to debug.  Once that's working, then try it again in a webapp.

 - Chuck



Re: Tomcat unable to validate SSL certificate authority

Posted by Andy Ee <an...@singnet.com.sg>.
Hi,

Thanks for all the inputs. I found that another war file in webapps/ has set environment to point to its own keystore, thus it overwrites the JAVA_OPTS somehow. Now that I have imported the certificates into that "keystore" as well, everything works!

Regards,
Andii

--- André Warnier <aw...@ice-sa.com> wrote:

> Andy Ee wrote:
> > Dear all,
> > 
> > I am stuck with this problem for over a month now, and I have
> tried all ways but to no avail.
> > 
> > My Tomcat 6.0.32 is running in Solaris 10 and the JDK version is
> 1.6.0_21. I deployed a java program in Tomcat webapps/ which will
> post some results to a web server via a HTTPS url. 
> 
> So it is *this webapp* which is creating a HTTPS connection to some
> other webserver, and 
> sending it some data, right ?
> 
> 
> > I received the following error in the catalina.out log.
> > 
> > [12-05-04 00:57:20] INFO  [http-8080-1]  Sending to
> (https://abc.test.com/payment/test.jsp) - timeout: 30000
> > [12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while
> send status to merchant status url!
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> 
> and this is a log message *from the webapp*, right ?
> 
> > 
> > I downloaded and imported the required CA chain certificates into
> the java truststore cacerts but it does not help. 
> > 
> > Next, I tried to set JAVA_OPTS to point Tomcat to the cacerts as
> the truststore and it doesn't help either.
> > 
> > bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
> > root     25578  0.1 11.01145892903712 pts/8    S 00:55:57  2:14
> /usr/java/bin/java
> -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/logging.properties
> -Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC
> -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts
> -Djavax.net.ssl.trustStorePassword=changeit -Dsun.net.inetaddr.ttl=0
> -Djavax.net.ssl.keyStore=/usr/java/jre/lib/security/cacerts
> -Djavax.net.ssl.keyStorePassword=changeit
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed
> -classpath /usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar
> -Dcatalina.base=/usr/local/apache-tomcat-6.0.32
> -Dcatalina.home=/usr/local/apache-tomcat-6.0.32
> -Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.32/temp
> org.apache.catalina.startup.Bootstrap start
> > 
> > The CA certificates were imported into cacerts using the following
> keytool command.
> > 
> > keytool -import -trustcacerts -keystore cacerts -file root.cer
> -alias BuiltinObjectToken-GoDaddyClass2CA
> > keytool -import -trustcacerts -keystore cacerts -file inter.cer
> -alias GoDaddySecureCertificationAuthority
> > 
> > I also tried to verify by using TestSSL.java and InstallCert.java
> and both could locate the CA certificates in cacerts. 
> > Therefore I am suspecting that Tomcat is not using cacerts
> properly.
> 
> And this is probably where you are making the wrong analysis.
> 
> According to your own description above, the only thing in common
> between your webapp and 
> Tomcat, is that they are run by the same JVM.
> Tomcat per se has nothing to do with whatever your webapp makes as
> connections to anything 
> else.  Tomcat does not even know about this. No Tomcat code is
> involved in setting up that 
> connection or using it.
> It is matter for your webapp and the JVM alone.
> In other words, if your webapp was a stand-alone Java program
> instead of being a webapp, 
> you would get exactly the same error.
> 
> I have no idea what the problem really is, but it seems to me that
> by mentally leaving 
> Tomcat out of the equation, you may be able to figure it out by
> yourself quicker.
> 
> For example, extract out of that webapp the code which is setting up
> that HTTPS 
> connection, and make it into a standalone program.  Then run it with
> the same Java options 
> as you do with Tomcat above, and see what you get.


Re: Tomcat unable to validate SSL certificate authority

Posted by André Warnier <aw...@ice-sa.com>.
Andy Ee wrote:
> Dear all,
> 
> I am stuck with this problem for over a month now, and I have tried all ways but to no avail.
> 
> My Tomcat 6.0.32 is running in Solaris 10 and the JDK version is 1.6.0_21. I deployed a java program in Tomcat webapps/ which will post some results to a web server via a HTTPS url. 

So it is *this webapp* which is creating a HTTPS connection to some other webserver, and 
sending it some data, right ?


> I received the following error in the catalina.out log.
> 
> [12-05-04 00:57:20] INFO  [http-8080-1]  Sending to (https://abc.test.com/payment/test.jsp) - timeout: 30000
> [12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while send status to merchant status url! sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

and this is a log message *from the webapp*, right ?

> 
> I downloaded and imported the required CA chain certificates into the java truststore cacerts but it does not help. 
> 
> Next, I tried to set JAVA_OPTS to point Tomcat to the cacerts as the truststore and it doesn’t help either.
> 
> bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
> root     25578  0.1 11.01145892903712 pts/8    S 00:55:57  2:14 /usr/java/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/logging.properties -Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dsun.net.inetaddr.ttl=0 -Djavax.net.ssl.keyStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed -classpath /usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar -Dcatalina.base=/usr/local/apache-tomcat-6.0.32 -Dcatalina.home=/usr/local/apache-tomcat-6.0.32 -Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.32/temp org.apache.catalina.startup.Bootstrap start
> 
> The CA certificates were imported into cacerts using the following keytool command.
> 
> keytool -import -trustcacerts -keystore cacerts -file root.cer -alias BuiltinObjectToken-GoDaddyClass2CA
> keytool -import -trustcacerts -keystore cacerts -file inter.cer -alias GoDaddySecureCertificationAuthority
> 
> I also tried to verify by using TestSSL.java and InstallCert.java and both could locate the CA certificates in cacerts. 
> Therefore I am suspecting that Tomcat is not using cacerts properly.

And this is probably where you are making the wrong analysis.

According to your own description above, the only thing in common between your webapp and 
Tomcat, is that they are run by the same JVM.
Tomcat per se has nothing to do with whatever your webapp makes as connections to anything 
else.  Tomcat does not even know about this. No Tomcat code is involved in setting up that 
connection or using it.
It is matter for your webapp and the JVM alone.
In other words, if your webapp was a stand-alone Java program instead of being a webapp, 
you would get exactly the same error.

I have no idea what the problem really is, but it seems to me that by mentally leaving 
Tomcat out of the equation, you may be able to figure it out by yourself quicker.

For example, extract out of that webapp the code which is setting up that HTTPS 
connection, and make it into a standalone program.  Then run it with the same Java options 
as you do with Tomcat above, and see what you get.
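The standalone check André suggests above, and the root cause Andy reports (another webapp in the same JVM pointing javax.net.ssl.trustStore at its own keystore), as an added example that is not code from the thread. It is written in Java 6 syntax to match the JDK in the thread and assumes only the standard JSSE API: it resolves the trust store the same way the default TrustManagerFactory does (javax.net.ssl.trustStore, else jssecacerts, else cacerts), lists the CA entries whose subject matches a fragment such as "Go Daddy", and, if a URL is given, makes a HEAD request through an SSLContext built explicitly from that store rather than the JVM-wide default. The class name, the command-line arguments and the default "Go Daddy" filter are assumptions for the example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Standalone trust-store check (example code, not from the thread; Java 6 syntax).
 * Run it with the same -D options as the Tomcat JVM, for example:
 *
 *   java -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts \
 *        -Djavax.net.ssl.trustStorePassword=changeit \
 *        TrustStoreCheck https://abc.test.com/payment/test.jsp "Go Daddy"
 *
 * With no arguments it only lists the matching CA entries.
 */
public class TrustStoreCheck {

    /* Pick the trust store file the way JSSE's default TrustManagerFactory does:
     * javax.net.ssl.trustStore if set, else jssecacerts, else cacerts. */
    static String resolveTrustStorePath() {
        String p = System.getProperty("javax.net.ssl.trustStore");
        if (p != null) {
            return p;
        }
        String sec = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator;
        if (new File(sec + "jssecacerts").exists()) {
            return sec + "jssecacerts";
        }
        return sec + "cacerts";
    }

    static KeyStore loadTrustStore() throws Exception {
        String path = resolveTrustStorePath();
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pw.toCharArray());
        } finally {
            in.close();
        }
        System.out.println("trust store in use: " + path + " (" + ks.size() + " entries)");
        return ks;
    }

    /* Aliases whose certificate subject contains the fragment, case-insensitive. */
    static List<String> findAliases(KeyStore ks, String subjectFragment) throws Exception {
        List<String> hits = new ArrayList<String>();
        String needle = subjectFragment.toLowerCase();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                String subject = ((X509Certificate) c).getSubjectX500Principal().getName();
                if (subject.toLowerCase().contains(needle)) {
                    hits.add(alias + "  " + subject);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore();
        List<String> hits = findAliases(ks, args.length > 1 ? args[1] : "Go Daddy");
        System.out.println(hits.size() + " matching CA entries:");
        for (String hit : hits) {
            System.out.println("  " + hit);
        }
        if (args.length == 0) {
            return;
        }
        /* Build the SSLContext explicitly from the store loaded above instead of
         * relying on the JVM-wide default. javax.net.ssl.* are plain system
         * properties, so a System.setProperty(...) in any other webapp in the same
         * JVM changes them for everyone, and the default SSLContext reads them only
         * once, when it is first initialised. */
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(30000);
        conn.setReadTimeout(30000);
        conn.setRequestMethod("HEAD");
        /* A PKIX "unable to find valid certification path" failure surfaces here. */
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[0]);
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("  server sent: " + ((X509Certificate) c).getSubjectX500Principal());
        }
    }
}
```

If the listing shows the GoDaddy entries but the request still fails, compare the "trust store in use" line with the path printed when the same class runs inside the webapp: a differing path is the symptom of another webapp calling System.setProperty on javax.net.ssl.trustStore. Only the trust store matters for validating the remote server; the -Djavax.net.ssl.keyStore options in the ps output configure the client's own certificate and are not needed for this check.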
