Posted to users@tomcat.apache.org by jairaj kamal <ja...@gmail.com> on 2015/05/11 20:24:21 UTC

SSL Handshake Exceptions

Hi,

I had earlier configured self-signed certs on the Tomcat version 6 app server
and was able to navigate with HTTPS.
Now when I try accessing the above app server URL via the load balancer web server, I
see handshake exceptions in the logs. Is there any setting required at the
web server end?

*I get the exceptions below*

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at com.redwood.r2w.webservices.email.RWEmailSOAPStub.validateWebService(RWEmailSOAPStub.java:362)
    at com.redwood.r2w.component.manager.WsManager.validateEmailWebServiceUrl(WsManager.java:105)
    at com.redwood.r2w.component.manager.WSValidatorRunnable.run(WSValidatorRunnable.java:18)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 31 more


*Jairaj Kamal*

Re: SSL Handshake Exceptions

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Andy,

On 5/11/15 4:50 PM, Andy Wang wrote:
> Honestly, I'm going to be a little purposefully obtuse here. 
> Manipulating your trust store is a security step.  You really need
> to understand what you're doing and why, so I'd suggest you do some
> google searches to read up on it using keywords pulled out of my
> original response.

+1

> I will add one more thing.  Your original stack trace showed the 
> webserver to be some com.redwood.r2w class.  Quick googling finds
> that this is some commercial product.  You might want to try the
> support channels from your vendor as they may have special
> instructions for trusting self-signed certs.

Also, the underlying library is Apache Components HttpClient. You
probably won't just be able to set a system-wide trust-store and be
able to use that. I agree with Andy that you should contact your
vendor about how to configure trust for remote websites (the one with
the self-signed certificate).

-chris

> On 05/11/2015 02:30 PM, jairaj kamal wrote:
>> Hi,
>> 
>> Can you share the steps to import the certificate into the
>> jssecacerts truststore? My client is the web server.
>> 
>> *Jairaj Kamal*
>> 
>> 
>> On Mon, May 11, 2015 at 2:16 PM, Andy Wang <aw...@ptc.com>
>> wrote:
>> 
>>> 
>>> 
>>> On 05/11/2015 01:24 PM, jairaj kamal wrote:
>>> 
>>>> javax.net.ssl.SSLHandshakeException: 
>>>> sun.security.validator.ValidatorException: PKIX path building
>>>> failed: 
>>>> sun.security.provider.certpath.SunCertPathBuilderException:
>>>> unable to find valid certification path to requested target
>>>> 
>>> 
>>> This usually means that the ssl client (the client that's
>>> originating the direct connection to the ssl server) is unable
>>> to construct a proper certificate trust path for the server.
>>> 
>>> As you noted, you used a self-signed cert.  This means that you
>>> need to import the certificate into the jssecacerts truststore
>>> (or if your client has its own truststore, it needs to be
>>> imported there).
>>> 
>>> Andy
>>> 
>>> 
>> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL Handshake Exceptions

Posted by Andy Wang <aw...@ptc.com>.
Honestly, I'm going to be a little purposefully obtuse here. 
Manipulating your trust store is a security step.  You really need to 
understand what you're doing and why, so I'd suggest you do some google 
searches to read up on it using keywords pulled out of my original response.

I will add one more thing.  Your original stack trace showed the 
webserver to be some com.redwood.r2w class.  Quick googling finds that 
this is some commercial product.  You might want to try the support 
channels from your vendor as they may have special instructions for 
trusting self-signed certs.

Andy


On 05/11/2015 02:30 PM, jairaj kamal wrote:
> Hi,
>
> Can you share the steps to import the certificate into the jssecacerts
> truststore? My client is the web server.
>
> *Jairaj Kamal*
>
>
> On Mon, May 11, 2015 at 2:16 PM, Andy Wang <aw...@ptc.com> wrote:
>
>>
>>
>> On 05/11/2015 01:24 PM, jairaj kamal wrote:
>>
>>> javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>> valid certification path to requested target
>>>
>>
>> This usually means that the ssl client (the client that's originating the
>> direct connection to the ssl server) is unable to construct a proper
>> certificate trust path for the server.
>>
>> As you noted, you used a self-signed cert.  This means that you need to
>> import the certificate into the jssecacerts truststore (or if your client
>> has its own truststore, it needs to be imported there).
>>
>> Andy
>>
>>
>



Re: SSL Handshake Exceptions

Posted by jairaj kamal <ja...@gmail.com>.
Hi,

Can you share the steps to import the certificate into the jssecacerts
truststore? My client is the web server.

*Jairaj Kamal*


On Mon, May 11, 2015 at 2:16 PM, Andy Wang <aw...@ptc.com> wrote:

>
>
> On 05/11/2015 01:24 PM, jairaj kamal wrote:
>
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>>
>
> This usually means that the ssl client (the client that's originating the
> direct connection to the ssl server) is unable to construct a proper
> certificate trust path for the server.
>
> As you noted, you used a self-signed cert.  This means that you need to
> import the certificate into the jssecacerts truststore (or if your client
> has it's own truststore, it needs to be imported there).
>
> Andy
>
>

Re: SSL Handshake Exceptions

Posted by Andy Wang <aw...@ptc.com>.

On 05/11/2015 01:24 PM, jairaj kamal wrote:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target

This usually means that the ssl client (the client that's originating 
the direct connection to the ssl server) is unable to construct a proper 
certificate trust path for the server.

As you noted, you used a self-signed cert.  This means that you need to 
import the certificate into the jssecacerts truststore (or if your 
client has its own truststore, it needs to be imported there).

Andy


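Andy's point above (it is the SSL client that must build a trust path to the server, so a self-signed cert has to be imported into the truststore that client actually consults) and Chris's earlier caveat (a system-wide truststore may not be the one this client uses) are easiest to see in a small reproduction. The following is an added example, not code from the thread, from Tomcat or from Axis. It is written in Go rather than Java only because Go's standard library can mint a self-signed certificate in-process, so the whole thing runs offline; the hostnames app.example.internal and lb.example.internal, the listener on loopback and the label strings are assumptions. It also goes one step beyond the thread: the third case shows what happens once the name clients use (the load balancer's) is not in the certificate, which importing the cert does not fix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed hostnames: the app server's own name, and the load balancer name clients now use.
const appHost, lbHost = "app.example.internal", "lb.example.internal"

func must(err error) { // setup failures (key generation, listen) are not part of the demo
	if err != nil {
		panic(err)
	}
}

// newSelfSigned mints a self-signed server cert for hosts, standing in for the one made for Tomcat.
func newSelfSigned(hosts []string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hosts[0]},
		DNSNames:              hosts, // hostname verification looks at SANs, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// serve listens on loopback presenting cert; whether it is trusted is decided entirely by the client.
func serve(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			c.Write([]byte("hello\n")) // drives the handshake; a rejecting client surfaces as an error here
			c.Close()
		}
	}()
	return ln
}

// verdict dials addr expecting serverName, trusting only roots, and labels the outcome.
// "unknown authority" is Go's form of Java's "unable to find valid certification path".
func verdict(addr, serverName string, roots *x509.CertPool) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots})
	if err == nil {
		conn.Close()
		return "ok"
	}
	switch {
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown authority"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	}
	return err.Error()
}

// runScenarios reproduces the thread's failure, the truststore-import fix, and the
// hostname check that bites once clients connect through the load balancer.
func runScenarios() map[string]string {
	serverCert, serverLeaf := newSelfSigned([]string{appHost})
	ln := serve(serverCert)
	defer ln.Close()
	addr := ln.Addr().String()
	// A trust store without our cert is what a stock cacerts is to a self-signed server,
	// however many public CAs it holds; an empty pool models that.
	stock := x509.NewCertPool()
	// The fix: the server's own cert imported into the client's trust store
	// (what keytool -importcert does for a JKS truststore).
	imported := x509.NewCertPool()
	imported.AddCert(serverLeaf)
	return map[string]string{
		"stock truststore":       verdict(addr, appHost, stock),
		"imported, app hostname": verdict(addr, appHost, imported),
		"imported, lb hostname":  verdict(addr, lbHost, imported),
	}
}

func main() { fmt.Println(runScenarios()) }
```

Run it with `go run`; the first case is the thread's error, the second is Andy's fix, and the third is the caveat: once the client connects to the load balancer's name, the certificate must carry that name as a SAN (or be re-issued), and no truststore change helps. On the JDK side the `imported` pool corresponds to `keytool -importcert -alias <alias> -file <server-cert> -keystore <truststore>`, and a plain JSSE client can be pointed at that file with the `javax.net.ssl.trustStore` system property; whether a given library honours that property depends on how it builds its SSLSocketFactory (the trace shows Axis's own JSSESocketFactory in play), which is why Chris suggests checking with the vendor rather than assuming a system-wide store will be consulted.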