Posted to users@cxf.apache.org by "KARR, DAVID" <dk...@att.com> on 2017/04/07 21:44:39 UTC
2-way auth with SSL, ClientBuilder, gets "unable to find valid certification path to requested target", but curl call works
I'm trying to use CXF ClientBuilder to make a call to a REST service on an SSL connection using 2-way auth.
I was having some trouble populating the keystore of the ClientBuilder because my key file was in the PKCS#1 format. After I converted the file to PKCS#8 format, I was able to build the client, but now I'm getting a "unable to find valid certification path to requested target" error when I try to make a connection. I didn't have any particular problem populating the truststore of the ClientBuilder, but that error message may indicate there's something wrong with it.
I'm able to make a "curl" call to the same URL using the given key and cert files, and that gets through the SSL handshake fine.
The details for my issue are at http://stackoverflow.com/questions/43268952/cxf-rest-client-call-with-2-way-auth-failing-with-unable-to-find-valid-certific .
Note that the last "Update" in the posting talks about how I turned on "-Djavax.net.debug=all", and it shows some suspicious debug output associated with that. It seems like it thinks the truststore "is" the cacerts file in my JDK, even though I created the truststore in memory from a single certificate, like this:
-------------------
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

// Empty in-memory JKS truststore; "changeit" is only the store password.
KeyStore trustStore = KeyStore.getInstance("jks");
trustStore.load(null, "changeit".toCharArray());
// buildCertFromFile: helper defined elsewhere (not shown) that parses the cert file.
Certificate cert = buildCertFromFile("<path to cert file>");
trustStore.setCertificateEntry("cert", cert);
...
ClientBuilder builder = ClientBuilder.newBuilder();
builder.trustStore(trustStore);
...
Client client = builder.build();
-------------------
Any idea what might be going wrong here?
RE: 2-way auth with SSL, ClientBuilder, gets "unable to find valid certification path to requested target", but curl call works
Posted by "KARR, DAVID" <dk...@att.com>.
> -----Original Message-----
> From: KARR, DAVID
> Sent: Friday, April 07, 2017 2:45 PM
> To: users@cxf.apache.org
> Subject: 2-way auth with SSL, ClientBuilder, gets "unable to find valid
> certification path to requested target", but curl call works
>
> I'm trying to use CXF ClientBuilder to make a call to a REST service on
> an SSL connection using 2-way auth.
>
> I was having some trouble populating the keystore of the ClientBuilder
> because my key file was in the PKCS#1 format. After I converted the
> file to PKCS#8 format, I was able to build the client, but now I'm
> getting a "unable to find valid certification path to requested target"
> error when I try to make a connection. I didn't have any particular
> problem populating the truststore of the ClientBuilder, but that error
> message may indicate there's something wrong with it.
>
> I'm able to make a "curl" call to the same URL using the given key and
> cert files, and that gets through the SSL handshake fine.
>
> The details for my issue are at
> http://stackoverflow.com/questions/43268952/cxf-rest-client-call-with-2-way-auth-failing-with-unable-to-find-valid-certific .
>
> Note that the last "Update" in the posting talks about how I turned on
> "-Djavax.net.debug=all", and it shows some suspicious debug output
> associated with that. It seems like it thinks the truststore "is" the
> cacerts file in my JDK, even though I created the truststore in memory
> from a single certificate, like this:
> -------------------
> KeyStore trustStore = KeyStore.getInstance("jks");
> trustStore.load(null, "changeit".toCharArray());
> Certificate cert = buildCertFromFile("<path to cert file>");
> trustStore.setCertificateEntry("cert", cert);
>
> ...
>
> ClientBuilder builder = ClientBuilder.newBuilder();
> builder.trustStore(trustStore);
> ...
> client = builder.build();
> -------------------
>
> Any idea what might be going wrong here?
If it matters, I've gotten past this. The key was properly integrating the key and cert into a keystore, some of which I just have to understand that it works, without understanding all the details. I did have to load the keystore in the ClientBuilder, but not the truststore.
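The thread never shows how the key and certificate were combined into the keystore that finally worked. The following is an added example (not the poster's code and not part of CXF) of the two stores a JAX-RS ClientBuilder needs for 2-way TLS: an identity keystore holding the PKCS#8 private key together with its certificate chain under one alias, and a truststore built from a single CA certificate exactly as in the original snippet. All file paths, the alias names, the "RSA" key algorithm and the target URL are placeholder assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

public class TwoWayTlsClient {

    // Placeholder paths (assumptions): substitute the real client cert, PKCS#8 key and server CA cert.
    static final String CLIENT_CERT_PEM = "<path to client cert .pem>";
    static final String CLIENT_KEY_PKCS8_PEM = "<path to PKCS#8 key .pem>";
    static final String SERVER_CA_PEM = "<path to server CA cert .pem>";

    /** Parses one X.509 certificate from a PEM or DER file. */
    static X509Certificate readCert(String path) throws Exception {
        byte[] bytes = Files.readAllBytes(Paths.get(path));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(bytes));
    }

    /**
     * Parses an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY"). A PKCS#1 file
     * ("BEGIN RSA PRIVATE KEY") is rejected here; it must be converted first, e.g.
     *   openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem
     */
    static PrivateKey readPkcs8Key(String path, String algorithm) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (pem.contains("BEGIN RSA PRIVATE KEY") || pem.contains("BEGIN EC PRIVATE KEY")) {
            throw new IllegalArgumentException("PKCS#1/SEC1 key; convert to PKCS#8 first");
        }
        String b64 = pem.replaceAll("-----BEGIN[^-]+-----", "")
                        .replaceAll("-----END[^-]+-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Identity keystore: the private key and its certificate chain under one alias. */
    static KeyStore buildKeyStore(PrivateKey key, X509Certificate cert, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, in-memory store
        // Without the chain, the entry is not a usable client identity for the handshake.
        ks.setKeyEntry("client", key, password, new Certificate[] { cert });
        return ks;
    }

    /** Truststore with the single CA certificate the server's chain must lead to. */
    static KeyStore buildTrustStore(X509Certificate caCert) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        ts.setCertificateEntry("server-ca", caCert);
        return ts;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        X509Certificate clientCert = readCert(CLIENT_CERT_PEM);
        PrivateKey clientKey = readPkcs8Key(CLIENT_KEY_PKCS8_PEM, "RSA"); // algorithm is an assumption
        KeyStore keyStore = buildKeyStore(clientKey, clientCert, pw);
        KeyStore trustStore = buildTrustStore(readCert(SERVER_CA_PEM));

        // Check before any handshake: the key entry must be readable with the same password.
        if (keyStore.getKey("client", pw) == null) {
            throw new IllegalStateException("client key entry missing from keystore");
        }

        Client client = ClientBuilder.newBuilder()
                .keyStore(keyStore, pw)   // client identity for 2-way auth
                .trustStore(trustStore)   // omit this to fall back to the JDK default trust store
                .build();
        try {
            String body = client.target("https://service.example.invalid/api/ping") // placeholder URL
                    .request().get(String.class);
            System.out.println(body);
        } finally {
            client.close();
        }
    }
}
```

The keystore password passed to keyStore() is the one used for setKeyEntry, and the getKey() check catches a mismatch before it shows up as a failed handshake. Whether trustStore() is needed depends on who issued the server certificate: if it chains to a CA already in the JDK's cacerts, as the reply above found, the default trust store suffices and only the identity keystore has to be supplied.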