Posted to users@cxf.apache.org by "KARR, DAVID" <dk...@att.com> on 2017/04/07 21:44:39 UTC

2-way auth with SSL, ClientBuilder, gets "unable to find valid certification path to requested target", but curl call works

I'm trying to use CXF ClientBuilder to make a call to a REST service on an SSL connection using 2-way auth.

I was having some trouble populating the keystore of the ClientBuilder because my key file was in the PKCS#1 format.  After I converted the file to PKCS#8 format, I was able to build the client, but now I'm getting a "unable to find valid certification path to requested target" error when I try to make a connection.  I didn't have any particular problem populating the truststore of the ClientBuilder, but that error message may indicate there's something wrong with it.

I'm able to make a "curl" call to the same URL using the given key and cert files, and that gets through the SSL handshake fine.

The details for my issue are at http://stackoverflow.com/questions/43268952/cxf-rest-client-call-with-2-way-auth-failing-with-unable-to-find-valid-certific.

Note that the last "Update" in the posting talks about how I turned on "-Djavax.net.debug=all", and it shows some suspicious debug output associated with that.  It seems like it thinks the truststore "is" the cacerts file in my JDK, even though I created the truststore in memory from a single certificate, like this:
-------------------
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.ws.rs.client.ClientBuilder;

// Empty in-memory JKS truststore that holds only the server's certificate
KeyStore trustStore = KeyStore.getInstance("jks");
trustStore.load(null, "changeit".toCharArray());
Certificate cert = buildCertFromFile("<path to cert file>"); // buildCertFromFile() is not shown in the post
trustStore.setCertificateEntry("cert", cert);

...

ClientBuilder builder = ClientBuilder.newBuilder();
builder.trustStore(trustStore);
...
client = builder.build();
-------------------

Any idea what might be going wrong here?

RE: 2-way auth with SSL, ClientBuilder, gets "unable to find valid certification path to requested target", but curl call works

Posted by "KARR, DAVID" <dk...@att.com>.
> -----Original Message-----
> From: KARR, DAVID
> Sent: Friday, April 07, 2017 2:45 PM
> To: users@cxf.apache.org
> Subject: 2-way auth with SSL, ClientBuilder, gets "unable to find valid
> certification path to requested target", but curl call works
> 
> I'm trying to use CXF ClientBuilder to make a call to a REST service on
> an SSL connection using 2-way auth.
> 
> I was having some trouble populating the keystore of the ClientBuilder
> because my key file was in the PKCS#1 format.  After I converted the
> file to PKCS#8 format, I was able to build the client, but now I'm
> getting a "unable to find valid certification path to requested target"
> error when I try to make a connection.  I didn't have any particular
> problem populating the truststore of the ClientBuilder, but that error
> message may indicate there's something wrong with it.
> 
> I'm able to make a "curl" call to the same URL using the given key and
> cert files, and that gets through the SSL handshake fine.
> 
> The details for my issue are at
> http://stackoverflow.com/questions/43268952/cxf-rest-client-call-with-2-way-auth-failing-with-unable-to-find-valid-certific.
> 
> Note that the last "Update" in the posting talks about how I turned on
> "-Djavax.net.debug=all", and it shows some suspicious debug output
> associated with that.  It seems like it thinks the truststore "is" the
> cacerts file in my JDK, even though I created the truststore in memory
> from a single certificate, like this:
> -------------------
> KeyStore trustStore = KeyStore.getInstance("jks");
> trustStore.load(null, "changeit".toCharArray());
> Certificate cert = buildCertFromFile("<path to cert file>");
> trustStore.setCertificateEntry("cert", cert);
> 
> ...
> 
> ClientBuilder builder = ClientBuilder.newBuilder();
> builder.trustStore(trustStore);
> ...
> client = builder.build();
> -------------------
> 
> Any idea what might be going wrong here?

If it matters, I've gotten past this.  The key was properly integrating the key and cert into a keystore, some of which I just have to understand that it works, without understanding all the details.  I did have to load the keystore in the ClientBuilder, but not the truststore.
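The resolution above (a keystore that carries the PKCS#8 key together with its certificate chain, set on the ClientBuilder, with the truststore left at the JDK default), written out as an added example; this is not code from the thread or from CXF. It assumes an RSA key in unencrypted PKCS#8 PEM and a PEM file holding the client certificate, optionally followed by its intermediates; the class and method names are illustrative.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

public class MutualTlsClient {

    // Reads an unencrypted PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----"). A PKCS#1 file
    // ("BEGIN RSA PRIVATE KEY") is not accepted by KeyFactory; convert it first with
    // openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pk8
    static PrivateKey loadPkcs8Key(Path pem) throws Exception {
        String body = new String(Files.readAllBytes(pem), "US-ASCII")
                .replaceAll("-----(BEGIN|END) [A-Z ]+-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Client keystore: the private key stored together with its certificate chain
    // under a single alias, which is what the TLS stack needs to present a client cert.
    static KeyStore buildKeyStore(Path keyPem, Path certPem, char[] password) throws Exception {
        Certificate[] chain;
        try (InputStream in = Files.newInputStream(certPem)) {
            chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new Certificate[0]);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);   // initialise an empty in-memory keystore
        ks.setKeyEntry("client", loadPkcs8Key(keyPem), password, chain);
        return ks;
    }

    // Only the keystore is set; the server certificate is then checked against the
    // JDK default truststore (cacerts), which is the setup that worked in the thread.
    static Client buildClient(Path keyPem, Path certPem, char[] password) throws Exception {
        return ClientBuilder.newBuilder()
                .keyStore(buildKeyStore(keyPem, certPem, password), password)
                .build();
    }
}
```

If the server certificate chains to a private CA rather than one in cacerts, the same "unable to find valid certification path" error returns and a truststore containing that CA must also be passed via trustStore(...).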