4

I have a very weird issue and looking for some tips. I have a certificate sent by client that I need to install so I can access HTTPS webservice. The certifcate has been installed, in both windows and Linux OS. using keytool command

keytool -import -alias ca -file somecert.cer -keystore cacerts –storepass changeit

when i deploy my application in windows tomcat I can communicate with HTTPS web server. However Linux tomcat gives me and error:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)

This means it couldn't find the certifcate. The certifcate is at java security cacerts. I have used keytool -list command and it is there.

I have no idea why it works in windows and not linux. I have tried setting the paramaters in the My servlet

System.setProperty("javax.net.debug", "all"); 
System.setProperty("javax.net.ssl.trustStore", "/usr/java/jdk1.5.0_14/jre/lib/security/cacerts"); 
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

It still doesn't work.

My questions are:

1.Anyone has any idea why this isn't working, I have tired everything?

2.How do you enbale SSL debuging for tomcat.Ss setting System.setProperty("javax.net.debug", "all") works ? For some reason I don't see any SSL debug Info in Catalina.out. Do I need to change anything else.What kind of debug info should i see.

Any help is greatly appericated I am out of ideas.

Mikael Engver
  • 4,378
  • 4
  • 43
  • 52
user1088352
  • 361
  • 2
  • 4
  • 10
  • Did you configure SSL in Tomcat? By default it isn't running. – Brian Dec 08 '11 at 19:23
  • is there a SSL client in tomcat, If there is i think it is running beacuse I have other HTTPS coomunication whihch work fine. only this one doesn't work. Could you help me check if it is running. Tomcat is a client here. I know for tomcat SSL server there are soem configuration – user1088352 Dec 08 '11 at 19:32
  • 1
    Could you clarify "I have a certificate sent by client"? Are you talking about client certificates? It sounds that your application (running within Tomcat) is a client that connects to another server (and thus has little to do with Tomcat itself). Is it the case? – Bruno Dec 08 '11 at 19:37
  • Thats exactly what your saying Bruno. MY application (running within Tomcat) is a client that connects to another server (and thus has little to do with Tomcat itself). The applciation is a WAR depolyed on tomcat.tomcat uses JRE 5 which i have certifcate installed, – user1088352 Dec 08 '11 at 19:44
  • 1
    Any tips how Do i debug this? or activate SSL debug – user1088352 Dec 09 '11 at 15:04
  • Are you 100% sure that it is the webserver that is the issue and not a problem with the application not accepting the certificates? – Brian Dec 09 '11 at 16:40

2 Answers2

6

To solve this problem you could try the following

Download SSLPoke.java

SSLPoke.java

Compile it:

javac SSLPoke.java

Once you compile code call SSLPoke as

java -Djavax.net.debug=all SSLPoke [your https host] 443

In the output you will see where java is looking for cacerts.

Once you know the exact location use keytool to import your file to cacerts

keytool -import -alias [your https host] -keystore [the location returned]/cacerts -file [your.crt]

And that is all, restart tomcat and it must be working right.

Some times when you have lot of java versions on the same Linux machine even adding [your.crt] to the cacerts returned by debug does not work, if this is the case add [your.crt] to all cacerts on the Linux machine you can find them all with:

locate cacert

once the Linux machine return all the locations of cacerts for example:

/home/xuser/NetBeansProjects/porjectx/conf/cacerts
/opt/otherlocation/j2sdkee1.3.1/lib/security/cacerts.jks
/opt/icedtea-bin-6.1.12.7/jre/lib/security/cacerts
/opt/icedtea-bin-6.1.13.5/jre/lib/security/cacerts
/opt/icedtea-bin-7.2.4.1/jre/lib/security/cacerts
/opt/oracle-jdk-bin-1.7.0.76/jre/lib/security/cacerts
/opt/sun-j2ee-1.3.1/lib/security/cacerts.jks

add [your.crt] to all of them with keytool and restart tomcat.

If you dont have the file your.crt you can get it with command

openssl s_client -connect [your https host]:443 < /dev/null

and copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----

I hope this help you

sbasurto
  • 63
  • 1
  • 5
0

Have you inspected the certificate itself to see if there are any root certificates missing in the Certificate Path?

Also, keep in mind that if you're pointing to Java's built-in cacerts and you go to update Java, your cert(s) will get overwritten. I typically use an alternate keystore location for this reason.

Matt Borja
  • 1,451
  • 17
  • 38