I am using below lines of code to verify broken links
huc = (HttpURLConnection) (new URL(url).openConnection());
huc.setRequestMethod("HEAD");
huc.setReadTimeout(5000);
huc.connect();
respCode = huc.getResponseCode();
when script enters huc.connect() line , it throws below exception.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I solve it? I need to run this script locally and also in github actions pipeline.
You get this error when your Website certificate is not added to Trusted store. Please follow below step to add certificate to trusted store.
Open the website and Download the certificate by clicking on the lock icon->Connection is secure->Certification-> click on the root->Certification path->Copy to file-> and store in your local system with an alias name.
Now you need to add certificate to $JAVA_HOME\lib\security\cacerts using below command
keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>
eg:
keytool -import -noprompt -trustcacerts -alias myaddedcertaliasname
-file /localsystempath/to/my/cert/myCert.cer -keystore /path/to/my/jdk/jre/lib/security/cacerts/keystore.jks -storepass
changeit
Please note the default password for key store is changeit.
Once you import the certificate to your key store you should no more get this error
Related
Recently We have enabled SSL on AEM and after that we are facing issue to connect with third party services.
For some services we are getting
javax.net.ssl.SSLException: java.security.ProviderException: Could not derive key
Any pointers on how to resolve this issue?
Thanks,
Nidhi
I had this issue a while ago. The cert file was not installed to the java keystore in my case.
Ensure the cert file is installed to the java keystore. This command will list the installed certs, check if your cert is in there, you can search by the alias that was used to install the cert.
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
This will help you import to keystore if cert is not installed
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
You can also search by the alias that was used to install the cert
keytool -list -v -keystore keystore.jks -alias youralias
If you have multiple versions of java installed, ensure java_home points to the location of java where the cert is installed. Also check if PATH contains the same path.
I have been attempting to help one of our sites with an error message they are getting while using an application that uses Glassfish. When signing into the application, the following errors are thrown:
CommunicationException: An error occurred while making the HTTP request to . This could be due to the fact that the server certificate is notconfigured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
In Server.log, the following is displayed:
0400|SEVERE|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=287;_ThreadName=Thread-1;|Failed to load keystore type JKS with path C:\glassfishv3\glassfish\domains\domain1/config/keystore.jks due to Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
The site is only experiencing this problem when they change the glassfish master password. When the master password is left as its default setting, everything works correctly. The default master password is "changeit".
Additionally, the site generates and imports a certificate for use with glassfish. The following are the steps that are performed, in order, for generating a certificate and changing the password:
Stopped Glassfish service.
Opened MMC.MSC: Action --> All Tasks --> Request New Certificate
From the Certificate Enrollment wizard, chose a Computer type certificate. Click Properties Button and configure certificate. It gets a friendly name of "s1as" and an exportable private key of key size 2048. Private key is exported as a pfx file and certificate is exported as a cer file. The files are saved in the glassfish config folder. Details about this process available if needed.
DOS prompt opened and this command is run inside the glassfish config folder:
keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
Following command is run:
keytool -import -v -trustcacerts -alias -file root.cer -keystore cacerts.jks -storepass changeit
Answered "Y" to trust the certificate.
Ran the following command to replace the original self-signed certificate with the pfx one.
keytool -importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Entered password, and a success message appears afterwards that 1 entry was succesfully imported.
Ran this command:
keytool -list -keystore keystore.jks -rfc
A lot of output is produced, including a long Alias name. Thsi long alias is used in the next command.
Ran the following command:
keytool -changealias -alias "" -destalias "s1as" -keypass changeit -keystore keystore.jks -storepass changeit
Ran the following command in asadmin:
change-master-password --savemasterpassword=true
Entered Current password of "changeit"
Entered new password of 123456
Re-entered 123456.
Success message that master password changed succesfully.
Started glassfish service
In my local testing, this procedure has worked and I am able to use the application with no errors. But on the site I am aiding, when they follow the same process, they receive the errors I listed at the top of this message.
My specific questions:
Could the site's certificate be causing this problem? If so, is there a way I could test that the certificate is the issue?
What other things might potentially be generating the errors? Could the "change-master-password" command not be properly changing the password, or could there be something else that needs to have the password changed as well?
I have found the solution to this, and I am posting it here should someone in the future encounter the same issue that I have. Hopefully this will save someone much frustration some day.
In domain.xml, the following 2 lines needed to be added in the jvm-options area.
<jvm-options>-Djavax.net.ssl.keyStorePassword=[password]</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStorePassword=[password]</jvm-options>
While I'm trying to register with my phone, I'm getting this error:
Authentication Failed
UPDATE 3.18.14;
Okay , i compiled .apk file correctly with correct .bks file .Still i'm getting same error ! Should i change hosts file in my phone(samsung NOTE 3) ?
NOTES:
In application conf, server address: 192.168.1.100
I can connect on mobile browser with https://192.168.1.100:9443
Just execute this command.
keytool -importkeystore -srckeystore CA.p12 -srcstoretype PKCS12
-destkeystore wso2mobilemdm.jks
CA needs to be the one you have used to sign your SSL certificate.
try creating all certificate in one folder.before creating ,just copy wso2carbon.jsk and client-truststore.jks in that folder.
try only single password wherever ask. but in last step use wso2_mobile when it ask.
copy wso2carbon.jsk, client-truststore.jks and wso2mobilemdm.jks from that folder to repository/resources/security folder to overwrite.
then in that folder copy bcprov-jdk15on-149.jar and run following command in that folder.
keytool -importcert -trustcacerts -keystore emm_truststore.bks -storetype bks -storepass wso2carbon -file ca_cert.pem -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ./bcprov-jdk15on-149.jar
thats it you will see emm_truststore.bks in that folder.
I have a webstart application where I want to do client authentication while connecting to the server. I have created pkcs12 certificate which I install using certmgr.exe and it works fine.
I want to do for every client that uses the application. How should I do this? If I distribute the certificate
I get a bad_certificate error. I know there isn't a problem with the certifcate because it would work if you install the certificate using the browser.
I had created the public key using
keytool -export -alias myKey -keystore abc.p12" -storetype PKCS12 -storepass mypassword -rfc -file abc.cer
then I imported this file into my server's keystore for mutual authentication using:
keytool -import -v -file abc.cer -keystore C:\apache-tomcat-7.0.26\tomcat.keystore" -storepass mypassword
after this, if I install abc.p12 certificate in certmgr, it works fine.
To be able to do it from Java, I needed a truststore. I created a truststore where I import the public key using
>keytool -import -keystore client-truststore.jks -file abc.cer
If I try to access the server using
-Djavax.net.ssl.keyStore=abc.p12
-Djavax.net.ssl.keyStorePassword=mypassword
-Djavax.net.ssl.trustStore=trustore.jks
-Djavax.net.ssl.trustStorePassword=mypassword
I'm not sure if I'm doing the right thing. Please let me know what you think.
What should I be doing? Please let me know your suggestions.
You should have imported it into your server's trust store, not its keystore.
You have to import the cert to your certs file, in the JDK is the cacerts file. After do that you have to view the cert is living on the file, and you will have do that on every client.
The thing about the trust store is that you create your own JKS file.
We use ActiveMQ to queue up messages from remote clients.
The clients use the following URL to connect to ActiveMQ on our server;
ssl://www.mydomain.com:61616
This worked fine in the past and was set up by a developer know longer with the company.
Recently we had to update our SSL Cert as the old one had ran out. We did this successfully for our http server but have only now realised that a copy of the original keystore still resided in the ActiveMQ config folders.
We have tried to place the new keystore into the ActiveMQ config folders, overwriting the old keystore. However this does not appear to work and all connections are rejected with the following stack trace;
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
What are we doing wrong here?
We've listed the contents of both the old and new keystore using the keytool -list command and they appear to be very similar (apart from the dates of course).
Is there additional updates we need to make to the clients calling the above url to accept our new keystore?
It may be that your truststore is out of synch with your keystore. Here is the general way to set it up from scratch; your config will differ, so adapt as needed:
Generate certs for each of the clients, and register the client certs with the broker truststore.
> keytool -genkey -alias producer -keyalg RSA -keystore myproducer.ks
> keytool -genkey -alias consumer -keyalg RSA -keystore myconsumer.ks
Export both certs
> keytool -export -alias producer -keystore myproducer.ks -file producer_cert
> keytool -export -alias consumer -keystore myconsumer.ks -file consumer_cert
Import the certs into the producer truststore (new file)
> keytool -import -alias producer -keystore mybroker.ts -file producer_cert
> keytool -import -alias consumer -keystore mybroker.ts -file consumer_cert
Copy the broker truststore to whichever location you had the old one in, usually {ACTIVEMQ_HOME}/conf. You can generally see this in your broker config:
<broker ...>
<sslContext>
<sslContext keyStore="file:${activemq.base}/conf/mybroker.ks"
keyStorePassword="test123"
trustStore="file:${activemq.base}/conf/mybroker.ts"
trustStorePassword="test123"/>
</sslContext>
</broker>