SOLR not starting with SSL - ssl

I have setup solr on local system. It works fine without ssl however for SSL solr gives exception:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
at org.eclipse.jetty.start.Main.start(Main.java:457)
at org.eclipse.jetty.start.Main.main(Main.java:75)
Caused by: java.io.IOException: Invalid keystore format
I have generated p12 and jks using commands:
“C:\Program Files\Java\jdk-10.0.1\bin\keytool.exe” -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:127.0.0.1 -dname “CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country”
and
“C:\Program Files\Java\jdk-10.0.1\bin\keytool.exe” -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
Kept secret as password for all phrases. Copied the jks and p12 file to solr-6.6.2/server/etc folder. Updated the solr.in.cmd file and uncommented these lines:
SET SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SET SOLR_SSL_KEY_STORE_PASSWORD=secret
SET SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SET SOLR_SSL_TRUST_STORE_PASSWORD=secret
SET SOLR_SSL_NEED_CLIENT_AUTH=false
SET SOLR_SSL_WANT_CLIENT_AUTH=false
SET SOLR_SSL_KEY_STORE_TYPE=JKS
SET SOLR_SSL_TRUST_STORE_TYPE=JKS
When I try to run with: solr -p 8984 it gives the above said exception.
Can you please help me out with the setup. Been googling but can't seem to find the resolution.

Ok I have resolved the issue. Seems like my java version was
"1.8.0 ea"
. When I uninstalled and reinstalled the new version
"1.8.0_171"
, solr started in https.
I also tried java version 10 and it had the same issue with solr 6.6.2

Related

Getting an error when starting Jenkins with PEM certificate

I recently set up my jenkins ci server, and I wanted to add HTTPS SSL certification. I got a certificate from Let's Encrypt and I have the certificate and private key as PEM files, according to the documentation, I can pass the paths of the two files to jenkins by command-line arguments(I use the integrated Winston server in the jenking WAR file). My startup command looks like this:
java -jar jenkins.war
--httpPort=8080
--httpsPort=443
--httpsCertificate=path/to/certificate.pem
--httpsPrivateKey=path/to/key.pem
But when I start jenkins I get this error:
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:212)
at winstone.Launcher.<init>(Launcher.java:172)
at winstone.Launcher.main(Launcher.java:355)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:375)
at Main.main(Main.java:151)
Caused by: winstone.WinstoneException: Cannot load private key; try using a Java keystore instead.
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:156)
at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:81)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:33)
at winstone.Launcher.spawnListener(Launcher.java:210)
... 8 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:151)
... 11 more
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:545)
... 16 more
2020-05-02 16:14:21.351+0000 [id=1] SEVERE winstone.Logger#logInternal: Container startup failed
java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:545)
Caused: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:151)
Caused: winstone.WinstoneException: Cannot load private key; try using a Java keystore instead.
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:156)
at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:81)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:33)
at winstone.Launcher.spawnListener(Launcher.java:210)
Caused: java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:212)
at winstone.Launcher.<init>(Launcher.java:172)
at winstone.Launcher.main(Launcher.java:355)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:375)
at Main.main(Main.java:151)
The old jenkins documentation has notes on using java keystore, not sure why the latest (2.235.3) has changed HTTPS notes to using pem/key files.
You may refer to https://github.com/garyttt/unattended_jenkins_image_build, pick up the shell functions and run the generate_self_signed_jks.sh to generate a testing .jks file.
The syntax is for example:
JENKINS_OPTS="--prefix=/jenkins --httpPort=-1 --httpsPort=8083 --httpsKeyStore=/var/jenkins_home/selfsigned.jks --httpsKeyStorePassword=secret"
In case you need the content of the shell function, it is:
$ display_shell_function generate_self_signed_jks
generate_self_signed_jks ()
{
keytool -genkey -keyalg RSA -alias selfsigned -keystore selfsigned.jks -validity 365 -keysize 4096;
keytool -export -alias selfsigned -keystore selfsigned.jks -rfc -file selfsigned.cer;
keytool -list -v -keystore selfsigned.jks;
keytool -importkeystore -srckeystore selfsigned.jks -destkeystore selfsigned.p12 -deststoretype pkcs12
}
OR
You may convert .pem file to .jks as per convert certificate from pem into jks

Why do I get a CertificationExpiredException when my SSL Certificate has been renewed and repalced in Payara 5?

I have been running a Glassfish4 server with an SSL Certificate for my Websocket based app for a number of months now. I recently switched to Payara5. When I set up the Payara server, everything worked great. Now, the certificate has expired, and after renewing it (same process I've always done), the Payara server still thinks it's using the old certificate.
The process I've been going through since the beginning is:
cert-bot renews the certificate automatically.
replace the old certificate with the new certificate in the keystore I'm using
restart the server
This works, and has always worked, for my Glassfish server. But not the Payara server. I've had to revert to Glassfish while I try and figure this out. I checked in the keystore in Payara for the alias, and it shows the new certificate's expire date. So, as far as I can tell, it should be fine.
The commands I've used to renew the certificate are as follows:
openssl pkcs12 -export -in $LETS_ENCRYPT/live/www.mywebsite.com/fullchain.pem -inkey $LETS_ENCRYPT/live/www.mywebsite.com/privkey.pem -out $LETS_ENCRYPT/live/www.mywebsite.com/pkcs.p12 -name mywebsite.com
keytool -importkeystore -deststorepass *password* -destkeypass *password* -destkeystore $LETS_ENCRYPT/live/www.mywebsite.com/letsencrypt.jks -srckeystore $LETS_ENCRYPT/live/www.mywebsite.com/pkcs.p12 -srcstoretype PKCS12 -srcstorepass *password* -alias mywebsite.com
keytool -importkeystore -srckeystore $LETS_ENCRYPT/live/www.mywebsite.com/letsencrypt.jks -destkeystore $PAYARA_HOME/glassfish/domains/domain1/config/keystore.jks
$PAYARA_HOME/bin/asadmin restart-domain
I checked the keystore afterwords with:
keytool -v -list -keystore $PAYARA_HOME/glassfish/domains/domain1/config/keystore.jks -alias mywebsite.com
and it shows:
Certificate[1]:
Owner: CN=www.mywebsite.com
Issuer: CN=Let's Encrypt Authority X3....
Serial number: ******
Valid from: Wed Apr 03 17:22:48 PDT 2019 until: Tue Jul 02 17:22:48 PDT 2019
The error from the client app shows:
…
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.glassfish.grizzly.ssl.SSLUtils.sslEngineWrap(SSLUtils.java:427)
at org.glassfish.grizzly.ssl.SSLConnectionContext.wrap(SSLConnectionContext.java:337)
at org.glassfish.grizzly.ssl.SSLUtils.handshakeWrap(SSLUtils.java:303)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:673)
at org.glassfish.grizzly.ssl.SSLFilter.doHandshakeStep(SSLFilter.java:308)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:598)
at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:310)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:515)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:250)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:684)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501)
... 25 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 31 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri May 17 12:21:27 PDT 2019
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 36 more
Which would indicate it is using the old certificate, or something along those lines.
I discovered that I have two keystore.jks locations. The one that my Payara server defaults to is located in the
$PAYARA_HOME/glassfish/domains/domain1
not
$PAYARA_HOME/glassfish/domains/domain1/config
The JVM Option for the keystore location is set to :
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks,
so I thought I was altering the correct keystore. But, I suppose Payara doesn't use this value, or I have it set wrong. Either way, I just changed my script file to use the domain1/keystore.jks instead of domain1/config/keystore.jks.
Perhaps I goofed my setup and this all could have been avoided. But I figure I should leave this here anyway, in case someone else has a similar issue.

Restassured - Facing issue with SSL - Untrusted Resources

I have tried following things-
Ist thing - Using -RestAssured.useRelaxedHTTPSValidation();
RestAssured.given().proxy(ProxySpecification.host("proxy.corp.ups.com").withPort(8080).withAuth(User, Password)).when().get(url);
•Getting Status code as 502...
2nd Thing- I downloaded the PEM file from Browser and then convert it into the .jks file using
$ keytool -importcert -alias "equifax-ca" -file EquifaxSecureGlobaleBusinessCA-1.crt -keystore truststore_javanet.jks -storepass test1234
then using
InputStream keyStoreStream = Thread.currentThread().getContextClassLoader().getResourceAsStream("ABC.jks");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(keyStoreStream, "Password".toCharArray());
response = RestAssured.given().proxy(ProxySpecification.host("proxy.corp.ups.com").withPort(8080).withAuth(UName, Pwd)).trustStore(keyStore).when().get(url);
getting error - javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
Please help me with the above issue
I'm not sure if this is the same problem I faced sometime ago, but in my case I solved the issue with this command:
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure
More on this here: https://brunozambiazi.wordpress.com/2016/01/19/java-security-invalidalgorithmparameterexception-the-trustanchors-parameter-must-be-non-empty/

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [duplicate]

This question already has answers here:
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
(33 answers)
Closed 8 months ago.
I am making Webservice call thru TLS connection(https) in Tomcat 7.x
While calling the WebService, I am getting following Error. What would be the issue? I have tried creating Certificates and CA.
FYI - https://sites.google.com/site/ddmwsst/create-your-own-certificate-and-ca
I imported CA certificate and other certificates and still I am getting this issue. Please advice.
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://localhost:8443/myDomain/MyService?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:92)
... 37 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1902)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1032)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1328)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:632)
at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:189)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:799)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:764)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:123)
at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:237)
at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:300)
... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 61 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
I am testing Certificates by creating locally. So I followed these steps.
Keys>keytool -genkey -alias TLS -keystore TLSKeyStore.jks -keyalg RSA -sigalg SHA1withRSA
Keys>keytool -export -alias TLS -file TLS.cer -keystore TLSKeyStore.jks
Keys>keytool -certreq -alias TLS -keystore TLSKeyStore.jks -file TLS.csr
CA>set RANDFILE=rand
CA>openssl req -new -keyout TLSkey.pem -out TLSreq.pem -config C:\OpenSSL-Win64\bin\openssl.cfg
CA>openssl x509 -signkey TLSkey.pem -req -days 3650 -in TLSreq.pem -out TLSroot.cer -extensions v3_ca
CA>openssl x509 -CA TLSroot.cer -CAkey TLSkey.pem -CAserial serial.txt -req -in ../Keys/TLS.csr -out ../Keys/TLSTestCA.cer -days 365
Keys>keytool -import -alias TLSCA -file ../CA/TLSroot.cer -keystore TLSKeyStore.jks
Keys>keytool -import -alias TLS -file TLSTestCA.cer -keystore TLSKeyStore.jks
Here's an overall summary of how to import certificates to fix the following error:
Error while trying to execute request.
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
How to import certificates
Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate
Click "more info" > "security" > "show certificate" > "details" > "export..".
Save as .der
Repeat for any certificates you need to import
Locate $JAVA_HOME/jre/lib/security/cacerts
Import all *.der files into the cacerts file using the following:
sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
sudo keytool -import -alias mysiteprod -keystore $JAVA_HOME/jre/lib/security/cacerts -file prod.der
sudo keytool -import -alias mysitedev -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev.der
The default keystore password is 'changeit'
You can view the change that you made with this command that shows the Certificate fingerprint.
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
If this doesn't solve the problem, try adding these java options as arguments:
-Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
-Djavax.net.ssl.trustStorePassword="changeit"
My guess is that you might have missed a step. I was having the same error until I realized I imported the wrong certificate
Finally I got the way to solve this issue.
Refer this InstallCert.java in this link. Run this program as Standalone by passing arguments as localhost:9443 and Program creates jssecacerts file under eclipse.
Copy this jssecacerts file into your JDK_HOME\jre\lib\security\ folder. That should solve the issue
Happy TLS setup!!!

"unable to find valid certification path to requested target" after adding new Keystore to ActiveMQ

We use ActiveMQ to queue up messages from remote clients.
The clients use the following URL to connect to ActiveMQ on our server;
ssl://www.mydomain.com:61616
This worked fine in the past and was set up by a developer know longer with the company.
Recently we had to update our SSL Cert as the old one had ran out. We did this successfully for our http server but have only now realised that a copy of the original keystore still resided in the ActiveMQ config folders.
We have tried to place the new keystore into the ActiveMQ config folders, overwriting the old keystore. However this does not appear to work and all connections are rejected with the following stack trace;
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
What are we doing wrong here?
We've listed the contents of both the old and new keystore using the keytool -list command and they appear to be very similar (apart from the dates of course).
Is there additional updates we need to make to the clients calling the above url to accept our new keystore?
It may be that your truststore is out of synch with your keystore. Here is the general way to set it up from scratch; your config will differ, so adapt as needed:
Generate certs for each of the clients, and register the client certs with the broker truststore.
> keytool -genkey -alias producer -keyalg RSA -keystore myproducer.ks
> keytool -genkey -alias consumer -keyalg RSA -keystore myconsumer.ks
Export both certs
> keytool -export -alias producer -keystore myproducer.ks -file producer_cert
> keytool -export -alias consumer -keystore myconsumer.ks -file consumer_cert
Import the certs into the producer truststore (new file)
> keytool -import -alias producer -keystore mybroker.ts -file producer_cert
> keytool -import -alias consumer -keystore mybroker.ts -file consumer_cert
Copy the broker truststore to whichever location you had the old one in, usually {ACTIVEMQ_HOME}/conf. You can generally see this in your broker config:
<broker ...>
<sslContext>
<sslContext keyStore="file:${activemq.base}/conf/mybroker.ks"
keyStorePassword="test123"
trustStore="file:${activemq.base}/conf/mybroker.ts"
trustStorePassword="test123"/>
</sslContext>
</broker>