I am running a IBM Liberty server (on IBM Container) in https with a self signed certificate (described in server.xml).
I am connecting to IBM cloudant database for by DB needs. Everything worked fine until I switched my liberty server to https. I am getting the following excepton
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.cloudant.com, O="Cloudant, Inc.", L=Boston, ST=Massachusetts, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
I followed the documentation here https://www.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.installconfig.doc/install_config/t_install_datastore_config_certificates.html to import the cloudant certificate generated by openssl s_client -connect cloudant.com:443 -showcerts > cloudant.cert to the liberty truststore, but that did not resolve the issue.
Your help is appreciated.
Try with: openssl s_client -connect xxxxx-bluemix.cloudant.com:443 where xxxxx-bluemix.cloudant.com refers to your Bluemix Cloudant service instance.
You can get the service instance domain by launching the Cloudant dashboard in Bluemix from your Cloudant service instance. Click on the API tab on the top right.
Related
I'm working on a gRPC service, and we're using a CA certificate we generated ourselves for our server. Unfortunately, I can't seem to figure out how to tell grpc_cli about that certificate, and so I get "Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed."
I see an option for specifying the client cert and key, but not for the CA cert. What am I missing?
I can connect fine with Python to any external https site without this error:
SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))
But I have a local webserver on my laptop with a self-signed certificate that works fine in itself but Python generates an _ssl.c:1108 error when I try to connect to it.
Any ideas?
The python client does not have access and trust the CA certificate that signed the web server certificate. In your case that is the self-signed web server certificate.
To get the python client working, you can do the following:
disable certificate verification. That is not a good idea but I guess is ok for a quick test. The emphasis is on "it is not recommended".
Download the self-signed certificate and make it accessible to the python client and specify it as trusted CA certificate.
Download and install a certificate from well known CAs such as LetsEncrypt (free) or commercial CAs. This is the recommended approach.
You could go into depth on the items mentioned herein and get a conceptual understanding how TLS operates.
EDIT 1: You could also get a free certificate from LetsEncrypt CA. Or you could get a free test certificate from most of the commercial CAs like DigiCert etc. See this link for getting and installing a free test certificate signed by a DigiCert test CA.
See this for details on python client configuration for TLS.
I have an application running on Centos7 that needs to connect to a remote host over HTTPS. However, it is unable to verify the certificate and fails. Also, if I try to download a file from the server using wget, I get the below error:
[root#foo:~]# wget https://10.65.127.9/index.html
--2017-05-22 09:03:01-- https://10.65.127.9/index.html
Connecting to 10.65.127.9:443... connected.
ERROR: cannot verify 10.65.127.9's certificate, issued by ‘/CN=us6877vnxe7827’:
Unable to locally verify the issuer's authority.
To connect to 10.65.127.9 insecurely, use `--no-check-certificate'.
So I get the certificate from the host:
openssl s_client -connect 10.65.127.9:443 <<<'' | openssl x509 -out /etc/pki/ca-trust/source/anchors/mycert.pem
And execute the following to process it:
update-ca-trust extract
This however results in the same issue.. If I run:
openssl s_client -connect 10.65.127.9:443 -showcerts -debug
I do get some errors and various messages:
depth=0 CN = us6877vnxe7827
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = us6877vnxe7827
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=us6877vnxe7827
i:/CN=us6877vnxe7827
Server certificate
subject=/CN=us6877vnxe7827
issuer=/CN=us6877vnxe7827
---
No client certificate CA names sent
---
Verify return code: 21 (unable to verify the first certificate)
Any ideas what I may be missing? If any further info helps, please let me know.
For wget you need to provide the certificate authority (CA) certificate(s) that signed the https server certificate. If you have those CA certificates - add them under --ca-certificate=file or --ca-directory=directory options
If you don't have them and you want to skip https server certificate verification (unsecure and can be dangerous) then use --no-check-certificate option.
I had the same problem with Jenkins trying to connect to our GitLab server.
The server does have a valid official certificate in our case, but Java didn't except it.
You are right about downloading the certificate.
However, the application you are mentioning is probably running inside a Java Virtual Machine (as a lot of applications are).
So from the point that you downloaded the certificate to a PEM file, you may have to add it to the VM's trusted certificates instead.
This article describes how to do that. Hope it helps.
I am trying to do push messaging using the java-apns library.
I am currently trying to use it .withSandboxDestination() but I am getting an error saying: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.
I have read in quite a few places that it is probably due to a missing CA root certificate. The Provider Communication with Apple Push Notification Service says that:
To establish a TLS session with APNs, an Entrust Secure CA root
certificate must be installed on the provider’s server. If the server
is running OS X, this root certificate is already in the keychain. On
other systems, the certificate might not be available. You can
download this certificate from the Entrust SSL Certificates website.
I am using a windows7 machine for my development phase. I opened mmc.exe and added the certificates snap-in (set up for "Computer" - Q1: is this the right thing to do? ) and I can see under Certificates (Local Computer) -> Trusted root certification authorities -> Certificates the following two certificates by Entrust.net:
Entrust.net Certification Authority (2048)
Entrust.net Secure Server Certification Authority
However, on the Entrust.net site there are many more certificates...
Q2: Which of those certificates do I need?
Q3: Am I looking at the right place or maybe java within tomcat is not using my computer's certificates at all?
Q4: Is there a way for me to see the certificate used by apple's gateway.sandbox.push.apple.com, port 2195 ?
Any help is appreciated.
We are developing an application using tomcat and jersey.
Within this webapplication we need to connect to a https Website with a valid, not expired certificate.
If I do connect to this website locally via my chrome browser, everything works fine!
Unfortunately the tomcat server with our webapp throws an exception. We are using the Apache HttpClient (4.0) to connect to the https site:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
The server certificate is absolutely valid and from thawte.
Three different online tools validated the certificate successfully.
Openssl has an issue, too and showing me three certificates but throwing a simple error:
Verify return code: 20 (unable to get local issuer certificate)
The problem with openssl seems to be that it uses the wrong path /usr/lib/sslinstead of /etc/ssl/certs. If I use the CApath argument pointing to the proper path, openssl works fine so may this be an issue with the httpClient?
So our code for the default client is quite simple:
client = new DefaultHttpClient();
response = client.execute(url); //this throws the exception
EntityUtils.consume(response.getEntity());
It's not an option to allow any certificates by implementing a custom TrustedManager!
Futher I read, that some CA's are not part of the JDK/JRE and so it's certificates should be imported manually into the keystore or use a custom one, but thawte is a well known CA and shouldn't it work on default?
EDIT
I did set the javax.debug properties in catalina.sh so that I have further information about the problem:
http-bio-8080-exec-1, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: basic constraints check failed:
pathLenConstraint violated - this cert must be the last cert in the certification path
I would appreciate any help!
Thanks in advance!
Okay, I got it working!
Although thawte is a well known CA it seems that Java SSL did have some problems with it.
After downloading the ssl Certificate via openssl:
echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
and saving it into an pem file, I did the manual import into the java keystore:
keytool -import -alias myAlias -file theCert.pem -keystore lib/security/cacerts
I have no idea why java ssl was not able to validate the thawte certificate properly.
Listing the keystore showed me, that there are 7 thawte trusted certificates in the standard keystore but bizarrely it did not work until I manually imported the pem file
I am trying to understand your setup. You have a SSL certificate (issued by Thwate), installed in tomcat and you can access your site just fine over SSL using say IE or Firefox or Chrome.
But when you try to access it using HttpClient, you receive the above error ?
Is that correct ?
The error clearly indicates that your client does not trust the CA. But if the cert is signed by Thwate (and is installed correctly and is acessible via IE/Firefox etc), then it should work fine.