Certificate chaining error : PKIX path validation failed - ssl

I am frequently getting the exceptions below. Please advise what to do.
javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: Fail to verify issuer; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1564)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1551)
at com.sun.mail.smtp.SMTPTransport.ehlo(SMTPTransport.java:935)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:426)
at javax.mail.Service.connect(Service.java:288)
at javax.mail.Service.connect(Service.java:169)

Very generic error. Possibly some certificates are missing from the trust store (java.security.cert.CertPathValidatorException: Certificate chaining error).
Please include more info about what you are doing.

Probably your SMTP server is using chained certificates and you imported only the last one in the chain. You will have to add all certificates in the path to the trust store as signers. Check this post, Certificate chaining error in WebSphere; it provides some additional info on how to add certs to the truststore.
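A way to reproduce the failing check offline, as an added example that is not from the original thread, from JavaMail or from IBM: the Java class below (ChainCheck, a name chosen here) takes a PEM bundle of the chain the SMTP server presents (for instance saved from openssl s_client -showcerts -starttls smtp -connect host:port) and the trust store the application uses, runs the same PKIX CertPathValidator that JSSE runs during the handshake, and names the certificate and issuer that cannot be linked to a trusted signer. The file names, the PKCS12 store format and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXReason;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Offline re-run of the JSSE PKIX check. usage: java ChainCheck chain.pem truststore.p12 storepass (all hypothetical names) */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ChainCheck chain.pem truststore.p12 storepass");
            System.exit(2);
        }
        List<X509Certificate> chain = readPemChain(args[0]);
        KeyStore trust = loadKeyStore(args[1], args[2].toCharArray());

        System.out.println("chain as presented by the server (leaf first):");
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            System.out.printf("  [%d] subject=%s%n      issuer=%s%n      sha256=%s%s%n", i,
                    c.getSubjectX500Principal(), c.getIssuerX500Principal(), fingerprint(c),
                    trust.getCertificateAlias(c) != null ? " (already a trusted signer)" : "");
        }
        String verdict = validate(chain, trust);
        System.out.println(verdict == null ? "PKIX validation OK" : "PKIX validation FAILED: " + verdict);
        System.exit(verdict == null ? 0 : 1);
    }

    /** Parses every CERTIFICATE block in the file, in the order the server sent them. */
    static List<X509Certificate> readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates found in " + path);
        return chain;
    }

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // use "JKS" for an older .jks trust store
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Validates the chain against the store's trusted entries with the PKIX algorithm.
     * Returns null on success, otherwise a message naming the certificate that could not be
     * linked to a trusted signer and the issuer that therefore has to be imported.
     */
    static String validate(List<X509Certificate> chain, KeyStore trust) throws Exception {
        int anchors = 0;
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            if (trust.isCertificateEntry(e.nextElement())) anchors++;
        }
        if (anchors == 0) return "trust store contains no trusted certificate entries";

        // JSSE drops any presented certificate that is itself a trust anchor before validating,
        // so a chain that ends in an already-trusted root is fine; do the same here.
        List<Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (trust.getCertificateAlias(c) != null) break;
            path.add(c);
        }
        if (path.isEmpty()) return null; // the server certificate itself is a trusted entry

        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // this tool answers the chaining question only
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return null;
        } catch (CertPathValidatorException ex) {
            // getIndex() is the failing certificate's position, or -1 when no anchor matched at all;
            // in the -1 case the top of the presented chain is the one whose issuer is unknown.
            int idx = ex.getIndex() >= 0 ? ex.getIndex() : path.size() - 1;
            X509Certificate failing = (X509Certificate) path.get(idx);
            String why = ex.getReason() == PKIXReason.NO_TRUST_ANCHOR
                    ? "no trusted signer for issuer " + failing.getIssuerX500Principal() + "; import that CA certificate"
                    : "reason " + ex.getReason();
            return ex.getMessage() + " (certificate [" + idx + "] " + failing.getSubjectX500Principal() + ": " + why + ")";
        }
    }

    static String fingerprint(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

A NO_TRUST_ANCHOR result with index -1 is the "only the last one in the chain" situation: the top of what the server sent has an issuer that is neither in the chain nor in the store. What has to be added as a signer is that missing intermediate or root CA certificate, obtained from the CA or verified out of band, not the server's own certificate.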

Related

WSO2 EI 6.3 self-signed certificate error

I am getting the certificate error below while I am trying to call any API (https://:8243/) from a React-based frontend application. I have defined my REST API in WSO2 EI 6.3. I am not using WSO2 APIM.
What I did to resolve this issue:
1. I created a new self-signed certificate and created a new key store, updated carbon.xml and axis2.xml, and restarted the server. I am able to see my certificate in the WSO2 EI GUI.
2. I accepted the certificate in the browser.
But still I am not able to get rid of this error.
Is this error coming due to the self-signed certificate? If I use a CA-signed certificate, will this issue not be there?
Any help or pointer is highly appreciated.
[2020-04-07 08:54:48,841] [-1] [] [HTTPS-Listener I/O dispatcher-2] ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
BR//
Vipin Nirwal
I was able to resolve this issue. I followed the steps below.
I created my own CA first, then created a certificate signed by my own CA, and imported the root certificate of my CA into the browser, as this CA needs to be trusted by the browser.
After this I updated carbon.xml, the files inside the axis2 directory, and catalina-server.xml with the proper JKS file and password for the keystores.
Restarted the server.
You can try to debug it yourself by enabling SSL debug logs in the EI server. In the SSL logs, you can check whether the client certificate and the server certificate are matching. Have a look at the following blog.
https://medium.com/#nipunadilhara/enabling-ssl-debug-logs-for-wso2-products-30833d5de88e

JavaMail: how to connect to an IMAPS mail server without certificate validation

I'm trying to connect my Java application to an IMAP mail server on port 993, in a test environment.
I'm trying to ignore the certificate validation, using a recommendation from previous answers to a similar question, as follows:
imapProps.put("mail.imaps.ssl.checkserveridentity", "false");
imapProps.put("mail.imaps.ssl.trust", "*");
but it doesn't seem to work; I'm still getting an exception.
Cannot process current mailbox => sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.mail.MessagingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:727)
So my question is: is it actually possible to use the IMAPS protocol to connect to a mail server without having to check or validate the certificate?
If it is, wouldn't choosing to ignore the certificate validation be a two-sided decision then, the Java app and the mail server?
You need to use the same protocol name in both the properties and in the getStore method call. So, since you're setting the imaps properties, you should be using Store s = session.getStore("imaps");
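For the protocol-name mismatch the answer describes, here is a complete Java example added to this page (not the asker's code and not from the JavaMail project): the class ImapsConnect, a name chosen here, keeps every property under mail.imaps.* and opens the store with getStore("imaps"). It also shows the form to ship outside a test environment: instead of mail.imaps.ssl.trust = "*", an SSLSocketFactory built from a dedicated trust store is passed through the object-valued mail.imaps.ssl.socketFactory property, with hostname checking turned on. The trust store path, its PKCS12 format and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.mail.Folder;
import javax.mail.Session;
import javax.mail.Store;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Properties under mail.imaps.* are read only by the "imaps" provider; if the code calls
 * getStore("imap") they are silently ignored, which is how a trust-all setting "does not work".
 * usage: java ImapsConnect host user password truststore.p12 storepass (hypothetical names)
 */
public class ImapsConnect {

    /** An SSLSocketFactory that trusts only the signers in the given PKCS12 trust store. */
    static SSLSocketFactory trustStoreSocketFactory(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Production form: real validation against our trust store, hostname checked. */
    static Properties imapsProperties(String host, SSLSocketFactory factory) {
        Properties p = new Properties();
        p.put("mail.store.protocol", "imaps");
        p.put("mail.imaps.host", host);
        p.put("mail.imaps.port", "993");
        p.put("mail.imaps.ssl.checkserveridentity", "true");     // reject a certificate issued for another host
        p.put("mail.imaps.ssl.socketFactory", factory);          // object-valued property: use our trust store
        p.put("mail.imaps.ssl.socketFactory.fallback", "false"); // never fall back to a plain socket
        // Deliberately absent: mail.imaps.ssl.trust. A value of "*" there disables certificate validation.
        return p;
    }

    /** Test-environment only: the asker's trust-all settings, under the protocol name actually used. */
    static Properties insecureTestProperties(String host) {
        Properties p = new Properties();
        p.put("mail.store.protocol", "imaps");
        p.put("mail.imaps.host", host);
        p.put("mail.imaps.port", "993");
        p.put("mail.imaps.ssl.checkserveridentity", "false");
        p.put("mail.imaps.ssl.trust", "*"); // accepts any certificate: an active attacker can read the mailbox
        return p;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: java ImapsConnect host user password truststore.p12 storepass");
            System.exit(2);
        }
        Properties props = imapsProperties(args[0], trustStoreSocketFactory(args[3], args[4].toCharArray()));
        Session session = Session.getInstance(props);
        Store store = session.getStore("imaps"); // must match the mail.imaps.* prefix above
        try {
            store.connect(args[0], args[1], args[2]);
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_ONLY);
            System.out.println("connected over IMAPS; INBOX has " + inbox.getMessageCount() + " message(s)");
            inbox.close(false);
        } finally {
            store.close();
        }
    }
}
```

Swapping insecureTestProperties for imapsProperties in main reproduces the asker's setup with the protocol name fixed; the PKIX exception disappears because validation is off, which is the reason to confine that variant to a test environment.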

I am getting an SSL handshake issue; how to disable SSL in Karate

When I am trying to access a secure endpoint, I am getting an SSL handshake exception even after I disable SSL using the following Karate options.
Option 1) declared the following in the feature file:
* configure ssl = true
Option 2) declared the following in karate-config.js:
karate.configure('ssl', { trustAll: true });
(or)
karate.configure('ssl', true);
Exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Please help me out on this issue.
Maybe you forgot to make the URL start with https, or vice versa.
If you still have issues, follow this process: https://github.com/intuit/karate/wiki/How-to-Submit-an-Issue

IBM HTTP SSL certificate not found issue

I have a dev environment with IBM WebSphere Liberty 8.5.5; in front of this application server there is an IBM HTTP Server (external CA SSL certificate configured for IBM HTTP).
I'm able to access the IBM HTTP Server from the internet, but with /mfpconsole it throws an exception (see below).
[11/28/16 21:02:44:464 SGT] 00000024 com.ibm.mfp.admin.ui.servlet.ServiceProxy E FWLSE3301E: Problem with SSL certificates. Possible fixes: Put the application server's certificate into the truststore. Or define the JNDI property mfp.admin.ui.cors.strictssl to false (not in production environments).
[11/28/16 21:02:44:464 SGT] 00000024 com.ibm.mfp.admin.ui.servlet.ServiceProxy E Exception java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target while redirecting request to :443/mfpadmin/management-apis/2.0/runtimes?fullInfo=true
[11/28/16 21:02:49:759 SGT] 000000c9 com.ibm.ws.ssl.core.WSX509TrustManager E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN= was sent from the target host. The signer might need to be added to local trust store .p12, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[11/28/16 21:02:49:759 SGT] 000000c9 com.ibm.mfp.admin.ui.servlet.ServiceProxy E Received status 500 for GET https://url:443/mfpadmin/management-apis/2.0/runtimes?fullInfo=true
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I added the CA cert to the Liberty truststore and it resolved the issue. Thanks.

How do I import a certificate with a Java HttpsURLConnection

I want to access a web service hosted over HTTPS from WebSphere Application Server.
I am using the following way to make the HTTPS connection.
HttpsURLConnection connection = (HttpsURLConnection) new URL(wcfUrl).openConnection(); // uses the server's default SSL configuration and trust store
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setAllowUserInteraction(false);
connection.setInstanceFollowRedirects(false);
connection.setRequestMethod("POST");
connection.setRequestProperty("foo", userId);
connection.setRequestProperty("bar", pwd);
connection.setRequestProperty("Content-Type", "application/xml");
connection.connect(); // the TLS handshake happens here; the PKIX failure below is thrown from this call
When I try to run this code I get the following error
com.ibm.jsse2.util.g: PKIX path building failed:
java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException:
The certificate issued by CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
After I imported the signer certificate in my local server (as explained in this link: http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Ftsec_sslretrievesignersport.html) I was able to connect to the remote server (where the service is deployed over HTTPS).
Can I do the same thing through java code without importing the signer certificate?
You don't. You can't import data designed to verify the security of the connection over the connection whose security you're trying to verify. It doesn't make sense. The certificate has to be imported offline. Otherwise you are just creating security breaches.
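The import the answer calls for can still be done by a program, as long as that program is an operator's tool run out of band that compares what it receives with a fingerprint obtained independently; it must not be the application accepting whatever the connection offers. The Java class below, RetrieveSigner (a name chosen here; an added example, not the asker's code and not IBM's retrieve-from-port implementation), does what the WebSphere "retrieve from port" dialog does, with that comparison made explicit: it refuses to store anything unless the top certificate's SHA-256 fingerprint matches the expected value. The PKCS12 trust store, the alias naming and the command-line arguments are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Operator tool, run once and out of band. usage: java RetrieveSigner host port truststore.p12 storepass EXPECTED_SHA256_HEX */
public class RetrieveSigner {

    /** Records the presented chain; it is used for this one probe only, never for application traffic. */
    static final class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] presented;
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { presented = chain; }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Opens a TLS connection to an implicit-TLS port (443, 465, 993, ...) and returns the chain the server sent. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        RecordingTrustManager recorder = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
        }
        if (recorder.presented == null || recorder.presented.length == 0) {
            throw new IllegalStateException("no certificate chain received from " + host + ":" + port);
        }
        return recorder.presented;
    }

    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: java RetrieveSigner host port truststore.p12 storepass EXPECTED_SHA256_HEX");
            System.exit(2);
        }
        X509Certificate[] chain = fetchChain(args[0], Integer.parseInt(args[1]));
        for (int i = 0; i < chain.length; i++) {
            System.out.printf("[%d] %s%n    sha256=%s%n", i, chain[i].getSubjectX500Principal(), sha256Hex(chain[i].getEncoded()));
        }
        // The last certificate sent is the root or the highest intermediate: that is the signer to trust.
        X509Certificate signer = chain[chain.length - 1];
        String actual = sha256Hex(signer.getEncoded());
        String expected = args[4].replace(":", "").toUpperCase(); // accept the colon-separated form too
        if (!actual.equals(expected)) {
            System.err.println("REFUSING to import: fingerprint " + actual + " does not match the expected " + expected);
            System.exit(1);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        File file = new File(args[2]);
        if (file.exists()) {
            try (InputStream in = new FileInputStream(file)) { ks.load(in, args[3].toCharArray()); }
        } else {
            ks.load(null, null); // create a new, empty trust store
        }
        ks.setCertificateEntry("signer-" + actual.substring(0, 16).toLowerCase(), signer);
        try (OutputStream out = new FileOutputStream(file)) { ks.store(out, args[3].toCharArray()); }
        System.out.println("stored " + signer.getSubjectX500Principal() + " as a trusted signer in " + file);
    }
}
```

Two caveats a practitioner would want. If the server sends only one certificate, its chain is incomplete on the server side and the tool would pin the end-entity certificate, which breaks at the next renewal; get the intermediate and root from the CA instead. And the tool only speaks implicit TLS; an SMTP server using STARTTLS on port 25 or 587 has to be queried with openssl s_client -starttls smtp -showcerts and the saved PEM imported from the file. Once the signer is in the trust store the HttpsURLConnection code in the question works unchanged, because it uses the server's default SSL configuration.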