Certificate chaining error in Websphere - ssl-certificate

I am trying to consume a RESTful service from url https://someurl.com.
I have added the following properties in my code:
Security.setProperty("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl");
Security.setProperty("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl");
Security.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
Security.setProperty("javax.net.ssl.keyStore", "keystore.jks");
Security.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
Security.setProperty("javax.net.ssl.trustStoreType", "JKS");
The configuration changes that I have done so far are:
set com.ibm.websphere.ssl.retrieveLeafCert to true
retrieved the certificate using url as someurl and port 443 and added it to the truststore.
restarted the server
But I am getting the following exception:
java.security.cert.CertPathValidatorException: Certificate chaining error
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Walmart Root CA, O=Wal-Mart Stores Inc is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:22)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:423)
at com.ibm.jsse2.kb.a(kb.java:192)
at com.ibm.jsse2.kb.a(kb.java:176)
at com.ibm.jsse2.lb.a(lb.java:53)
at com.ibm.jsse2.lb.a(lb.java:464)
at com.ibm.jsse2.kb.s(kb.java:545)
at com.ibm.jsse2.kb.a(kb.java:530)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:79)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:437)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:142)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:686)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:98)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:13)
at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:6)
at com.dwl.tcrm.tester.RESTClient_2.main(RESTClient_2.java:76)

I'm assuming you have a web application, which is trying to access that restful service.
First, you should not set your stores via javax.net.ssl.* properties, but use SSL configurations provided in WebSphere. So comment all these setProperty() calls.
Second, you have to add your service server certificate to the trust store.
Login to web admin console:
Go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
Click Retrieve from port button, and specify hostname, 443 port, and Alias.
Click Retrieve singer information button.
Verify, if correct certificate is imported (parent).
Save, and restart.
In some versions, the child certificate was imported (not the root), in that case, you will have to manually download the root certificate and intermediate (e.g. via browser, and import that one to the NodeDefaultTrustStore, but this time using Add button, not Retrieve..

This means your certificate is not added in cacerts. Try to execute this command as
keytool -list -v -keystore your_path_to_cacerts (Provide the list of cert in cacerts)
check by matching the serial number of your certificate. If it is not there then please follow the steps given below
To export the Intermediate certificate: Internet Explorer -> Tools -> Internet Options -> Content -> Certificates ->
To view the Certificate Path: Select Certificate -> View -> Certification Path ->
To Export the Certificate: Select Certificate -> Export -> DER
encoded Binary Format -> Save ( From Firefox -> Tools -> Options -> Advanced -> Encryption -> View Certificates )
(Given here - http://www-01.ibm.com/support/docview.wss?uid=swg21592616) after this add this exported certificate with below command
keytool -import -trustcacerts -Keystore CACERTS(path) -alias alias -file cert path export in step 3
My issue was the same and I am able to resolve it by following these steps

Related

SSLError(SSLCertVerificationError) when presenting client side cert and key

I have a website that is hosted behind company's network. You could only connect to it using the client.crt and client.key. This client.crt is signed by a self signed ca.crt which is referenced in the apache config file.
I installed the server certificate (servercrt.crt) on my machine and can make a curl request with no issues:
curl https://my_url.com:53234 --cert path/to/client.crt --key path/to/client.key
I also imported the client.crt in the browser. When navigate to the url the browser asks to select the client certificate. Once selected the right client certificate, it opens up the page without issues.
However, I have problems with python. When I try to connect using python:
import requests
clientcertfile = './client.crt'
clientcertkeyfile = './client.key'
servercert = './servercert.pem'
requests.get(url='https://my_url.com:53234, cert= (clientcertfile, clientcertkeyfile), verify = servercert)
I get the following error:
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')
But, I can connect to this url when set the verify=False which I don't want. The requests package just displays a warning that its better not to set the verify=False option.
I have looked at here, here and here but no joy.
Any ideas?
Apparently, I was using the wrong ca.crt for the server. Once I replaced it with the right certificate. It fixed the issue.
#Steffen's comment helped solved the issue.

Unable to connect mule Anypoint Connectors Update Site

I'm trying to download object store.
I'm getting below error while connecting to Anypoint Connectors Update Site - https://repository.mulesoft.org/connectors/releases/3.5.0
Unable to read repository at https://repository.mulesoft.org/connectors/releases/3.5.0/content.xml.
Unable to read repository at https://repository.mulesoft.org/connectors/releases/3.5.0/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It seems you are facing some ssl certificate issues, this usually occurs when your JVM truststore contains self-signed certificates (i.e. certificates not signed by a CA).
This case occurs when Java attempts to connect to another application over SSL (e.g.: HTTPS, IMAPS, LDAPS), it will only be able to connect to that application if it can trust it. The way trust is handled in the Java world is that you have a keystore (typically $JAVA_HOME/lib/security/cacerts), also known as the truststore. This contains a list of all known Certificate Authority (CA) certificates, and Java will only trust certificates that are signed by one of those CAs or public certificates that exist within that keystore.
But before jumping to conclusion do check Case 1 and 2
Case 1 : Check if the link is not blocked by your firewall
Do refer the Mulesoft Doc
Case 2 : Simply update your java (this is easy way)
Case 3 : Download Certificate manually and add in Java's truststore
Refer this link to know how to download certificate manually and this link to add the certificate to the truststore (you will need OpenSSL toolkit to transform the certificate to required format, it is described in the the mentioned link), and in case you are not familiar with different extension related to SSl certificate go check out this SO answer

WinRm - Cannot create a WinRM listener on HTTPS due to incorrect SSL certificate

I want to use WinRM with https transport. I've bought a Comodo certificate (the error states I cannot use a self-signed certificate) with the Subject matching my FQDN (Full computer name in System) of my Windows 10 computer (not domain joined):
CN = my.domain.net
OU = PositiveSSL
OU = Domain Control Validated
When trying to create a https listener with the following command:
WinRm quickconfig -transport:https
I get the error message:
Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
I've installed (doubleclick the *.crt file) the certificate in several stores (local machine / personal and Trusted Root Certification Authorities) but WinRM fails to create the https listener. The http listener is working OK.
Some extra info: When using certreq to try to install the *.cer certificate, I get the error:
Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
How do I get WinRM working with https?
Here is how I solved this issue:
create a SSL CSR using DigiCert Certificate Utility for Windows from digicert.com
use the generate CSR to request a certificate. I used versio.nl but I'll guess there are a lot of CA's out there
Install the certificate by double clicking it
go to the certificate manager for user
rightclick the certificate (it should me in the personal store) and export it
- follow the wizard and be sure to export the private key
install the newly exported certificate (mark the key as exportable and include all extended properties) in the local computer certificate store
Open an console (cmd) with administrator privilidges and type:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS 
#{Hostname="server.fqdn";CertificateThumbprint="YOURCERTIFICATETHUMPPRINT"}
This worked for me. Some things to check if it is not working:
is the certificate still valid (check the date range)
check if the certificate property 'Subject" has a CN value with the FQDN of your computer
check if the listener is installed (winrm e winrm/config/listener)
I took me a lot of hours to figure this out. I hope it will help some of you out there.
I also experienced this issue - the answer from RHAD was partially helpful, but I needed to use an entirely internally generated CA.
The problem was caused by the Key algorithm I had chosen. Using the same configuration, only changing the key it works:
Failed key: elliptic curve cryptography with the brainpoolP512t1 curve (in the certificate this showed as: Public Key Algorithm: id-ecPublicKey / ASN1 OID: brainpoolP512t1 )
Successful key: an RSA key: (in the certificate: RSA Public-Key: (4096 bit))
Hopefully this helps others with similar issues.

ColdFusion CFHTTP and SSL Certs

Background: I have an ongoing problem with a Connection Failure error message when I try connecting to an API using CFHTTP. While reviewing the API in SoapUI I noticed there was a button SSL Info (3 certs) which is outlined below. When I click the button a window of copy pops up with the headlines outlined below.
"SSL Info (3 certs)"
CipherSuite:
PeerPrincipal
Peer Certificate 1:
Peer Certificate 2:
Peer Certificate 3:
I have a feeling these are the key to getting my application to connect and pull the JSON correctly.
Question: How or Where do I install this cert information. Should I copy all 310 lines in the window with the cert information and place it in new file and save it somewhere?
Any info would be great.
I have answered the question of installing certificates before. Here are the steps again to save you from searching...
If you are using cfhttp to connect via SSL (https) then the ColdFusion server definitely needs the certificate installed to successfully connect. Here is a previous answer that I gave on a similar issue:
Here are the steps you need to perform in order to install the certificate to the Java keystore for ColdFusion. First, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.
The default truststore is the JRE's cacerts file. This file is typically located in the following places:
Server Configuration:
cf_root/runtime/jre/lib/security/cacerts
Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/lib/security/cacerts
Sun JDK installation:
jdk_root/jre/lib/security/cacerts
Consult documentation for other J2EE application servers and JVMs
In order to install the certificate you need to first get a copy of the certificate. This can be done by using Internet Explorer. Note that different versions of Internet Explorer will behave slightly differently but should be very similar to these steps. For example, earlier versions of IE might save the certificate under a different tab than I mention.
Browse to the SSL URL in Internet Explorer - https://xyz/infoLookup.php?wsdl.
View the certificate by clicking on the lock icon and clicking view certificate
Then click the Install Certificate... button (note: if you do not see this button you must close IE and run it as administrator first)
Click on IE's Internet Options and click the Content tab
Click the Certificates button
Find the server's certificate under the Intermediate Certification Authorities tab, select the cert and click the Export... button
Export using DER format
Copy the exported certificate file to your ColdFusion server (you can delete the cert from IE if you want)
Run cmd prompt as administrator on the ColdFusion server
Make a backup of the original cacerts file in case you run into issues
The keytool is part of the Java SDK and can be found in the following places:
Server Configuration:
cf_root/runtime/bin/keytool
Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/bin/keytool
Sun JDK installation:
jdk_root/bin/keytool
Consult documentation for other J2EE application servers and JVMs
To install the cert:
Change directory to your truststore's location (where the cacerts file is located)
Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -import -v -alias your_cert_alias_name -file C:\wherever_you_saved_the_file\cert_file.cer -keystore cacerts -storepass changeit
Type yes at the prompt to "Trust this certificate?"
Note: your_cert_alias_name I used above can be whatever you want
Note: C:\wherever_you_saved_the_file\cert_file.cer change these values to whatever you use for the server folder and certificate file name
To verify the cert:
Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -list -v -keystore cacerts -alias your_cert_alias_name -storepass changeit
Note: your_cert_alias_name use the same name here that you used above to install the cert
Restart the ColdFusion service It will not read the updated cacerts file until you do this.
You can delete the imported certificate file from the server if you wish.

syslog-ng with chained certificates

I have a set up as follows: Root CA-> Intermediate CA -> Client Cert and Server Cert.
On the client side I have a directory containing client.crt, client.key, and a symbolic hash link to chain.crt. chain.crt contains the intermediate cert followed by the root cert (concatenated).
On the server side I have a directory containing server.crt, server.key, and a symbolic hash link to chain.crt. chain.crt is the same as the one described above.
When I run openssl verify -CApath certs.d client.crt. It returns and OK status. The same thing happens when I run it on server.crt.
When I try to send logs from the client to the server, I get errors, on the client side, stating that the Root certificate could not be validated because it is self signed.
The configuration on the client is:
destination d_server {
syslog( "some ip" port(some port) transport("tls")
tls( peer-verify(required-trusted)
cipher-suite(some cipher)
ca-dir(".../certs.d/")
key-file(".../certs.d/client.key")
cert-file(".../certs.d/client.crt") ) );
};
Does anyone know how I can fix this?
certificate chains are supported only in syslog-ng OSE 3.6.1 and later, so you'll have to upgrade. If there is no newer version in your distro repositories, see syslog-ng.org download page