Trust a Certificate Authority in Java - spring-boot

I'm trying to consume some webservices in my Spring boot Applications, I got this error in swagger when I try to execute my request, I tried to search for the url of the webservices in a browser (https://ip:port) then I got a security error telling me that the certificate authority is not recognized "SEC_ERROR_UNKOWN_ISSUER".. I thought that the problem is coming from there.
I tried to export the certificate from the browser and to import it in my cacerts but it didn't work.. Could a problem in my code be the cause of this error?
{
"timestamp": "2021-11-16T08:11:16.189+00:00",
"status": 400,
"error": "Bad Request",
"message": "I/O error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"path": "***"
}

Okay, I might be late with the answer but I am anyways going to post it here because I am pretty sure someone will need it in the future.
After hours of searching for the answer I found the reason. I haven't imported self-signed root CA certificate into the java's cacerts keystore and therefore, I kept on getting the same exception.
Command to add root CA to the cacerts keystore from one of the stackoverflow answers.
keytool -import -alias mycert -keystore "<<your-JAVA_HOME-directory>>\jre\lib\security\cacerts" -file mycert.cer
However, it did not work for me and I had to point it to
keytool -import -alias mycert -keystore "<<your-JAVA_HOME-directory>>\lib\security\cacerts" -file mycert.cer to my jdk instead of jre folder.
Default password of the keystore is "changeit"

Related

When I run the example code of openai-java in my machine, SSLHandshakeException error happens

I tried to run the example of openai-java, but SSLHandshakeException error happens.
here is my code
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at io.reactivex.internal.util.ExceptionHelper.wrapOrThrow(ExceptionHelper.java:45)
at io.reactivex.internal.observers.BlockingMultiObserver.blockingGet(BlockingMultiObserver.java:91)
at io.reactivex.Single.blockingGet(Single.java:2585)
at com.theokanning.openai.OpenAiService.createCompletion(OpenAiService.java:116)
Also, I used postman to send post requests to https://api.openai.com/v1/completions with my secret-key, it gives "You exceeded your current quota, please check your plan and billing details"
I guess it may because of https Certificate, and I followed How to Resolve Error message "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", and put certificate of https://openai.com/ into my JDK. And It doesn't work. I wanna ask how to fix this problem

SpringBoot in IntelliJ. unable to find valid certification path to requested target

IntelliJ Community Edition, Java8, Spring Boot 2.1.11
Trying to do a basic linkedIn course (Building Reactive apps with Spring Boot2 by Chris Anatalio)
I am unable to run the application. It uses an embedded Mongo DB.
failed
:ReactivespringApplication.main()
org.springframework.beans.BeanInstantiationException: Failed to instantiate [de.flapdoodle.embed.mongo.MongodExecutable]: Factory method 'embeddedMongoServer' threw exception; nested exception is de.flapdoodle.embed.process.exceptions.DistributionException: prepare executable
de.flapdoodle.embed.process.exceptions.DistributionException: prepare executable
java.io.IOException: Could not open inputStream for https://downloads.mongodb.org/win32/mongodb-win32-x86_64-3.5.5.zip
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Update:
I found that LinkedIn provides an 'end' code set for each lecture. I downloaded and imported it and it ran fine. I dont know what is different. Did a WinMerge but no obvious differences.
Been in the same situation, Root cause is that you are behind a proxy server which requires ssl certificate to communicate/download.
Resolution:
1. Try different network, this worked for me when I connected to a mobile hotspot.
2. import/create a ssl certificate or bypass ssl, am also still exploring this path.

SEC_ERROR_INVALID_TIME error in firefox for valid certificate

I have generated a certificate for apache with
openssl ca -config openssl.conf -extensions usr_cert -in reqs/httpd.req -out httpd.pem -startdate 170226000000Z -enddate 180226000000Z -noemailDN
This certificate is accepted by openssl, chrome, git etc. but not by firefox which rejects it with:
xxx uses an invalid security certificate.
The certificate will not be valid until 26.02.2017 01:00.
The current time is 26.02.2017 11:49. Error code: SEC_ERROR_INVALID_TIME
This seems to have something to do with the encoding of the notBefore and notAfter fields (https://bugzilla.mozilla.org/show_bug.cgi?id=1152515) but I've been unable to find any hints to on how to fix this but this really helpful
Re-generate the certificate with valid encodings for time fields
(https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates)
Any advice / hints appreciated!

gradlew.bat (and gradlew) SSLHandShakeException

I'm new to Gradle and was going through this Spring Tutorial found here:
http://spring.io/guides/gs/gradle/
I get to the part where it tells me to add this task:
task wrapper(type: Wrapper) {
gradleVersion = '2.3'
}
I run gradle wrapper which creates the gradlew and gradlew.bat files.
Trying to run both of this I get this exception:
Downloading https://services.gradle.org/distributions/gradle-2.3-bin.zip
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.val
idator.ValidatorException: PKIX path building failed: sun.security.provider.cert
path.SunCertPathBuilderException: unable to find valid certification path to req
uested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.jav
a:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.
java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339
)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323
)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:
563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect
(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLCon
nection.java:1300)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Http
sURLConnectionImpl.java:254)
at org.gradle.wrapper.Download.downloadInternal(Download.java:56)
at org.gradle.wrapper.Download.download(Download.java:42)
at org.gradle.wrapper.Install$1.call(Install.java:57)
at org.gradle.wrapper.Install$1.call(Install.java:44)
at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAcc
essManager.java:65)
at org.gradle.wrapper.Install.createDist(Install.java:44)
at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:126)
at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:56)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.jav
a:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.j
ava:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerIm
pl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustMan
agerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
java:1323)
... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCert
PathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 25 more
I try to hit the webserver at https://services.gradle.org/distributions/gradle-2.3-bin.zip and I'm not getting any sort of error. I'm I missing some sort of config? Any help would be appreciated. Thanks!
if you could not fix anyway. and if you are inside firewall.
then.
you may can not download https.
should fix that Edit gradle-wrapper.properties file.
vi [project]/gradle/wrapper/gradle-wrapper.properties
#distributionUrl=https\://services.gradle.org/distributions/gradle-2.8-bin.zip
distributionUrl=http\://services.gradle.org/distributions/gradle-2.8-bin.zip
change from https to http...
http://blog.cjred.net/gradlew-bat-and-gradlew-sslhandshakeexception/
After I modified, it says: Server returned HTTP response code: 403 for URL: http://services.gradle.org/distributions/gradle-6.0.1-all.zip
I experienced the same problem, however my symptoms were that my Ubuntu machine couldn't resolve any SSL hosts unless I specifically added them to Java's certificate authority (cacert) file.
I stumbled upon this Debian bug, and found a fairly straight-forward resolution: remove ca-certificates-java and install it again:
sudo dpkg --purge --force-depends ca-certificates-java
sudo apt-get install ca-certificates-java
I did a ./gradlew clean for good measure, and everything sprung to life again.
It seems, that the certificates for the gradle site were messed up. Doing a gradlew clean should fix this. See this thread on the Gradle forum: http://discuss.gradle.org/t/urgent-ssl-apache-configuration-for-services-gradle-org-is-bad/8808/4
Steps:
Run gradlew -Djavax.net.debug=all tasks
Go through the debug logs, and see if you find anything out of the ordinary.
In my case, seeing something like Zscaler did the trick, as i know i have Zscaler on(which by the way rewrites the TLS traffic blablabla), and it was trying to find the valid certification path to requested target, which obviously it couldn't find.
2 Options:
Exit Zscaler
If exiting Zscaler is not an option, go to your browser, export Zscaler Root Certificate
If you are using Brave browser, here are the steps:
Settings > Privacy and security > Manage device certificates > Trusted Root Certification Authorities > Find Zscaler Root CA > Export
and import it in the JVM truststore gradle is using, something like:
keytool -import -trustcacerts -alias Zscaler -file "Zscaler Root CA.cer" -keystore "%JAVA_HOME%"\jre\lib\security\cacerts
IMPORTANT: Do a gradlew clean before retrying any command.
In my case the problem was caused by an obsolete (7 years old) version of Java. Even gradlew clean did fail. After a Java update it worked fine.
In my case I was on a company network and behind a proxy, which as I understand it rewrites the SSL certificates, making the Java installation not trust any of them.
To solve it I had to create a gradle.properties file in my home directory under .gradle (~/.gradle/gradle.properties) and add the following line:
org.gradle.jvmargs=-DsystemProp.https.proxyHost=<myProxyHost> -DsystemProp.https.proxyPort=<myProxyPort> -DsystemProp.https.proxyUser=<myProxyUsername> -DsystemProp.https.proxyPassword=<myProxyPassword>
That solution was based on this SO answer: Gradle use certificate authentication for repository
This is because, Gradle tries to find the installed package in your local machine.
If you have the installed location:
D:\apps\gradle-3.3
Follow these steps in eclipse:
New Project
Gradle Project
Enter project Name
Local Installation Directory
Click Finish.
You are good to go.
Create this profile in user home:
$ vi ~/.yarnrc
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
strict-ssl false

trusted certificate entries are not password-protected Spring SAML

I have generated testIdp.cer file by copying 509 entry of the IDP I am planning to connect. Then I created JKS file by executing the following command
keytool -importcert -alias adfssigning -keystore C:\Users\user\Desktop\samlKeystore.jks -file C:\Users\user\Desktop\testIdp.cer
When executed it has asked to enter a password for which I have given a password. For the question "Trust this certificate? [no]:", I have given "y" as input. Message came out as "Certificate was added to keystore".
Then I have configured the following details in securityContext.xml
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="mypassword"/>
<constructor-arg>
<map>
<entry key="adfssigning" value="mypassword"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="adfssigning"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="alias" value="adfssigning" />
<property name="signingKey" value="adfssigning"/>
</bean>
But when I run the application, I get the following two exceptions when the server is starting and when I load the homepage of the application. Can anyone let me know if I am missing anything else.
This exception is occuring when I start the server
Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:327)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityGroup(SignatureValidationFilter.java:240)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:158)
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:493)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:395)
This exception is occuring when I run the homepage of my application
java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
at java.security.KeyStore.getEntry(Unknown Source)
at org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)
Your .cer certificate contains only a public key, you mustn't define <entry key="adfssigning" value="mypassword"/> for public keys; it can only be used for private ones. Simply take out the adfssigning entry and make sure to include a private key instead - just like in the Spring SAML sample application.
The SAML keystore can contain two basic types of keys - public and private ones (plus their certificates). Each key has an alias which is used to refer to it. The keystore itself can be protected by a password (provided in the second constructor parameter), plus each private key can be also protected by an additional password (these are defined in third parameter of the constructor in a map of alias->password). The public keys which you import to the keystore (just like you did with the command above) mustn't be defined in this map. They will be automatically available after being imported without additional declarations. For Spring SAML to work, the keystore must contain at least one private key (the sample application contains private key with alias apollo) and its alias needs to be provided in the third parameter of the constructor.
Your example above fails, because you have imported a public key, but included it in the map which can only be used for private keys.
Vladimir answered correctly the question why the error occurs.
In my answer I want to show how you can import a certificate to the keystore to solve that problem:
You have to import the certificate and private key which could not be done directly by keytool.
The detailed described solution is found here: https://stackoverflow.com/a/8224863/1909531
Here's an excerpt:
openssl pkcs12 -export -in server.crt -inkey server.key \
-out server.p12 -name [some-alias] \
-CAfile ca.crt -caname root
keytool -importkeystore \
-deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \
-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \
-alias [some-alias]
After trying everything, deleting and recreating the jks files multiple times, nothing worked. I then happened to scroll this page and found Pankaj's answer and that was it. I was using the wrong alias in the properties file. As correctly mentioned by Pankaj, We should be using the alias of the PrivateKeyEntry and not the trustedCertEntry in the properties file.
Steps are then as follows :
Create a JKS file using the command below. This would also add the PrivateKeyEntry to the JKS file.
keytool -genkeypair -alias some_alias -keypass some_password -keyalg RSA -keysize 2048 -keystore samlKeystore.jks -validity 1825
Import the IDP cert into it. This would add the trustedCertEntry to the file.
keytool -importcert -alias some_other_alias -file file_name -keystore samlKeystore.jks
Modify your properties file to use the alias you gave while creating the JKS file i.e. the alias for PrivateKeyEntry
sso.keystore.privatekey.alias=some_alias
sso.keystore.default.certificate.alias=some_alias
restart your server.
One other mistake I did in the beginning was that I got a metadata.xml file from IDP and had to create a cert file. I forgot to add the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" before and after the cert, which then generated an invalid cert and gave me grief. Teh cert should be in the format below
-----BEGIN CERTIFICATE-----
BLAH-BLAH-BLAH-CERT
-----END CERTIFICATE-----
This error occurs also when you don't have a private key in your Keystore. SAML uses the private key to generate the Service provider meta data used to communicate with the IDP.
Just add one to the Keystore like this:
keytool -genkey -v -keystore some_key_store.jks -alias some_alias -keyalg RSA -keysize 2048 -validity 36500
Fill in the questions and set validity to an appropriate number of days. (In my example it's valid for 100 years)
Remember to add the public certificate from IDP. Then you should be ready to go.
For those looking for answers in java config please comment out the line
passwords.put("mykeyalias", "mystorepass"); .... shown in code snippet below.
#Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader.getResource("classpath:saml-keystore.jks");
Map<String, String> passwords = new HashMap<>();
// passwords.put("mykeyalias", "mystorepass");
return new JKSKeyManager(storeFile, "mystorepass", passwords, "mykeyalias");
}
After all the above solutions,if the problem is still there, Probably worth checking whether your are using correct alias while using the cert in keystore. in my case, due to having multiple cert entry, i entered incorrect alias(in fact one with Entry type: trustedCertEntry which caused issue. while you should use one with Entry type: PrivateKeyEntry
for that just check the existing cert using
keytool -list -keystore "$JKS_CERT_PATH" -storepass "$JKS_CERT_PASSPHRASE" -noprompt -v
Get the public certificate using openssl command:
openssl s_client -showcerts -connect iam-sso.google.net:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
Import it into the Keystore:
keytool -import -alias "new-qet-alias" -keystore /usr/share/tomcat8/webapps/ROOT/WEB-INF/classes/saml/samlKeystore.jks -file mycertfile.pem

Resources