We have deployed a WSO2 API Manager to expose the APIs of the system. When we published an API with a https target endpoint (Eg: https://abc.d.e:), the requests get failed with the following exception.
TID: [-1234] [] [2017-06-26 06:46:43,226] ERROR {org.wso2.carbon.apimgt.hostobje
cts.APIProviderHostObject} - Error occurred while connecting to backend : https
://list-micro.aws.na.sysco.net:9090, reason : sun.security.validator.ValidatorEx
ception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBu
ilderException: unable to find valid certification path to requested target {org
.wso2.carbon.apimgt.hostobjects.APIProviderHostObject}
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExce
ption: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.jav
a:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
Wso2/Carbon uses Java 8 .. Keep in mind there is an issue where the apparently SSL client doesn't pares SNI very well. So if you are using multiple certificates on 1 ip address, this could be the issue:
http://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html
Related
I have developed a biometric authencation system on java8u144 and active directory password reset using ldaps on java8u191. When I tried to combine them...
Forst biometric encryption popped error for invalid key size. I updated JCE UNLIMITED .THEN BIOMETRIC STARTED WORKING BUT ldaps connection issues remain for ssl handshake pkix path building failed
I am not able to fix it
Pls help me out
I am running out of time
i am getting following exception
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-nio-8084-exec-2, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
http-nio-8084-exec-2, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 2E .......
http-nio-8084-exec-2, called closeSocket()
http-nio-8084-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
on java8u144 without jce code was working but biometric needed unlimited strength. i tried java8u144 java8u162 java8u191
currently using java8u162.
above exception is coming only after JCE upgrade.
kindly guide how to get certificate chain for this.
NOTE LDP.exe is working on client sucessfully.
& OPENSSL : unable to verify first cerificate
I am trying to connect Rest service from my application. And my application is deployed to WAS server.
I am using Spring RestTemplate to consumer the rest service and everything working fine in my local WAS setup.
But when i deploy my code to QA environment (lower environment region), i am getting below error in my log file.
[4/30/18 17:18:22:355 EDT] 00000207 SystemErr R org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://host:port/resourcename": com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=XXX Root CA, O="The XXX Services Group, Inc." is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error; nested exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=XXX Root CA, O="The XXX Services Group, Inc." is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[4/30/18 17:18:22:355 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:607)
[4/30/18 17:18:22:356 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
[4/30/18 17:18:22:357 EDT] 00000207 SystemErr R at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:357)
I have imported the certs for the port and host using signer certificate option, but still the issue not resolved (Also tried importing root certs). Can any one let me know what could be the issue?
This looks like the JVM you are using does not trust one of the intermediate certificates, as the error suggests.
You need to retrieve the whole certificate chain, not just the root CA certificate and the certificate of the server. You can use your browser or openssl to retrieve the certificate chain. Your client JVM MUST trust each and every certificate in the certificate chain.
See the following:
https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux
I am trying to configure the 3node secured Nifi cluster setup by followinng the below Link .
But between nodes the connection not happened after enabled SSL/LDAP and i am getting the below error.
2017-04-01 09:05:47,494 WARN [Clustering Tasks Thread-2] o.apache.nifi.controller.FlowController Failed to send heartbeat due to: org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 'HEARTBEAT' protocol message due to: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2017-04-01 09:05:47,494 ERROR [Process Cluster Protocol Request-7] o.a.nifi.security.util.CertificateUtils The incoming request did not contain client certificates and thus the DN cannot be extracted. Check that the other endpoint is providing a complete client certificate chain
2017-04-01 09:05:47,494 WARN [Process Cluster Protocol Request-7] o.a.n.c.p.impl.SocketProtocolListener Failed processing protocol message from HKLPATHAS02.hk.example.com due to org.apache.nifi.cluster.protocol.ProtocolException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
org.apache.nifi.cluster.protocol.ProtocolException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.getRequestorDN(SocketProtocolListener.java:221) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:133) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_102]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_102]
Caused by: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromClientSSLSocket(CertificateUtils.java:306) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromSSLSocket(CertificateUtils.java:261) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.getRequestorDN(SocketProtocolListener.java:219) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
... 5 common frames omitted
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) ~[na:1.8.0_102]
at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromClientSSLSocket(CertificateUtils.java:291) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
... 7 common frames omitted
Please guide me to resolve this thread.
The error is saying that one node in the cluster is attempting to make a heartbeat connection to the other node, but it is not providing a valid client certificate in order to authenticate itself during the TLS handshake negotiation. There are a few possible reasons for this error:
The node is not sending the client certificate. Ensure that nifi.security.needClientAuth=true and nifi.cluster.protocol.is.secure=true are present in your nifi.properties file.
The truststore on the receiving node does not contain the public key certificate of the connecting node. When you followed the instructions from that link, how did you generate the respective certificates? Using the Apache NiFi TLS Toolkit as described by Pierre should ensure that all node certificates are signed by the same CA and that the CA is imported into the common truststore. If you manually generated your certificates, ensure that they are trusted on each node (you can do this with OpenSSL's s_client tool).
I am trying to push the company app into Pivotal Cloud Foundry. The app should be bound with service registry. I didn't do any changes in application.yml file. I had have service-registry service in my Pivotal apps manager console. After I pushed my company app into PCF and binded with service-registry service. I did restage my company app. The app is not registered in the service registry console.
2016-06-06T11:25:36.72+0530 [APP/0] OUT Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://p-spring-cloud-services.uaa.******.com/oauth/token":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to fin
d valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.securit
y.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
and
2016-06-06T05:49:35.000+00:00 [APP] OUT 2016-06-06 05:49:35.668 ERROR 22 --- [pool-5-thread-1] com.netflix.discovery.DiscoveryClient : DiscoveryClient_COMPANY/https://p-spring-cloud-services.uaa.******.com/oauth/token:****** - was unable to refresh its cache! status = Error requesting access token.
How to solve these issues?
The cause of problem is ssl certification for PCF. I think you are not uploaded ssl certificate to your environment.
Your PCF instance should have valid root certificates of your apps installed at their side and vice versa....
I'm getting below error for public stream using Twitter 4j in IBM WAS 6.1.Can you please suggest on this issue .
INFO: com.ibm.jsse2.util.h: No trusted certificate found
com.ibm.jsse2.util.h: No trusted certificate found
Relevant discussions can be found on the Internet at:
http://www.google.co.jp/search?q=944a924a or
http://www.google.co.jp/search?q=24fd66eb
TwitterException{exceptionCode=[944a924a-24fd66eb 944a924a-24fd66c1 944a924a-24fd66c1], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.3}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:192)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)
at twitter4j.internal.http.HttpClientWrapper.post(HttpClientWrapper.java:98)
at twitter4j.TwitterStreamImpl.getFilterStream(TwitterStreamImpl.java:304)
at twitter4j.TwitterStreamImpl$7.getStream(TwitterStreamImpl.java:292)
at twitter4j.TwitterStreamImpl$TwitterStreamConsumer.run(TwitterStreamImpl.java:462)
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.n.a(n.java:28)
at com.ibm.jsse2.jc.a(jc.java:235)
at com.ibm.jsse2.db.a(db.java:268)
at com.ibm.jsse2.db.a(db.java:272)
at com.ibm.jsse2.eb.a(eb.java:56)
at com.ibm.jsse2.eb.a(eb.java:122)
at com.ibm.jsse2.db.m(db.java:351)
at com.ibm.jsse2.db.a(db.java:173)
at com.ibm.jsse2.jc.a(jc.java:535)
at com.ibm.jsse2.jc.g(jc.java:203)
at com.ibm.jsse2.jc.a(jc.java:97)
at com.ibm.jsse2.jc.startHandshake(jc.java:44)
at com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:38)
at com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:34)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:866)
at com.ibm.net.ssl.www2.protocol.https.a.getOutputStream(a.java:38)
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:150)
... 5 more
Caused by: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.util.g.a(g.java:24)
at com.ibm.jsse2.util.g.b(g.java:54)
at com.ibm.jsse2.util.e.a(e.java:9)
at com.ibm.jsse2.yb.checkServerTrusted(yb.java:4)
at com.ibm.jsse2.hb.checkServerTrusted(hb.java:9)
at com.ibm.jsse2.eb.a(eb.java:193)
... 17 more
Jul 3, 2013 10:14:56 AM twitter4j.internal.logging.CommonsLoggingLogger info
INFO: Waiting for 500 milliseconds
Jul 3, 2013 10:14:56 AM twitter4j.internal.logging.CommonsLoggingLogger info
INFO: Establishing connection.
The issue is now resolved by adding SSL certificate in JVM. This page really helped me to understand SSL connection concept in Java.