I have secured my web app with Keycloak that is based on Quarkus. When I start the app:
./mvnw clean compile quarkus:dev
it shows me:
io.quarkus.oidc.OIDCException: OIDC server is not available at the 'quarkus.oidc.auth-server-url' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The Keycloak server is set up with a certificate from https://acme-staging-v02.api.letsencrypt.org/directory (not a valid certificate), because it is a DEV environment.
The Keycloak configuration on Quarkus:
quarkus.oidc.auth-server-url=https://dev.oic.databaker.io/auth/realms/databaker
quarkus.oidc.client-id=svc
quarkus.oidc.credentials.secret=!!!secret!!!
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.1.path=/
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=DISABLED
quarkus.ssl.native=false
How do I bypass the error?
The acme-staging Let's Encrypt certificates are for testing purposes and are not trusted by the CAs included with your system.
You need to add the Fake LE Root X1 root certificate to the list of trusted CA certificates.
This is detailed in the Let's Encrypt Acme docs:
The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store.
Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.
Related
I have a local environment with WebLogic 10.3.4 and an .ear app deployed on it. This app must communicate with external services via REST APIs. These external services are exposed over https and use wildcard certificates.
I receive the following exceptions when I try to connect to one of these services.
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://dds-service.domain.com" General SSLEngine problem; nested exception is javax.net.ssl.SSLHandshakeException: General SSLEngine problem [...]
[...] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [...]
[...] Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So what I tried in the first instance was to open the same URL the app tries to connect to in my browser, download its wildcard certificate (.cer, Base64 encoded) and with keytool import it into the JVM's trust store that WebLogic loads and looks up when trying to validate a cert. I am sure it is the correct one because I imported other certificates that caused the same error and also because of this log
<Loading trusted certificates from the jks keystore file C:\WEBLOG~1\wls\JROCKI~1.1-3\jre\lib\security\cacerts.>
At this point, I suppose the problem is related to the way I import the wildcard certificate in WebLogic. I tried to look for different ways to do it, but they, like this one, require a .pfx file that is not available to me at the moment.
Do I need a .pfx to solve this or is there another way?
If someone will ever have the same problem, here is the solution I found: it appears that WLS 10.3.x has issues in trusting certificates with keys longer than 128 bits; this is what caused the problem in the first instance. That said, two actions solved my problem:
-DUseSunHttpHandler=true added as a VM argument in the setDomainEnv script
Enable JSSE SSL via the WLS admin console (Environment > Servers > server name > Configuration > SSL > Advanced > check the JSSE SSL box)
Click Save, and restart WLS server.
I am trying to integrate MongoDB with Hazelcast for distributed caching. The MongoDB has cluster servers and requires a password. When I do a get collection call in the MongoMapStore.java class, following the example mentioned in
https://github.com/hazelcast/hazelcast-code-samples/blob/master/hazelcast-integration/mongodb/src/main/java/com/hazelcast/loader/MongoMapStore.java, I get errors such as
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
etc. If it helps I could produce the entire stacktrace of the errors.
How can I solve this issue?
The error is likely due to a missing certificate for your DB server. Ensure your keystore has the required certificate(s). If you do have the server's public key certificate and want to load it, see:
How to import a .cer certificate into a java keystore?
I have an Apache web server fronting a Tomcat 8 web server that is running my website, and I'm switching the top-level domain from my.website.ie to my.website.com. I have some code that runs in response to a particular request that generates a PDF. That code fetches an image (using a URL) which is served from the same web server e.g.
Image.getInstance(new URL("https://my.website.com/img/myimage.png"))
In addition to the domain change, I'm also changing my SSL certificate provider to LetsEncrypt (free SSL certs). My development website at the new .com domain is running and the certificate is valid and does not expire for a number of months.
I have another development server running on a separate machine that is still using the .ie domain. The Tomcat codebase running on both of these servers is identical right now. They are both trying to fetch the image at the URL shown above in that particular piece of code.
On the .ie server, the request that generates the PDF works correctly, without any problems fetching the image. On the .com server, the request fails with this error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
My understanding of this error is that the certificate at the target URL is not trusted (e.g. self-signed), but that is not true in this case. Also, both of the servers are hitting the same URL for the image, so why is one server trusting the certificate and the other not?
I haven't made any additional configuration changes on the .ie server that I haven't made on the .com server (with respect to setting up the new certificate), so is there some other (mis)configuration that I haven't considered?
Not trusted means the used CA is not trusted by the software.
Self-signed certificates are never trusted.
Java has its own trust store (only on Linux is the system trust store used, AFAIR?). If the CA certificate is newer than the used Java version it may happen that Java does not trust the CA. Conclusion: Update your Java.
According to this Stackoverflow answer you need at least Java 8u101 for Let's Encrypt support:
Does Java support Let's Encrypt certificates?
The error says that the chain doesn't lead to a root certificate that is trusted. Trusted CA root certificates are stored in Java's root keystore where the root certificate issued by Let's Encrypt is obviously missing.
You can add the root certificate manually to the store or check if newer versions of Java already contain the certificate.
I have a web application using Java 7 and Tomcat 6 on Ubuntu 12.04. It uses Apache CXF to make REST calls to a web service on a different server over https. It has been working fine until about 11am today. Then for each REST call, whether GET or POST, I receive
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target errors in catalina.out.
The certificate is in the
jdk/jre/lib/security/cacerts
and does not expire until 2018. When I restart tomcat the program runs fine.
Any idea what would trigger this?
Thanks in advance
Randy
If you are entirely certain that this is not a validity period problem with the service's certificate, here are some more situations to check for:
The certificate on the service side was changed so the one in cacerts is now not doing anything
The certificate you installed was a system's certificate and you are now connecting to a different node due to load balancing (if so, you would need an intermediate or CA cert)
The service requires Mutual TLS (aka 2-way SSL) and the certificate on your side is now missing or invalid
A host name has changed such that the certificate(s) are no longer valid
Some software or configuration file has changed and now the client and service do not have SSL/TLS versions in common.
I have three Java-based web applications, app1, app2 and app3, in production. All three are verified by verified CAs and hosted on three different web servers over https.
app1 and app2 are verified by SecureTrust; app3 is verified by Trustwave.
Below is the hierarchy of certificates I can see when I hit any of these apps through a web browser.
The app1 and app2 certificate hierarchy is the same:
Entrust.net Secure Server Certification Authority---> SecureTrust CA------->*.myAppDomain.com
The app3 certificate hierarchy is:
Entrust.net Secure Server Certification Authority---> SecureTrust CA------->TrustWave Organization Validation CA, L------->*.myApp3.com
Now when app1 connects to app2, it works fine. But when app1 connects to app3, it gets the exception below:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Now I had a look at the cacerts file (i.e. the trust store) inside the JDK on the web server hosting app1. I tried to find the entries for Entrust, SecureTrust and TrustWave but found only entries like entrustevca, entrust2048ca etc. So if I go by the logic that if the root certificate (which is Entrust for both applications app2 and app3) lies in the trust store of the contacting application (app3), which I can see in the cacerts file on app3, then I should not get the above mentioned error when app1 tries to contact app3 through HttpsURLConnection. I am not getting the cause of this. I am not sure whether we need to include TrustWave as well, though the root certificate, i.e. Entrust, which internally authenticates TrustWave, is already there?
If I need to include the TrustWave certificate (used by app2) in the cacerts file on app3, then by that logic I should also include SecureTrust (used by app2) in the cacerts file on app3, but it is working fine?
The client's truststore doesn't trust the server's certificate. So there was no trusted CA certificate in the client's truststore that matched anything in the certificate chain supplied by the server. So that certificate chain was incomplete. You need to import everything you were supplied with by the CA into the server's keystore.
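A small diagnostic that puts the answers above into practice: it shows the chain a server actually sends and which link the JVM's trust store cannot anchor, which separates the missing staging root (first answer), a changed certificate, load-balanced node or renamed host (the catalina.out answer) and a server that omits its intermediate (the app1/app3 answer). This is an added example, not code from any of the posts; it assumes a reachable host and port on the command line, and a test-only PKCS12 truststore (for instance one holding Fake LE Root X1) can be tried without touching cacerts by running it with -Djavax.net.ssl.trustStore=<file> -Djavax.net.ssl.trustStoreType=PKCS12.

```java
import javax.net.ssl.*;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Prints the chain a TLS server presents and which link the JVM's trust store cannot anchor. */
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];                                    // e.g. dev.oic.databaker.io (host from the first question)
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        // Default store: cacerts, or the file named by -Djavax.net.ssl.trustStore (e.g. a test-only store holding Fake LE Root X1)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        // Records the presented chain, then defers to the real trust manager (same PKIX failure the application sees)
        X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager capturing = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { seen[0] = c; real.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{capturing}, null);
        String verdict = "handshake succeeded: chain is trusted and matches the host name";
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");        // check the host name too, as HttpsURLConnection does
            s.setSSLParameters(p);
            s.startHandshake();
        } catch (IOException e) {                                 // SSLHandshakeException is an IOException
            verdict = "REJECTED: " + e;
        }
        X509Certificate[] chain = seen[0] == null ? new X509Certificate[0] : seen[0];
        boolean lastAnchored = false;
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            // Name match only; the handshake above is what verified signatures and validity periods
            lastAnchored = Arrays.stream(real.getAcceptedIssuers()).anyMatch(a -> a.getSubjectX500Principal().equals(c.getIssuerX500Principal()));
            System.out.printf("[%d] subject=%s%n    issuer=%s (in trust store: %s), expires %s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal(), lastAnchored, c.getNotAfter());
        }
        System.out.println(verdict);
        if (chain.length > 0 && !lastAnchored)
            System.out.println("Issuer of the last presented certificate is not a trust anchor: the server omits an intermediate or the root is missing from this store.");
    }
}
```

If the chain the tool prints ends in an intermediate whose issuer is reported as not in the trust store, the fix belongs on the server (send the full chain), not in the client's cacerts; if it ends in a root that is simply absent, that root is what needs importing, and for the Let's Encrypt staging root only into a store used for testing.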