I am getting below excpetion in jdk1.6.But same it's working JDK1.7 version onwards.
So is this problem with JDK1.6 version?
java.security.cert.CertPathValidatorException: java.io.IOException: Bad encoding in X509 Certificate
at sun.security.provider.certpath.OCSP.check(OCSP.java:219)
at sun.security.provider.certpath.OCSP.check(OCSP.java:85)
at com.strutsrecipes.antbuild.business.PIOCSPValidation.generateCertificatePath(PIOCSPValidation.java:67)
at com.strutsrecipes.antbuild.actions.LoginSearchAction.execute(LoginSearchAction.java:21)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:480)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
Related
On Jmeter, I'm trying to hit an API with https protocol, and encountering the infamous SSLHandshakeException.
Response code:Non HTTP response code: javax.net.ssl.SSLHandshakeException
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints...
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: RSASSA-PSS
Using Java (32 bit) jre 1.8, Jmeter 5.3 on Win7 Enterprise edition.
Server Certificate details:
Version: V3
Signature Algorithm: RSASSA-PSS
From other questions on Stackoverflow, tried these but didn't help:
Commented out jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms in java.security file.
Have imported the certificate from the server to Java keystore.
My mac has a TFS build agent connecting to a TFS server. That works fine. But when fetching the source code it fails with the following error:
An error occurred: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
When I on the mac, remove the old certificate for the TFS server from the Java Truststore I get the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
If I add a new certificate for the server, into the Java truststore (the cacerts file) with good new valid time stamps, I get this error:
PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
Thus, I know that I am making changes to the correct cacerts file, since I'am getting different output based on the two scenarios above.
I've been scanning through the cacert file, trying to find if any expired cert for the TFS server is still there. Can't find any.
I've tried importing both the root cert and the site cert, but no difference there.
No problems connecting to the server site with Safari or using curl. The certificate on the server is renewed and has valid timestamps.
Any help would be greatly appreciated.
I managed to get by the issue by installing a brand new, latest version build agent.
I installed OpenJDK 10. What I did was just unpack it, set the PATH variable and the JAVA_HOME variable.
Java even rejects the certificate of google.de (and all others I tried). I tested this by some dummy class that tries to connect. Outcome is:
C:\Users\Alexander\Downloads>java SSLPoke google.de 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:343)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)
at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098)
at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
at java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 18 more
Found a lot on the net how to add special certs to java but i think in my java installation something is wrong in general.
So my question is what could cause such a thing???
You should verify root certificates inside the cacerts keystore. The file is stored in JAVA_HOME/jre/lib/security/cacerts (or JAVA_HOME/lib/security/cacerts in newer Java versions). As per OpenJDK 10 Now Includes Root CA Certificates post you can use keytool command to count them:
>jdk-10\bin\keytool -cacerts -list | find "Certificate" /c
Enter keystore password: changeit
80
Most likely your Java installation is corrupted and you should reinstall. Do note that OpenJDK is provided by multiple vendors and it could be that you are using an installer which doesn't install the root certificates.
Ended up installing oracle jdk 10 (also 10.0.2) and that works
C:\Users\Alexander\Downloads>java "SSLPoke" google.de 443
Successfully connected
I run ant eclipse-files, but the following weird error, can anyone help me ? Thanks
[get] Error getting http://downloads.sourceforge.net/project/ant-eclipse/ant-eclipse/1.0/ant-eclipse-1.0.bin.tar.bz2 to /Users/jzhang/github/pig/build/ant-eclipse-1.0.bin.tar.bz2
BUILD FAILED
/Users/jzhang/github/pig/build.xml:311: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.apache.tools.ant.taskdefs.Get$GetThread.openConnection(Get.java:712)
at org.apache.tools.ant.taskdefs.Get$GetThread.openConnection(Get.java:737)
at org.apache.tools.ant.taskdefs.Get$GetThread.openConnection(Get.java:737)
at org.apache.tools.ant.taskdefs.Get$GetThread.get(Get.java:626)
at org.apache.tools.ant.taskdefs.Get$GetThread.run(Get.java:616)
And I follow the instructions of link here
And After that I can run this command successfully.
keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts"
Here's the screenshot of key explorer. But I can still see the error above.
Please refer this answer for your reference.
You need to install your network Root ssl certificate to your cacerts file.
But key is to find jre which is giving you this error!So make sure about 2 things
Install certificate to cacart file of jre which eclipse is using
Got to preferences => ANT=> runtime => Global Entries
you may see JDK of which tool.lib is getting used by ant.
certificate is root certificate
Please confirm you are using /JDKPATH/jre/lib/security/cacerts
"NOT THE /JDKPATH/lib/cacerts"
use keystore explorer instead of command line.
I have been struggling for almost one week to get my applications up running after moving my applications from Windows 2000 to Windows 2008 R2 Server.
The procedure:
Installed Java JDK 1.7.0_25
Set system environment variable JAVA_HOME to C:\Progra~1\Java\jdk1.7.0_25\
Imported the certificate into cacerts with keytool
Ensured that the certificate exists in keytool with -list.
I have tried to repeat step 3 with InstallCert to ensure that i havent messed anything up.
The above methods did not solve my problem, so i tried to do it programmatically:
System.setProperty("javax.net.ssl.trustStore",
"C:/Progra~1/Java/jdk1.7.0_25/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Still without any luck. I am stuck and not quite sure which direction to go from here.
Stack trace:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at util.SMS.send(SMS.java:93)
at domain.ActivationSMSSenderMain.sendActivationMessagesToCustomers(ActivationSMSSenderMain.java:80)
at domain.ActivationSMSSenderMain.<init>(ActivationSMSSenderMain.java:44)
at domain.ActivationSMSSenderMain.main(ActivationSMSSenderMain.java:341)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 20 more
UPDATE:
Both
System.out.println(System.getProperty("javax.net.ssl.trustStore"));
and
System.out.println(System.getProperty("javax.net.ssl.keyStore"));
returns null.
I ran into similar issues whose cause and solution turned out both to be rather simple:
Main Cause: Did not import the proper cert using keytool
NOTE: Only import root CA (or your own self-signed) certificates
NOTE: don't import an intermediate, non certificate chain root cert
Solution Example for imap.gmail.com
Determine the root CA cert:
openssl s_client -showcerts -connect imap.gmail.com:993
in this case we find the root CA is Equifax Secure Certificate Authority
Download root CA cert.
Verify downloaded cert has proper SHA-1 and/or MD5 fingerprints by comparing with info found here
Import cert for javax.net.ssl.trustStore:
keytool -import -alias gmail_imap -file Equifax_Secure_Certificate_Authority.pem
Run your java code
You've imported the certificate into the truststore of the JRE provided in the JDK, but you are running the java.exe of the JRE installed directly.
EDIT
For clarity, and to resolve the morass of misunderstanding in the commentary below, you need to import the certificate into the cacerts file of the JRE you are intending to use, and that will rarely if ever be the one shipping inside the JDK, because clients won't normally have a JDK. Anything in the commentary below that suggests otherwise should be ignored as not expressing my intention here.
A far better solution would be to create your own truststore, starting with a copy of the cacerts file, and specifically tell Java to use that one via the system property javax.net.ssl.trustStore.
You should make building this part of your build process, so as to keep up to date with changes I the cacerts file caused by JDK upgrades.
If you are using Eclipse just cross check in Eclipse Windows--> preferences---->java---> installed JREs is pointing the current JRE and the JRE where you have configured your certificate. If not remove the JRE and add the jre where your certificate is installed
Per your pastebin, you need to add the proxy.tkk.com certificate to the truststore.
On Windows you can try these steps:
Download a root CA certificate from the website.
Find a file jssecacerts in the directory /lib/security with JRE (you can use a comand System.out.println(System.getProperty("java.home"); to find the folder with the current JRE). Make a backup of the file.
Download a program portecle.
Open the jssecacerts file in portecle.
Enter the password: changeit.
Import the downloaded certificate with porticle (Tools > Import Trusted Certificate).
Click Save.
Replace the original file jssecacerts.
In my case the issue was resolved by installing Oracle's official JDK 10 as opposed to using the default OpenJDK that came with my Ubuntu. This is the guide I followed: https://www.linuxuprising.com/2018/04/install-oracle-java-10-in-ubuntu-or.html