need some help with java puke and SSL
Someone put a new cert on a loadbalancer
so Java pukes
2012-04-06 11:59:41,652 [http--8081-12] WARN - Content Retrieval Failure: /content/branded/in/us/en/home.footer.html
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)


Google tells me it's because a cert signed by an unknown has been encountered, so I get the pem file and do the following

keytool -import -trustcacerts -file /local/jdk1.6.0_14/jre/lib/security/java.puke.com.pem -alias CA_ALIAS -keystore ./cacerts
grep the cacerts file and find the signing authority. Restart java and the container. Still get the same error. Anyone have any ideas?
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 55 years. meep
Intermediate CA Cert and all Chained Certs...
Until you get to the Generated Cert for the SSL webserver.

IOW something like:

CA-Cert --> Intermediate CA-Cert --> Chained CA-Cert --> Your Cert

Whoever it's generated by (like GeoTrust or GoDaddy) will have a Cert Chain or Intermediate for you to put on the load balancer. Usually the Load Balancer needs to have the reference Intermediate Cert available to encrypt properly.

I used Squid as an SSL Accelerator and it requires the Actual Cert, the Cert Key and the Intermediate CA-Cert to encrypt the data properly.
no, I found the problem
more than one cert file on the box. Same command pointed at the second cert file fixed it
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 55 years. meep
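
Added example, not part of any post in this thread: since the fix was importing into the other cacerts file, this script lists every JSSE truststore under a directory and reports whether a given alias is in each one. It assumes the default store password changeit (override with STOREPASS); the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Assumptions: truststores use the default password "changeit"
# unless STOREPASS is set; function names are hypothetical.

# Print every candidate truststore under ROOT ($1), sorted. JSSE uses
# jssecacerts in preference to cacerts when both are in lib/security.
find_truststores() {
    find "$1" -type f \( -name cacerts -o -name jssecacerts \) 2>/dev/null | sort
}

# Return 0 if alias $2 is in keystore $1, 2 if keytool is not on PATH,
# any other non-zero status if the alias is absent or the store is unreadable.
has_alias() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$1" -storepass "${STOREPASS:-changeit}" \
        -alias "$2" >/dev/null 2>&1
}

# One line per truststore under ROOT ($1): "<present|missing|unknown> <path>".
report_alias() {
    root=$1
    alias_name=$2
    find_truststores "$root" | while IFS= read -r store; do
        rc=0
        has_alias "$store" "$alias_name" || rc=$?
        case $rc in
            0) echo "present $store" ;;
            2) echo "unknown $store" ;;
            *) echo "missing $store" ;;
        esac
    done
}

# Usage: sh thisfile ROOT ALIAS   (for the thread's case: /local CA_ALIAS)
if [ "$#" -ge 2 ]; then
    report_alias "$1" "$2"
fi
```

A truststore reported as missing that belongs to the JVM actually running the container is the one the import has to go into.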