"sun.security.validator.ValidatorException: PKIX path building failed: Exception: unable to find valid certification path to requested target" - httpurlconnection

I am trying to get the response code for this site "https://www.ssfcu.org/en-us/Pages/default.aspx".
The code snippet is:
try {
    HttpURLConnection connection = pingUrl(location);
    responseCode = connection.getResponseCode();
} catch (Exception e) {
}

public HttpURLConnection pingUrl(String url) throws Exception {
    int count = 0;
    HttpURLConnection conn = null;
    conn = (HttpURLConnection) new URL(url).openConnection();
    conn.setRequestMethod("GET");
    conn.setConnectTimeout(2000);
    conn.setInstanceFollowRedirects(false);
    conn.setReadTimeout(10000);
    conn.connect();
    Thread.sleep(1000);
    return conn;
}
But I am getting an exception:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
How can I resolve this?

An old COMODO root certificate expired on May 30.
https://www.reddit.com/r/linux/comments/gshh70/sectigo_root_ca_expiring_may_not_be_handled_well/
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
Don't know if this affects www.ssfcu.org, but you might try importing updated certs to your java keystore:
Fetch https://crt.sh/?d=1720081 and https://crt.sh/?d=1199354
Convert crt files to der files: openssl x509 -in 1720081.crt -outform der -out 1720081.der
keytool -import -file 1720081.der -keystore your-keystore -alias Comodo (or alias UserTrust for 1199354)
Your keystore is in your JRE_HOME directory in the file lib/security/cacerts. You'll need root privilege to edit the cacerts file.
Edit: I looked closer and Comodo isn't involved in www.ssfcu.org's certificate chain, but the instructions above are correct as long as you can identify the root or intermediate certificate that has expired. We coincidentally ran into an issue with linkedin.com today. Like www.ssfcu.org, they too use a certificate chain from DigiCert, so perhaps they had some certs expire recently, too.
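
To find expired entries in the trust store the answer above refers to, the store can be scanned directly. This is an added example, not code from the original post; the class name, the Java 9+ path lib/security/cacerts, the conventional default password "changeit" and the 30-day warning window are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

/** Lists trust-store entries that have expired or expire within 30 days. */
public class TrustStoreExpiryCheck {
    public static void main(String[] args) throws Exception {
        // Assumptions: Java 9+ layout (lib/security/cacerts) and the conventional
        // default password "changeit"; pass other values as arguments.
        File store = new File(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // KeyStore.getInstance(File, char[]) detects JKS vs PKCS12 by itself.
        KeyStore ks = KeyStore.getInstance(store, password);
        Instant now = Instant.now();
        Instant soon = now.plus(Duration.ofDays(30));
        int flagged = 0;

        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            Instant notAfter = x.getNotAfter().toInstant();
            String state = notAfter.isBefore(now) ? "EXPIRED"
                    : notAfter.isBefore(soon) ? "EXPIRING" : null;
            if (state == null) continue;
            flagged++;
            System.out.printf("%-8s %s%n  alias=%s%n  notAfter=%s%n", state,
                    x.getSubjectX500Principal().getName(), alias, notAfter);
        }
        System.out.printf("%d of %d entries flagged in %s%n", flagged, ks.size(), store);
    }
}
```

The scan covers only certificates stored locally; an expired intermediate sent by the server during the handshake will not appear in it.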

Related

Is there a way to check if a certificate is client cert or server cert?

I received a new keystore .jks file for ssl connection to replace an old, but working, .jks keystore file, but I got an "unexpected handshake message: serve_hello" error. I was told to make sure the keystore contains a client cert, so I used keytool to export its cert to a pem file, then used openssl to check the purpose. The result shows
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
...
However, when I applied the same process to check the old but working jks file I got the same result. I wonder if this is the right way to verify the certificate? And how do I troubleshoot this handshake error with the new jks file?
Thanks!
The extended key usage extension contains OIDs which define the purpose:
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
-- TLS WWW server authentication
-- Key usage bits that may be consistent: digitalSignature,
-- keyEncipherment or keyAgreement
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
-- TLS WWW client authentication
-- Key usage bits that may be consistent: digitalSignature
-- and/or keyAgreement
https://datatracker.ietf.org/doc/html/rfc5280 Page 44
See: https://oidref.com/1.3.6.1.5.5.7.3.1 and https://oidref.com/1.3.6.1.5.5.7.3.2
When opening a certificate on Windows you can see the extension here:
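
The same extension can also be read directly from a .jks file in Java. This is an added example, not part of the original answer; the class name and the command-line arguments are hypothetical, and the OID for anyExtendedKeyUsage (2.5.29.37.0) comes from RFC 5280 rather than from this page.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/** Reports, per keystore entry, whether it may act as a TLS client or server certificate. */
public class KeystoreEkuCheck {
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    static final String ANY_EKU = "2.5.29.37.0";           // anyExtendedKeyUsage

    /** RFC 5280: with no EKU extension the certificate is not restricted by purpose. */
    static boolean allows(List<String> eku, String purpose) {
        return eku == null || eku.contains(purpose) || eku.contains(ANY_EKU);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical invocation: java KeystoreEkuCheck new.jks <password>
        KeyStore ks = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            List<String> eku = x.getExtendedKeyUsage(); // null when the extension is absent
            boolean[] keyUsage = x.getKeyUsage();       // index 0 is digitalSignature
            System.out.printf("alias=%s%n  subject=%s%n", alias,
                    x.getSubjectX500Principal().getName());
            // Only a key entry (private key plus chain) can be presented in a handshake.
            System.out.printf("  hasPrivateKey=%b%n", ks.isKeyEntry(alias));
            System.out.printf("  eku=%s%n", eku == null ? "(absent)" : eku);
            System.out.printf("  clientAuth=%b serverAuth=%b%n",
                    allows(eku, CLIENT_AUTH), allows(eku, SERVER_AUTH));
            System.out.printf("  digitalSignature=%s%n",
                    keyUsage == null ? "(no keyUsage extension)" : keyUsage[0]);
        }
    }
}
```

Running it against both the old and the new .jks file shows side by side whether each holds a private-key entry and which purposes its certificate allows.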

How do I connect to MongoDB with SSL in Scala?

I'm trying to set up an ssl connection to a mongodb instance I have running in a container on my machine and keep running into,
nioEventLoopGroup-2-4, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I created a self signed .pem for mongo with,
openssl req -x509 -newkey rsa:4096 -keyout mongo.key -out mongo.crt -days 365 -nodes
cat mongo.key mongo.crt > mongo.pem
Moved those into a folder, mounted it as a bind volume in my container and added
--sslMode requireSSL --sslPEMKeyFile /etc/boundfolder/mongo.pem
to the mongo startup. I can connect to this with the mongo client.
I am setting up my mongo client in scala like so,
val hostConf = ClusterSettings.builder().hosts(List(new ServerAddress(hostName)).asJava).build()
val clientSettings = MongoClientSettings.builder()
  .streamFactoryFactory(NettyStreamFactoryFactory())
  .clusterSettings(hostConf)
val withTLS = clientSettings.sslSettings(
  SslSettings.builder()
    .enabled(true)
    .invalidHostNameAllowed(true)
    .build())
MongoClient(withTLS.build())
Lastly, I created a keystore with,
keytool -importcert -trustcacerts -file mongo.crt -keystore mongo.keystore
and am starting the application with the following parameters,
-Djavax.net.ssl.keyStore=/path/to/mongo.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.debug=SSL
I'm pretty sure the issue is either what, or how, I'm adding the self signed cert to the keystore. Thanks for any help you can give.

Java SSL keystore load

I use Eclipse to make ssl socket server-client communication.
I am trying to use self signed certificate.
I make keystorage with Eclipse keytool.
Then I try to load this keystorage:
String ksName = "herong.jks";
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(ksName), ksPass);
But I get following message:
herong.jks (No such file or directory)
The name of the keystore is correct. Maybe I should do something else? For now I have only created the keystore and certificate in keytool.

EJBCA adminweb Authorization denied

I am currently testing with EJBCA while having a problem in accessing the administration page.
The EJBCA-4.0.13 is running on CentOS 6.2, with apache-ant-1.8.4, jboss-5.1.0-GA, mysql and mysql-connector-java. Installation is OK, no error occurred in the jboss server log, and I can access the EJBCA public web page with the url: https://:8443/ejbca. However, I cannot access the administration page (https://:8443/ejbca/adminweb), and get this information:
Authorization Denied
Cause: Your certificate is revoked or cannot be located in the database.
Any idea will be appreciated!
This is done in the LocalCertificateStoreSessionBean.authenticate method. This could mean that you have not properly generated the SuperAdmin certificate, or it is revoked, timed out, or is issued by another CA than EJBCA's AdminCA.
Check your superadmin.p12 with:
openssl pkcs12 -nokeys -in ./superadmin.p12 -out superadmin.pem
openssl x509 -in ./superadmin.pem -text

Does RESTeasy client support TLS/SSL?

I'm using several RESTful webservice in JAVA based web-application. I'm using the RESTeasy client to access my webservice. Here all communication between the client and service is through XML(JAX-B xml annotated detail classes). Here are the following codes
String serviceURL = "https://service.company.com/Service/getService";
ServiceRequestDetail serviceRequestDetail = getServiceRequestAsDetailClass();
ClientRequest clientRequest = new ClientRequest(serviceURL);
clientRequest.accept(MediaType.APPLICATION_XML);
clientRequest.body(MediaType.APPLICATION_XML, serviceRequestDetail);
ClientResponse<ServiceRequestDetail> response =
        clientRequest.post(ServiceRequestDetail.class);
if (response.getStatus() != 200) {
    throw new RuntimeException("Failed : HTTP error code : " +
            response.getStatus());
}
// unmarshal the XML response body
ServiceResponseDetail serviceResponseDetail =
        response.getEntity(ServiceResponseDetail.class);
and when I try to access my service I get the "Peer not Authenticated" error
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
...
Is there any way to add the SSL configuration details in the RESTeasy client? any other suggestions for solving this issue is also welcome
Thanks in advance
I found out the answer but I'm really sorry for the late response.
To answer my question, RESTeasy client does support TLS/SSL. In fact the problem was that I had missed installing the certificate into the JVM.
keytool -import -alias <Replace certificate Alias name> -keystore $JAVA_HOME\jre\lib\security\cacerts -file <Replace your Certificate file location>
This solved the issue of "Peer Not Authenticated". Hope it helps. Kudos
If you don't want to add the certificate to the JVM and want to keep this cert separate, you can load the cert as part of your code like below.
// imports needed by the snippet
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// load the certificate
InputStream fis = this.getClass().getResourceAsStream("file/path/to/your/certificate.crt");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(fis);
// build an in-memory keystore that includes the self-signed cert as a "trusted" entry
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, null);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
keyStore.setCertificateEntry("cert-alias", cert);
tmf.init(keyStore);
// the resulting context trusts only the certificate loaded above
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
then attach to rest easy builder like
resteasyClientBuilder.sslContext(ctx);