I try to connect with Java 8 via HTTPS to a JNLP file on a an intranet server which has a self-signed TLS certificate.
When Java Web Start tries to load the first resource (a file from that server) specified in the JNLP try, it throws an exception:
javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
...
Caused by: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 39 more
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
... 46 more
Any idea?
Indeed we did not specify the OCSP responder. But is this really a problem? Interestingly this works on the machine of my workmates (they only get a warning). Some days ago I temporarily installed Java 9 to test something. Is it possible that this mixed something up? I uninstalled it again, btw.
My current workaround is to set “Perform TLS certificate revocation checks on” in the Java Control Panel (Tab “Advanced”) to “Do not check (not recommended)”. But I do not like that.
I got past this today, was just an issue with my certificates - recreated my Keystore, but my truststore was missing the new root/intermediate cert that was specified in the website's certificate. I went back and added the certs to the truststore and restarted the site, and it worked.
keytool -import -trustcacerts -alias root -file NewRoot.cer -keystore cacerts
keytool -import -trustcacerts -alias "Intermed Name Here" -file NewInt.cer -keystore cacerts
-- I was going down a dead-end chasing the OCSP responder when Java was really checking CRL and OCSP, in that order. Fixing the Truststore / CAs was really all that was needed.
Brent
Related
I have a java application developed in play framework. I know that we can use keystore to serve data through https for the play application.
I obtained a certificate of Let’s Encrypt using certbot for my domain. Then i made a pkcs12 file using openssl command and a keystore using keytool.
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile cert.pem -caname root -passout pass:somepassword
keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype pkcs12 -destkeystore keyStore.jks -deststoretype jks -storepass somepassword
I then pointed my play app to the keystore as follows on the application.conf file
play.server.https.keyStore.path = “/etc/letsencrypt/live/test.onlinemanpower.com/keyStore.jks”
play.server.https.keyStore.type = “JKS”
play.server.https.keyStore.password = “somepassword”
When i run the application it runs without a hitch. But when I open the application where it needs to validate through https I get following error:
[^[[31merror^[[0m] p.c.s.NettyServer - cannot load SSL context
java.lang.reflect.InvocationTargetException: null
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96)
at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32)
at play.core.server.NettyServer.liftedTree1$1(NettyServer.scala:91)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider$lzycompute(NettyServer.scala:90)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider(NettyServer.scala:89)
at play.core.server.NettyServer$$anonfun$channelSink$1.apply(NettyServer.scala:158)
Caused by: java.lang.Exception: Unable to find HTTPS keystore at “/etc/letsencrypt/live/test.onlinemanpower.com/keyStore.jks”
at play.core.server.ssl.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:56)
at play.core.server.ssl.DefaultSSLEngineProvider.(DefaultSSLEngineProvider.scala:24)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96)
at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32)
at play.core.server.NettyServer.liftedTree1$1(NettyServer.scala:91)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider$lzycompute(NettyServer.scala:90)
The keystore file exists on the said location. I have tried giving the permission 777 just to check and it still does not work.
Any idea what I am missing on this?
I'm trying to set up an ssl connection to a mongodb instance I have running in a container on my machine and keep running into,
nioEventLoopGroup-2-4, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I created a self signed .pem for mongo with,
openssl req -x509 -newkey rsa:4096 -keyout mongo.key -out mongo.crt -days 365 -nodes
cat mongo.key mongo.cert > mongo.pem
Moved those into a folder, mounted it as a bind volume in my container and added
--sslMode requireSSL --sslPEMKeyFile /etc/boundfolder/mongo.pem
to the mongo startup. I can connect to this with the mongo client.
I am setting up my mongo client in scala like so,
val hostConf = ClusterSettings.builder().hosts(List(new ServerAddress(hostName)).asJava).build()
val clientSettings = MongoClientSettings.builder()
.streamFactoryFactory(NettyStreamFactoryFactory())
.clusterSettings(hostConf)
val withTLS = clientSettings.sslSettings(
SslSettings.builder()
.enabled(true)
.invalidHostNameAllowed(true)
.build())
MongoClient(withTLS.build())
Lastly, I created a keystore with,
keytool -importcert -trustcacerts -file mongo.crt -keystore mongo.keystore
and am starting the application with the following parameters,
-Djavax.net.ssl.keyStore=/path/to/mongo.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.debug=SSL
I'm pretty sure the issue is either what, or how, I'm adding the self signed cert to the keystore. Thanks for any help you can give.
I have an applet jar that I've signed using a key I created and stored using:
keytool.exe -genkey -keyalg rsa -alias myKey
Then I generated a certificate using:
keytool.exe -export -alias myKey -file myCertificate.crt
Finally I signed my applet jar using:
jarsigner.exe myJar.jar myKey
I assume the signing went well because I got only the following message:
Warning:
The signer certificate will expire within six months.
But when I tried to run the applet in Chrome using a simple html, my java console shows the following messages:
...
security: Trust in: *myJar.jar* expired: Wed Dec 31 19:00:00 COT 1969
...
basic: your security settings have blocked a self-signed application from running
ExitException[ 0]com.sun.deploy.security.BlockedException: your security settings have blocked a self-signed application from running
at com.sun.javaws.security.JNLPSignedResourcesHelper.performSecurityCheckForSandbox(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Why is the certificate supposed to be expired? Or what could be the problem? Any ideas?
Note: I also added my site to Java's site list in Security tab of Java Control Panel
I am currently testing with EJBCA while having a problem in accessing the administration page.
The EJBCA-4.0.13 is running on CentOS 6.2, with apache-ant-1.8.4, jboss-5.1.0-GA, mysql and mysql-connector-java. Installation is OK and no error occured in the jboss server log and I can access the EJBCA public web page with the url: https://:8443/ejbca. While I cannot access the administration page(https://:8443/ejbca/adminweb) with this information:
Authorization Denied
Cause: Your certificate is revoked or cannot be located in the database.
Any idea will be appreciated!
This is done in LocalCertificateStoreSessionBean.authenticate method. This could mean that you have not properly generated SuperAdmin certificate, or it is revoked, timed out or is issued by another CA that EJBACA's AdminCA.
Check your superadmin.p12 with:
openssl pkcs12 -nokeys -in ./superadmin.p12 -out superadmin.pem
openssl x509 -in ./superadmin.pem -text
I am new to SSL certification generation, I have generated the SSL certification of type BKS. but during the Jboss starting i am getting the exception: -saying "java.security.KeyStoreException: BKS not found". The below are the steps i am doing to create the keystore file.
keytool -genkey -alias abcd -keystore C:/abcd.keystore -storepass abcd -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath c:/bcpkix-jdk15on-147.jar
I am using JBoss 4.2.3 GA.
Please help me out to resolve this issue.
Thank You,
Pruthvi
Error "BKS not found" would mean that its looking for an alias named BKS. Can you pass on the actual error and also the details of the ssl connector definition (server.xml) ?
Make sure you follow these steps
http://docs.jboss.org/jbossweb/3.0.x/ssl-howto.html
You can try to add the provider into the java.security file as described in Different types of keystore in Java -- BKS
security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider
N means the provider index in the provider list.