tomcat-users mailing list archives

From Andy Ee <an...@singnet.com.sg>
Subject Tomcat unable to validate SSL certificate authority
Date Thu, 03 May 2012 17:20:58 GMT
Dear all,

I have been stuck with this problem for over a month now, and I have tried everything, but to no avail.

My Tomcat 6.0.32 is running on Solaris 10 and the JDK version is 1.6.0_21. I deployed a Java
program in Tomcat webapps/ which posts some results to a web server via an HTTPS URL. I
received the following error in the catalina.out log.

[12-05-04 00:57:20] INFO  [http-8080-1]  Sending to (https://abc.test.com/payment/test.jsp)
- timeout: 30000
[12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while send status to merchant
status url! sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

I downloaded and imported the required CA chain certificates into the java truststore cacerts
but it does not help. 

Next, I tried setting JAVA_OPTS to point Tomcat to the cacerts file as the truststore, and it doesn't
help either.

bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
root     25578  0.1 11.0 1145892 903712 pts/8    S 00:55:57  2:14 /usr/java/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/logging.properties
-Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit -Dsun.net.inetaddr.ttl=0 -Djavax.net.ssl.keyStore=/usr/java/jre/lib/security/cacerts
-Djavax.net.ssl.keyStorePassword=changeit -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed -classpath /usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar
-Dcatalina.base=/usr/local/apache-tomcat-6.0.32 -Dcatalina.home=/usr/local/apache-tomcat-6.0.32
-Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.32/temp org.apache.catalina.startup.Bootstrap
start

The CA certificates were imported into cacerts using the following keytool commands.

keytool -import -trustcacerts -keystore cacerts -file root.cer -alias BuiltinObjectToken-GoDaddyClass2CA
keytool -import -trustcacerts -keystore cacerts -file inter.cer -alias GoDaddySecureCertificationAuthority

I also tried to verify using TestSSL.java and InstallCert.java, and both could locate the
CA certificates in cacerts. Therefore I suspect that Tomcat is not using cacerts properly.

Any help is greatly appreciated!

Regards,
Andii

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
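The diagnostic below is an added example for readers of this thread; it is not code from Andy's message, from TestSSL.java or InstallCert.java, or from Tomcat. It reproduces the two halves of the failing check separately: first it captures the certificate chain the server at abc.test.com actually presents during the handshake (the host name comes from the post; the port 443 and the "RSA" authType are assumptions), then it loads the truststore named by javax.net.ssl.trustStore (or the JDK's own cacerts when the property is unset) and runs the PKIX trust manager over that chain, the same validator that produced the "unable to find valid certification path" error. The point of the split is to tell apart a truststore that lacks the needed anchor from a server that does not send its intermediate, and to check the truststore under whatever java binary the Tomcat process really runs, since the ps output shows /usr/java/bin/java while the keytool commands were run against a relative path named cacerts.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * ChainCheck (added example, not part of the original post).
 *
 * Usage, run with the same java binary the Tomcat process uses:
 *   /usr/java/bin/java -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts \
 *        -Djavax.net.ssl.trustStorePassword=changeit ChainCheck abc.test.com 443
 */
public class ChainCheck {

    /** Records the chain the server presents; it is used only to capture the
     *  handshake and must never be installed in a production SSLContext. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] serverChain;
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { serverChain = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Performs only the TLS handshake (no application data) and returns the chain sent. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            s.setSoTimeout(10000);
            s.startHandshake();
        } finally {
            s.close();
        }
        return tm.serverChain;
    }

    /** Loads the truststore the way JSSE would: the system property, else $JAVA_HOME/lib/security/cacerts. */
    static KeyStore loadTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, pw.toCharArray()); } finally { in.close(); }
        System.out.println("truststore: " + path + " (" + ks.size() + " entries)");
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;   // 443 is an assumed default

        X509Certificate[] chain = fetchChain(host, port);
        System.out.println("server sent " + chain.length + " certificate(s):");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal());
            System.out.println("  issuer =" + c.getIssuerX500Principal());
        }

        // Validate with the PKIX trust manager, i.e. the same code path that threw
        // sun.security.validator.ValidatorException in catalina.out.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(loadTrustStore());
        X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            pkix.checkServerTrusted(chain, "RSA");   // "RSA" authType is an assumption
            System.out.println("PKIX: chain validates against this truststore");
        } catch (CertificateException e) {
            System.out.println("PKIX: " + e.getMessage());
            // Whatever issued the last certificate the server sent is what the truststore
            // (or the server's chain) must supply; if that issuer is not the GoDaddy root,
            // the server is not sending its intermediate.
            X509Certificate last = chain[chain.length - 1];
            System.out.println("no trust anchor found for issuer: " + last.getIssuerX500Principal());
        }
    }
}
```

Two further checks go with this. Starting the same java binary with -Djavax.net.debug=ssl prints a "trustStore is:" line naming the file JSSE really opened, which settles whether the JAVA_OPTS shown in the ps output reach the application's SSLContext at all; and `keytool -list -keystore /usr/java/jre/lib/security/cacerts -storepass changeit` run against that exact path confirms the two GoDaddy aliases landed in the file Tomcat reads rather than in a cacerts copy under some other JDK. Note also that the ps output passes the same cacerts file as javax.net.ssl.keyStore; that is harmless for a client that does not present a certificate, but it is unnecessary, and the keyStore properties can be dropped.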