tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andy Ee <an...@singnet.com.sg>
Subject Re: Tomcat unable to validate SSL certificate authority
Date Fri, 04 May 2012 02:46:15 GMT
Hi,

Thanks for all the inputs. I found that another war file in webapps/ has set environment to
point to it's own keystore, thus it overwrites the JAVA_OPTS somehow. Now that I have imported
the certificates into that "keystore" as well, everything works!

Regards,
Andii

--- André Warnier <aw@ice-sa.com> wrote:

> Andy Ee wrote:
> > Dear all,
> > 
> > I am stuck with this problem for over a month now, and I have
> tried all ways but to no avail.
> > 
> > My Tomcat 6.0.32 is running in Solaris 10 and the JDK version is
> 1.6.0_21. I deployed a java program in Tomcat webapps/ which will
> post some results to a web server via a HTTPS url. 
> 
> So it is *this webapp* which is creating a HTTPS connection to some
> other webserver, and 
> sending it some data, right ?
> 
> 
> I received the following error in the catalina.out log.
> > 
> > [12-05-04 00:57:20] INFO  [http-8080-1]  Sending to
> (https://abc.test.com/payment/test.jsp) - timeout: 30000
> > [12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while
> send status to merchant status url!
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> 
> and this is a log message *from the webapp*, right ?
> 
> > 
> > I downloaded and imported the required CA chain certificates into
> the java truststore cacerts but it does not help. 
> > 
> > Next, I tried to set JAVA_OPTS to point Tomcat to the cacerts as
> the truststore and it doesn’t help either.
> > 
> > bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
> > root     25578  0.1 11.01145892903712 pts/8    S 00:55:57  2:14
> /usr/java/bin/java
> -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/logging.properties
> -Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC
> -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts
> -Djavax.net.ssl.trustStorePassword=changeit -Dsun.net.inetaddr.ttl=0
> -Djavax.net.ssl.keyStore=/usr/java/jre/lib/security/cacerts
> -Djavax.net.ssl.keyStorePassword=changeit
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed
> -classpath /usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar
> -Dcatalina.base=/usr/local/apache-tomcat-6.0.32
> -Dcatalina.home=/usr/local/apache-tomcat-6.0.32
> -Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.32/temp
> org.apache.catalina.startup.Bootstrap start
> > 
> > The CA certificates were imported into cacerts using the following
> keytool command.
> > 
> > keytool -import -trustcacerts -keystore cacerts -file root.cer
> -alias BuiltinObjectToken-GoDaddyClass2CA
> > keytool -import -trustcacerts -keystore cacerts -file inter.cer
> -alias GoDaddySecureCertificationAuthority
> > 
> > I also tried to verify by using TestSSL.java and InstallCert.java
> and both could locate the CA certificates in cacerts. 
> > Therefore I am suspecting that Tomcat is not using cacerts
> properly.
> 
> And this is probably where you are making the wrong analysis.
> 
> According to your own description above, the only thing in common
> between your webapp and 
> Tomcat, is that they are run by the same JVM.
> Tomcat per se has nothing to do with whatever your webapp makes as
> connections to anything 
> else.  Tomcat does not even know about this. No Tomcat code is
> involved in setting up that 
> connection or using it.
> It is matter for your webapp and the JVM alone.
> In other words, if your webapp was a stand-alone Java program
> instead of being a webapp, 
> you would get exactly the same error.
> 
> I have no idea what the problem really is, but it seems to me that
> by mentally leaving 
> Tomcat out of the equation, you may be able to figure it out by
> yourself quicker.
> 
> For example, extract out of that webapp the code which is setting up
> that HTTPS 
> connection, and make it into a standalone program.  Then run it with
> the same Java options 
> as you do with Tomcat above, and see what you get.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message