tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat unable to validate SSL certificate authority
Date Thu, 03 May 2012 17:38:38 GMT
Andy Ee wrote:
> Dear all,
> 
> I am stuck with this problem for over a month now, and I have tried all ways but to no avail.
> 
> My Tomcat 6.0.32 is running in Solaris 10 and the JDK version is 1.6.0_21. I deployed a java program in Tomcat webapps/ which will post some results to a web server via a HTTPS url.

So it is *this webapp* which is creating a HTTPS connection to some other webserver, and sending it some data, right ?


> I received the following error in the catalina.out log.
> 
> [12-05-04 00:57:20] INFO  [http-8080-1]  Sending to (https://abc.test.com/payment/test.jsp) - timeout: 30000
> [12-05-04 00:57:22] ERROR [http-8080-1] Encounter exception while send status to merchant status url! sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

and this is a log message *from the webapp*, right ?

> 
> I downloaded and imported the required CA chain certificates into the java truststore cacerts but it does not help.
> 
> Next, I tried to set JAVA_OPTS to point Tomcat to the cacerts as the truststore and it doesn't help either.
> 
> bash-3.00# /usr/ucb/ps -auxwww | grep tomcat
> root     25578  0.1 11.01145892903712 pts/8    S 00:55:57  2:14 /usr/java/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-6.0.32/conf/logging.properties -Xms512m -Xmx1024m -XX:MaxPermSize=512m -XX:+DisableExplicitGC -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dsun.net.inetaddr.ttl=0 -Djavax.net.ssl.keyStore=/usr/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/apache-tomcat-6.0.32/endorsed -classpath /usr/local/apache-tomcat-6.0.32/bin/bootstrap.jar -Dcatalina.base=/usr/local/apache-tomcat-6.0.32 -Dcatalina.home=/usr/local/apache-tomcat-6.0.32 -Djava.io.tmpdir=/usr/local/apache-tomcat-6.0.32/temp org.apache.catalina.startup.Bootstrap start
> 
> The CA certificates were imported into cacerts using the following keytool command.
> 
> keytool -import -trustcacerts -keystore cacerts -file root.cer -alias BuiltinObjectToken-GoDaddyClass2CA
> keytool -import -trustcacerts -keystore cacerts -file inter.cer -alias GoDaddySecureCertificationAuthority
> 
> I also tried to verify by using TestSSL.java and InstallCert.java and both could locate the CA certificates in cacerts.
> Therefore I am suspecting that Tomcat is not using cacerts properly.

And this is probably where you are making the wrong analysis.

According to your own description above, the only thing in common between your webapp and Tomcat, is that they are run by the same JVM.
Tomcat per se has nothing to do with whatever your webapp makes as connections to anything else.  Tomcat does not even know about this. No Tomcat code is involved in setting up that connection or using it.
It is matter for your webapp and the JVM alone.
In other words, if your webapp was a stand-alone Java program instead of being a webapp, you would get exactly the same error.

I have no idea what the problem really is, but it seems to me that by mentally leaving Tomcat out of the equation, you may be able to figure it out by yourself quicker.

For example, extract out of that webapp the code which is setting up that HTTPS connection, and make it into a standalone program.  Then run it with the same Java options as you do with Tomcat above, and see what you get.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
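The standalone reproduction suggested in the reply above, as an added example that is not part of the original thread and not code from the Tomcat project: it opens the same kind of HttpsURLConnection the webapp does, but first reports which trust store file the JVM actually resolves (the `javax.net.ssl.trustStore` property if set, otherwise `jssecacerts`, otherwise `cacerts` under `java.home/lib/security`, which is the order JSSE's default trust manager uses) and lists the trusted CA entries whose subject matches a filter, so a `cacerts` edited in one location while the JVM reads another shows up immediately. The class name `TrustStoreCheck`, the default target URL taken from the quoted log, and the `go daddy` subject filter are assumptions for illustration; the "Go Daddy" subject text is the common spelling in that CA's certificates, and the filter ignores spaces and case so the page's `GoDaddy` aliases match too.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/**
 * Hypothetical standalone check (Java 6 compatible, no Tomcat involved).
 * Run it with the same options the Tomcat command line uses, e.g.
 *   java -Djavax.net.ssl.trustStore=/usr/java/jre/lib/security/cacerts \
 *        -Djavax.net.ssl.trustStorePassword=changeit \
 *        TrustStoreCheck https://abc.test.com/payment/test.jsp
 */
public class TrustStoreCheck {

    // Resolve the trust store the way JSSE's default TrustManagerFactory does:
    // property first, then jssecacerts, then cacerts under java.home/lib/security.
    static File effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop);
        }
        File sec = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(sec, "jssecacerts");
        return jsse.exists() ? jsse : new File(sec, "cacerts");
    }

    // Load the trust store and print every X.509 entry whose subject contains the
    // filter (compared without spaces and case-insensitively), plus the total count.
    static void listTrustedCAs(File store, String password, String subjectFilter) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(store);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        String needle = subjectFilter.replace(" ", "").toLowerCase();
        System.out.println("trust store " + store + " holds " + ks.size() + " entries");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                String subject = ((X509Certificate) c).getSubjectX500Principal().getName();
                if (subject.replace(" ", "").toLowerCase().contains(needle)) {
                    System.out.println("  " + alias + " -> " + subject);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Default target is the URL from the quoted log; override on the command line.
        String target = args.length > 0 ? args[0] : "https://abc.test.com/payment/test.jsp";
        String storePass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");

        System.out.println("java.home = " + System.getProperty("java.home"));
        File store = effectiveTrustStore();
        System.out.println("effective trust store = " + store + " (exists: " + store.exists() + ")");
        listTrustedCAs(store, storePass, "go daddy");

        // Same call path the webapp uses: plain HttpsURLConnection with the JVM defaults.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setConnectTimeout(30000);
        conn.setReadTimeout(30000);
        try {
            conn.connect();
            System.out.println("HTTP " + conn.getResponseCode());
            // On success, show the chain the server sent so it can be matched against the store.
            for (Certificate c : conn.getServerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  server chain: " + x.getSubjectX500Principal().getName()
                        + " issued by " + x.getIssuerX500Principal().getName());
            }
        } catch (SSLHandshakeException e) {
            // This is the same PKIX failure the catalina.out log shows, now reproduced without Tomcat.
            System.out.println("handshake failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

If the handshake fails here too, the problem is confirmed to sit between the JVM and the remote server, not in Tomcat. The two things the output makes visible are whether the file the JVM resolves is the one the `keytool -import` commands were run against, and whether the imported intermediate and root are actually present under that path. A PKIX path-building failure can also mean the server only sends its leaf certificate and the trust store lacks the intermediate, so the issuer printed on success (or shown by an external TLS client) should be compared with the aliases listed.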

