tomcat-users mailing list archives

From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject Re: Valid certificate chain failing with "unable to find valid certification path to requested "
Date Thu, 03 Apr 2014 22:53:59 GMT
On 4.4.2014 0:27, Toby Lazar wrote:
> As others have noted here on other threads, you can use:
>
> http://portecle.sourceforge.net/
>
> to see exactly which certificates your server is providing clients (Examine
> SSL/TLS connection).  Viewing server certificates via browsers can be
> misleading since they don't distinguish within the chain between
> certificates provided by the server and those already trusted by the client
> (browser).

You also may double check your chain using other online tools like:

   https://www.ssllabs.com/ssltest/
   http://www.digicert.com/help/

I never used SSLShopper, so I don't know how reliable it is.


Another way to check the certificate chain directly in the server keystore is

   keytool -list -keystore server.jks -v


To check Chris' assumption about a missing ROOT certificate on the client, 
you may turn on TLS debugging on the client using the JVM option

   -Djavax.net.debug=all

At start it will print all root certificates trusted by the client. It 
may reveal that your system ROOT CA list on the client is outdated, 
messed up, or overridden with e.g. JVM option -Djavax.net.ssl.trustStore. 
It will also print TLS handshake details.


Jefferey:
> The hostname (www.xxxxxxxxxx.net) is correctly listed in the
> certificate. Common name: www.xxxxxxxxx.net
> SANs: www.xxxxxxxxxx.net, xxxxxxxxxx.net

Check if your Java code indeed uses one of those URLs listed in the 
certificate (www.xxxxxxxxxx.net, xxxxxxxxxx.net), and not some third one 
not listed in the certificate, or an IP address.

-Ognjen
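
The checks suggested in this message (which certificates the server actually sends, which roots the client JVM trusts, and whether the host in the URL is covered by the certificate) can be combined in one client-side diagnostic. This is an added example, not part of the original message; the class name ChainCheck is hypothetical, and it assumes it is run with the same JVM and the same -D options as the failing client, with the application's URL as the first argument.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

// Added diagnostic example; "ChainCheck" is a hypothetical name.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        // Default trust manager: uses -Djavax.net.ssl.trustStore when set, else the JRE default store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager defaultTm = (X509TrustManager) tmf.getTrustManagers()[0];
        System.out.println("trustStore override: " + System.getProperty("javax.net.ssl.trustStore", "(none)"));
        System.out.println("trusted roots: " + defaultTm.getAcceptedIssuers().length);
        if (args.length == 0) return; // no URL given: only report on the trust store

        URI uri = URI.create(args[0]); // the exact https:// URL the application code uses
        int port = uri.getPort() == -1 ? 443 : uri.getPort();
        // Prints what the server actually sent, then delegates to the default validation,
        // so this trusts nothing the JVM would not trust anyway.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                for (int i = 0; i < chain.length; i++) {
                    System.out.println("sent[" + i + "] subject=" + chain[i].getSubjectX500Principal());
                    System.out.println("        issuer=" + chain[i].getIssuerX500Principal());
                }
                System.out.println("leaf SANs: " + chain[0].getSubjectAlternativeNames());
                // Name comparison only: false points at a missing intermediate or a missing root.
                boolean known = Arrays.stream(defaultTm.getAcceptedIssuers()).anyMatch(r ->
                        r.getSubjectX500Principal().equals(chain[chain.length - 1].getIssuerX500Principal()));
                System.out.println("issuer of last sent certificate is a trusted root: " + known);
                defaultTm.checkServerTrusted(chain, authType);
            }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                defaultTm.checkClientTrusted(c, a);
            }
            public X509Certificate[] getAcceptedIssuers() { return defaultTm.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(uri.getHost(), port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check as HttpsURLConnection does
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("OK: chain validated and hostname matched");
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
        }
    }
}
```

The "sent[...]" lines are printed before validation runs, so they appear even when the handshake then fails with the path-building error from the subject line.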
