tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject Re: Valid certificate chain failing with "unable to find valid certification path to requested "
Date Fri, 04 Apr 2014 08:14:13 GMT
On 4.4.2014 5:23, Toby Lazar wrote:
>> I've run my client program with the -Djavax.net.debug=all option. First it
>> listed out all of the trusted authorities. Mine is GoDaddy and this is the
>> record:
>>
>
> That one is not the issuer of your certificate.  GoDaddy has many issuing
> certificates.  The GoDaddy certificate the client trusts expires in 2034
> whereas your issuer certificates expire in 2031/2037.  Also, the DNs are
> different.  Better to identify the trusted certificate by serial number and
> subject key identifier.

+1.

It seems to be known issue with GoDaddy G2 certificate:

http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java

"[GoDaddy] have 2 CA servers, one called Class 2 CA and the other called 
G2 CA. Their Class 2 CA signs all SHA-1 certificates, while the G2 CA 
signs all their SHA-2 certificates. This is where the problem lies - 
GoDaddy has not added their newer G2 CA server to the default java 
truststore - causing default java installations to not trust it's 
authority, and hence, does not trust your chained certificate. The 
work-around until GoDaddy adds the G2 CA server to the default 
truststore is to simply rekey your cert using SHA-1 as-to get a cert 
signed by the Class 2 CA server. Rekeying is free for GoDaddy customers 
until your cert expires (obviously)."

FTR, GoDaddy or any other CA can't just "add" certificate to Java root 
certificates, but it must apply at Oracle for inclusion.


>> This is what I think is the relevant part:
>> [3]: ObjectId: 2.5.29.19 Criticality=true
>> BasicConstraints:[
>>    CA:false
>>    PathLen:2147483647
>> ]

It just says that server certificate you have cannot be used to sign 
other certificates, nothing else. That is irrelevant for you.


-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message