tomcat-users mailing list archives

From <jeffery.scott.cr...@gmail.com>
Subject Valid certificate chain failing with "unable to find valid certification path to requested "
Date Thu, 03 Apr 2014 18:25:33 GMT
I’m using tomcat 7.0.50 on CentOS 6.5 on a headless blade server; 8 processor cores, 18 GB RAM.


My java client is opening an HttpsURLConnection:


    import java.io.OutputStreamWriter;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;

    // Passing null trust managers to init() means the JVM's default truststore (cacerts) is used
    SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(null, null, null);
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    URL url = new URL(urlText);
    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
    // DO_NOT_VERIFY is a HostnameVerifier defined elsewhere in the client that accepts any host name;
    // note that it only bypasses the host-name check, not certificate chain validation
    urlConnection.setHostnameVerifier(DO_NOT_VERIFY);
    urlConnection.setDoOutput(true);
    // getOutputStream() is what triggers the TLS handshake, so this is where the exception below is thrown
    try (OutputStreamWriter output = new OutputStreamWriter(urlConnection.getOutputStream(), "UTF-8")) {
        output.write(msg.writeNodes(false)); // msg is the client's own message object
        output.write("\n");
        output.flush();
    }


On getting the urlConnection.getOutputStream() the following exception is thrown:


    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target


If I set the SSLContext to accept all hosts it works.


I can see the servlet’s “Hello World” message from a web browser. Chrome says that it
has a valid certificate.


I verified that the certificates were valid using SSLShopper:
 
    www.xxxxxxxxx.net resolves to xxx.xxx.xxx.xxx
 
    Server Type: Apache/2.2.15 (CentOS)  
    The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).  
    The certificate was issued by GoDaddy.  
    The certificate will expire in 364 days.
  
    The hostname (www.xxxxxxxxxx.net) is correctly listed in the certificate. Common name: www.xxxxxxxxx.net
    SANs: www.xxxxxxxxxx.net, xxxxxxxxxx.net
    Valid from April 3, 2014 to April 3, 2015
    Serial Number: 0431cbc326fefc
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: Go Daddy Secure Certificate Authority - G2 
  
    Common name: Go Daddy Secure Certificate Authority - G2
    Organization: GoDaddy.com, Inc.
    Location: Scottsdale, Arizona, US
    Valid from May 3, 2011 to May 3, 2031
    Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: Go Daddy Root Certificate Authority - G2 
  
    Common name: Go Daddy Root Certificate Authority - G2
    Organization: GoDaddy.com, Inc.
    Location: Scottsdale, Arizona, US
    Valid from August 31, 2009 to December 31, 2037
    Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: Go Daddy Root Certificate Authority - G2


I have a similar setup. The keystores are in the same folder, and the server.xml files are the same except
for the hostnames and the keystore password. The server with the problem is not using the
default keystore password of "changeit".



Any help would be greatly appreciated.


Jeff Crump
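An added diagnostic example (not part of the original message or of Tomcat) for the situation above: "unable to find valid certification path to requested target" means the JVM could not link the chain the server actually sent to any anchor in the client's truststore, and the usual reasons are a server keystore that holds only the leaf certificate (so the intermediate is never sent) or a client truststore that lacks the CA. The code below keeps the JVM's default trust decisions but wraps the default X509TrustManager so that, when validation fails, it prints the chain the server presented; it then shows the fix that does not weaken validation: an SSLContext built from an explicit truststore. The URL, the truststore path `client-truststore.jks` and its password are placeholders, and the class name is my own.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ChainDiagnostics {

    /** Delegates every decision to the JVM's default X509TrustManager; on failure it reports
     *  the chain the server sent (what PKIX path building saw) and rethrows unchanged. */
    static final class ReportingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;

        ReportingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        static ReportingTrustManager wrappingDefault() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null -> JDK cacerts, or the javax.net.ssl.trustStore property
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) return new ReportingTrustManager((X509TrustManager) tm);
            }
            throw new IllegalStateException("no X509TrustManager available");
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                System.err.println("Server presented " + chain.length + " certificate(s):");
                for (int i = 0; i < chain.length; i++) {
                    System.err.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal());
                    System.err.println("       issuer=" + chain[i].getIssuerX500Principal());
                }
                System.err.println("A single entry means the server is not sending its intermediate CA.");
                throw e; // keep the default decision: never downgrade to trust-all
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Connects with default trust and default host-name verification, reporting the chain on failure. */
    static void diagnose(String urlText) throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { ReportingTrustManager.wrappingDefault() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlText).openConnection();
        conn.setSSLSocketFactory(sc.getSocketFactory()); // per-connection, not the process-wide default
        conn.connect(); // throws SSLHandshakeException (after the report) if the chain is untrusted
        System.out.println("Handshake OK, peer: " + conn.getPeerPrincipal());
        conn.disconnect();
    }

    /** The fix: trust the issuing CA through an explicit truststore (placeholder path and password),
     *  leaving chain validation and host-name verification switched on. */
    static SSLSocketFactory factoryTrusting(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);
        return sc.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        String urlText = args.length > 0 ? args[0] : "https://www.example.net/"; // placeholder URL
        diagnose(urlText);
    }
}
```

Run it as `java ChainDiagnostics https://www.example.net/` with your own URL. If the report lists only the leaf certificate, the server keystore needs the intermediate CA added to the same key entry so Tomcat sends the full chain; if the chain is complete but still rejected, import the CA into a client truststore with `keytool -importcert -alias ca -file ca.crt -keystore client-truststore.jks` and hand `factoryTrusting(...)` to `HttpsURLConnection.setSSLSocketFactory`. Either way the trust-all SSLContext and the accept-any host-name verifier stay out of the client: they make the handshake succeed by turning off exactly the checks that make TLS authenticate the server.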