
javax.net.ssl.SSLException: untrusted server cert chain

    #262992

    David
    Member

    I have a J2EE app connection from JBoss to a third party system using SSL. The third party certificate recently expired, and they updated it. However, I am still getting the same message:

    javax.net.ssl.SSLException: untrusted server cert chain
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
    at java.io.OutputStream.write(OutputStream.java:56)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)

    Because I am not intimately familiar with this inherited application, I am slowly trying to find out what I can do. As this worked for years, I am confident it is not in the code. What I am not sure about, or even how to proceed, is how to re-establish the trust between the two users.

    I looked for a java version on the server and it is “/usr/bin/java” so there isn’t a JRE/lib/security/ directory. Don’t I need to have a copy of the new certificate and then somehow use the keystore tool to sign it? If that is the case, I would really appreciate any pointers on how to do that. I am trying to find an old certificate now, because I believe there must be one somewhere.

    #263022

    Riyad Kalla
    Member

    I’m going to prefix my reply with “I know nothing about secure comm” but I was wondering if there is a keystore of sorts that needs to get updated with the new cert sort of how code signing certs or SSH certs work where the cert gets added locally to some registry… is that possible?

    #263032

    David
    Member

    I believe that there is, but

    A) it seems to be called all sorts of things
    B) Not entirely sure where it is (I found something called “cacerts” in my jre/lib/security)
    C) Really don’t understand how/if to do it. I am very reluctant to start messing around with production code.

    Maybe someone knows how this works and could dumb it down for me?

    #263040

    Riyad Kalla
    Member

    I’ll poke around the office and ask, in the meantime any users that know we would love to hear from you.

    #263071

    David
    Member

    I did some Googling and as far as I can tell, I need to update my local version of the certificate? I think something like this:

    keytool -import -trustcacerts -file server.crt -storepass changeit -keystore "…/jre/lib/security/cacerts"

    However, I do not know what the server.crt file is. I do have a cacerts file under my jre directory, so do I need to delete that, or will it be updated with this command? Do I need the actual certificate from the remote server I am trying to connect to?

    Thanks for any help you can throw my way.

    #263093

    Riyad Kalla
    Member

    I asked around and no one that I asked in the office was familiar with this process, I’m sorry about that I know it’s frustrating to get stuck on a technical hurdle.

    #263210

    David
    Member

    OK, so the issue is resolved. I’ll give the answer here just so you know, but if this works for anyone else on the planet, I’ll be surprised.

    The old certificate had a key stored under the /jdk1.3/jre/lib/security/cacerts. The new certificate was CA signed and apparently not compatible. So, I took a cacerts from under a 1.4 JDK and copied it under the 1.3 folder used in production. I restarted the app and *presto*.

    I can only attribute this to different JDK handling of SSL with CA and non-CA (which I assume the original was).

    Bizarre…
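The check the thread never got to run, added here as an example and not part of any post above: a small Java program that loads the remote server's certificate chain from a PEM file (the "server.crt" asked about earlier; `openssl s_client -showcerts` against the third-party host produces one) and validates it against a chosen cacerts file with the same PKIX trust manager JSSE uses in the handshake, which makes the old-JDK vs new-JDK cacerts difference observable without touching production. Assumptions: a modern JDK, the default cacerts password `changeit`, and the chain file's leaf certificate listed first.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Checks a server's certificate chain (PEM file) against a Java truststore the
// way JSSE does during the handshake, so the reason for "untrusted server cert
// chain" is visible before any cacerts file is changed.
// Usage: java TrustCheck chain.pem [cacerts-path] [storepass]
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        // Default to the running JRE's own cacerts and the stock password (assumption).
        String storePath = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        // Parse every certificate in the PEM file: leaf first, then any intermediates.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> parsed;
        try (InputStream in = new FileInputStream(args[0])) {
            parsed = cf.generateCertificates(in);
        }
        X509Certificate[] chain = parsed.toArray(new X509Certificate[0]);
        for (X509Certificate c : chain) {
            System.out.println("subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer: " + c.getIssuerX500Principal()
                    + "  expires: " + c.getNotAfter());
        }
        // Load the truststore and build the PKIX trust manager JSSE would use.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            // Validity dates, signatures and a path to a trusted anchor are all checked here.
            tm.checkServerTrusted(chain, "RSA");
            System.out.println("TRUSTED by " + storePath);
        } catch (CertificateException e) {
            System.out.println("UNTRUSTED by " + storePath + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it once against the 1.3 cacerts and once against the 1.4 cacerts: if only the second reports TRUSTED, the missing piece is the issuing CA in the old truststore, and importing just that CA certificate is a smaller change than replacing the whole file.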

    #263214

    Riyad Kalla
    Member

    but if this works for anyone else on the planet, I’ll be surprised.

    Hah, thank you for following up, this one was a doozy.
