Eamon Bauman

Reputation: 51

Spark app not sending intermediate / chain certificates

I've got an app written using the Spark Java framework, with TLS enabled.

See:

import spark.Service;
import static spark.Service.ignite;

// Spark 2.x: keystore holds the server key + certificate chain, truststore the trusted CAs
Service https = ignite()
  .port(8443)
  .secure(keystorePath, keystorePass, truststorePath, truststorePass);

This is being served on port 443 via an iptables rule that redirects incoming 443 to 8443.

The problem I am having is that when using the Qualys ssl labs test (https://www.ssllabs.com/ssltest/) the server is not providing the intermediate certificates that have been configured in my truststore.

Similar results occur when I use openssl s_client:

Verify return code: 21 (unable to verify the first certificate)

Along with

depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=21:unable to verify the first certificate
verify return:1

From what I can tell, it appears that the server (spark java app, or embedded Jetty I suppose) is not serving up the intermediate certificates for chain validation.

Browsers see the site as secure, but I believe that's because the browsers are downloading the necessary intermediate certificates on their own.

The reason that this is a problem is that I am trying to use Stripe payment webhooks, and they have strict regulations in terms of the TLS cert chain being valid.

I am not sure where to begin on figuring out why these intermediate certs are not being served by my app. Could anyone offer some advice?

Upvotes: 1

Views: 364
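The openssl s_client verify lines quoted in the question can be read mechanically. The following is an added example (not code from the question or from the Spark project) that parses those lines and tells a server that presents only its leaf certificate apart from one whose chain is complete but not rooted in the local trust store; both samples are constructed, the second with a placeholder issuer name.

```python
import re

# Constructed sample: the s_client verify lines from the question (all depth=0).
SAMPLE_INCOMPLETE = """\
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=21:unable to verify the first certificate
verify return:1
"""
# Constructed sample (placeholder issuer) of the output once the intermediate is
# sent too: the error moves to depth=1, so only the root is missing locally.
SAMPLE_COMPLETE_UNTRUSTED = """\
depth=1 /O=Example CA/CN=Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:1
"""
DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")

def parse_verify_output(text):
    """Map each depth s_client reported to its list of (errnum, message)."""
    errors, depth = {}, None
    for line in text.splitlines():
        d = DEPTH_RE.match(line)
        if d:
            depth = int(d.group(1))
            errors.setdefault(depth, [])
        elif depth is not None and (e := ERROR_RE.match(line)):
            errors[depth].append((int(e.group(1)), e.group(2)))
    return errors

def diagnose(text):
    """Tell an incomplete chain apart from a complete but locally untrusted one."""
    errors = parse_verify_output(text)
    if not errors:
        return "no verify lines found"
    codes = {num for errs in errors.values() for num, _ in errs}
    deepest = max(errors)
    if not codes:
        return "chain verified"
    if deepest == 0 and codes & {20, 21}:
        return "incomplete chain: the server presented only the leaf certificate"
    if deepest > 0 and codes & {19, 20}:
        return "chain complete up to depth=%d, but its issuer is not in the local trust store" % deepest
    return "verify errors: " + ", ".join(str(c) for c in sorted(codes))
```

Jetty sends whatever certificate chain is stored with the private-key entry in the keystore; the truststore only decides which client certificates are accepted, so intermediates placed there are never sent to clients.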

Answers (1)

Morkus

Reputation: 597

I have more or less the same exact problem. I followed the instructions at the Java Spark website (sparse that they are) and only get a Server Error for my efforts.

I imported a third-party certificate in my keystore file. I generated the CSR externally to the java keytool.

I moved the keystore file to the server where the "mydomain.com" exists.

I have the same basic code to do a test "secureHello" (per their documentation), passing the path to the keystore.jks file as the first parameter, and the password as the second.

RESULT: SERVER ERROR.

Not sure what I can try next. Clearly, I'm missing something.

4 hours banging my head on the desk so far (today)...

Upvotes: 1
