Reputation: 866
I am working with a product called Hermes which is an ebXML messaging gateway. In this particular installation, Hermes needs to sign an outgoing message using a server certificate which we downloaded via IE in p12 format (.pfx) from the partner with whose platform we're integrating.
I have verified that the password is correct and I also specified the correct alias.
This certificate was also installed in Tomcat. I then ran a test on the certificate via a tool on SSLShopper.com. The issue reported by the tool was that the common name in the certificate does not match the domain name for the server. I am not sure if this may be the cause. Actually, there was no place to specify a common name when applying for the certificate. They asked for first name and last name, etc.
I should note that based on the SSLShopper test, my certificate chain is:
MyServer --> MyPartner
where MyPartner is not a CA (meaning it's not one of those listed in FF's certificates dialog).
I hope someone out there knows what may be tripping me up.
Hermes Configuration:
<component id="keystore-manager-for-signature" name="Key Store Manager for Digital Signature">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreManager</class>
    <parameter name="keystore-location" value="/opt/mycompany/certs/MyCert.pfx"/>
    <parameter name="keystore-password" value="12345678"/>
    <parameter name="key-alias" value="e38a429e10666c"/>
    <parameter name="key-password" value="12345678"/>
    <parameter name="keystore-type" value="PKCS12"/>
    <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
</component>
Hermes Error:
2012-01-16 08:02:47 [Thread-28 ] <ERROR> <cecid.ebms.spa> <Cannot send the message>
hk.hku.cecid.piazza.commons.net.ConnectionException: Unable to send HTTP SOAP request
by javax.net.ssl.SSLException: java.lang.RuntimeException: Unable to retrieve certificate chain
by java.lang.RuntimeException: Unable to retrieve certificate chain
by java.lang.NullPointerException
at hk.hku.cecid.piazza.commons.soap.SOAPHttpConnector.send(SOAPHttpConnector.java:112)
at hk.hku.cecid.ebms.spa.task.OutboxTask.sendMsgByHttp(OutboxTask.java:574)
at hk.hku.cecid.ebms.spa.task.OutboxTask.execute(OutboxTask.java:444)
at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unable to retrieve certificate chain
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1586)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1569)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1154)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at hk.hku.cecid.piazza.commons.soap.SOAPHttpConnector.send(SOAPHttpConnector.java:84)
... 4 more
Upvotes: 0
Views: 5370
Reputation: 866
This may not be a solution to the above issue, but our partner sent us a new p12 keystore which I then configured in Tomcat and Hermes, after which everything was working as expected.
Upvotes: 1
Reputation: 35580
SSL certs are a giant minefield of potential problems and misconfiguration: without seeing which certificates are being delivered by the server (remember there may be, or need to be, more than one), this is impossible to diagnose.
One very likely cause is that the server is not delivering a set of certificates that allow a full trust chain to be established. Alternatively, the root certificate that the trust path leads to may not be in Java's root certificate store.
Make sure you check out these config issues first, before looking in your code.
You cannot check trust chains easily with a browser, as they cache intermediate certificates, allowing you to miss the fact that the server should be delivering it, but isn't. IE may also silently look for missing intermediates at Windows Update.
Check first that a virgin Firefox can validate the full trust path: install a fresh Firefox Portable, or delete the intermediate certificate cache store in your Firefox profile file cert8.db (when Firefox isn't running).
If this fresh-out-of-the-box Firefox does accept the cert, check that the root cert is in the Java cert store.
Only after all this would I start picking apart the code.
If anyone wants to dig much deeper into SSL and its problems, there are some related talk slides [pdf] from a chapter meeting of OWASP Manchester, UK.
Upvotes: 1
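An added diagnostic for both the question's keystore configuration and the second answer's advice to check the delivered chain and the Java root store. This is example code written for this page, not part of Hermes or of any answer above. It assumes Java 7 or later (try-with-resources), the default JDK PKCS12 provider rather than BouncyCastle, the stock cacerts password "changeit", and that a server's chain has been saved to a PEM file (for instance the certificate blocks printed by `openssl s_client -showcerts`); the keystore path, alias and password used in the usage line are the ones from the question's configuration. It loads the chain from either source, walks it leaf-first checking validity dates, issuer/subject links and signatures, and reports whether the chain ends at a root the JDK trusts, which is the same question a key manager or trust manager answers silently at handshake time.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Added diagnostic, not Hermes code. Two modes:
//   java KeystoreChainCheck p12 /opt/mycompany/certs/MyCert.pfx e38a429e10666c 12345678
//   java KeystoreChainCheck pem server-chain.pem
// "p12" inspects the keystore the Hermes KeyStoreManager parameters point at;
// "pem" inspects a certificate bundle a server delivered (saved PEM blocks, leaf first).
public class KeystoreChainCheck {

    public static void main(String[] args) throws Exception {
        Certificate[] chain;
        if (args.length == 4 && args[0].equals("p12")) {
            chain = chainFromPkcs12(args[1], args[2], args[3].toCharArray());
        } else if (args.length == 2 && args[0].equals("pem")) {
            chain = chainFromPem(args[1]);
        } else {
            System.err.println("usage: p12 <file> <alias> <password> | pem <file>");
            return;
        }
        if (chain == null) return; // reason already printed
        System.out.print(describeChain(chain, loadJdkTrustAnchors()));
    }

    /** Loads the PKCS12 file and returns the configured alias's chain, or null (with a reason) if unusable. */
    static Certificate[] chainFromPkcs12(String location, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // default provider; BouncyCastle not needed for this check
        try (InputStream in = new FileInputStream(location)) {
            ks.load(in, password); // a wrong keystore password fails here, not later at handshake time
        }
        for (String a : Collections.list(ks.aliases())) {
            System.out.printf("alias %-24s keyEntry=%-5b certEntry=%b%n", a, ks.isKeyEntry(a), ks.isCertificateEntry(a));
        }
        if (!ks.isKeyEntry(alias)) {
            System.out.println("Configured alias is missing or has no private key (compare it with the list above).");
            return null;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            System.out.println("Alias has a private key but no certificate chain; a key manager cannot use it.");
            return null;
        }
        return chain;
    }

    /** Parses a concatenated PEM bundle (leaf first) into a chain. */
    static Certificate[] chainFromPem(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
        }
    }

    /** Subjects of every certificate in the JDK default trust store (cacerts under java.home). */
    static Set<X500Principal> loadJdkTrustAnchors() throws Exception {
        String cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) {
            ts.load(in, "changeit".toCharArray()); // assumed: stock cacerts password
        }
        Set<X500Principal> subjects = new HashSet<>();
        for (String a : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(a);
            if (c instanceof X509Certificate) subjects.add(((X509Certificate) c).getSubjectX500Principal());
        }
        return subjects;
    }

    /** Walks the chain leaf-first: validity, issuer/subject links, signatures, and whether the top issuer is a JDK anchor. */
    static String describeChain(Certificate[] chain, Set<X500Principal> anchors) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            sb.append(String.format("[%d] subject=%s%n    issuer=%s%n", i, cert.getSubjectX500Principal(), cert.getIssuerX500Principal()));
            try { cert.checkValidity(); } catch (Exception e) { sb.append("    NOT VALID NOW: ").append(e.getMessage()).append('\n'); }
            if (i + 1 < chain.length) {
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
                    sb.append("    BROKEN LINK: issuer does not match the next certificate's subject\n");
                try { cert.verify(issuer.getPublicKey()); } catch (Exception e) { sb.append("    SIGNATURE CHECK FAILED: ").append(e.getMessage()).append('\n'); }
            }
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        boolean anchored = anchors.contains(top.getIssuerX500Principal());
        sb.append(anchored ? "Chain ends at a JDK trust anchor.\n"
                           : "Chain does NOT reach a JDK trust anchor: the missing issuer must be delivered by the peer or imported into cacerts.\n");
        return sb.toString();
    }
}
```

Run the p12 mode with the values from the Hermes configuration to see whether the alias really holds a private key with a chain, and the pem mode on the certificates the partner's server sends to see whether they reach a root in cacerts without relying on a browser's cached intermediates. A self-signed root lists itself as its own issuer, so the final anchor check also passes when the root itself is present in the chain and in cacerts.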