Apache HTTP Client javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Okay, I got it working!
Although thawte is a well known CA it seems that Java SSL did have some problems with it.
After downloading the ssl Certificate via openssl
:
echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
and saving it into an pem file, I did the manual import into the java keystore:
keytool -import -alias myAlias -file theCert.pem -keystore lib/security/cacerts
I have no idea why java ssl was not able to validate the thawte certificate properly.
Listing the keystore showed me, that there are 7 thawte trusted certificates in the standard keystore but bizarrely it did not work until I manually imported the pem file
Comments
-
Alexander almost 4 years
We are developing an application using tomcat and jersey.
Within this webapplication we need to connect to ahttps Website
with avalid
, not expiredcertificate
. If I do connect to this website locally via my chrome browser, everything works fine! Unfortunately the tomcat server with our webapp throws an exception. We are using theApache HttpClient (4.0)
to connect to the https site:javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
The server certificate is absolutely valid and from
thawte
. Three different online tools validated the certificate successfully.
Openssl
has an issue, too and showing me three certificates but throwing a simple error:Verify return code: 20 (unable to get local issuer certificate)
The problem with openssl seems to be that it uses the wrong path
/usr/lib/ssl
instead of/etc/ssl/certs
. If I use the CApath argument pointing to the proper path, openssl works fine so may this be an issue with the httpClient?So our code for the default client is quite simple:
client = new DefaultHttpClient(); response = client.execute(url); //this throws the exception EntityUtils.consume(response.getEntity());
It's not an option to allow any certificates by implementing a custom TrustedManager! Futher I read, that some CA's are not part of the JDK/JRE and so it's certificates should be imported manually into the
keystore
or use a custom one, but thawte is a well known CA and shouldn't it work on default?EDIT
I did set the javax.debug properties in catalina.sh so that I have further information about the problem:
http-bio-8080-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
I would appreciate any help! Thanks in advance!
-
Alexander about 11 yearsAlmost correct. We developed a webapp for another company. This webapp needs to connect to a https website also provided by the company. Further the website is using a certificate by thawte - valid and not expired, but our apache HttpClient is throwing the exception named above. Locally, on my browser (chrome) I can access this website properly, but on the server though, there is this error. Is it necessary to install the certificate on the tomcat server? If yes, how do I do this? I tried exporting it from my keychain (mac) and installing it via keytool but without effort...
-
souser about 11 yearsHmm, it works via chrome but not via HttpClient. I have not used HttpClient before. Does it run in a java container ? If so, you will need to verify that Thwate is trusted by the java container. Use keytool command to list the certs in "cacerts" file of the java install.
-
Alexander about 11 yearsI've edited my anser, there is an issue with openssl pointing to the wrong directory. Could this be an issue, too?