Unable to find valid certification path to requested target during CAS authentication


The issue was resolved by adding the certificate to the trustStore instead of the keyStore. I converted the PEM certificate to DER format and added it to the Java truststore ($JAVA_HOME/jre/lib/security/cacerts) using keytool. Then I changed the keyStore parameters to the corresponding trustStore parameters in CATALINA_OPTS. After restarting the Tomcat service, everything works.
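The procedure from the answer above as a script, added here as an illustration and not the poster's own commands. It assumes openssl and keytool are on PATH; the alias cas-server, the password changeit and every path are made up for the example. It differs from the answer in one deliberate way: the certificate goes into a dedicated truststore file that Tomcat is pointed at with -Djavax.net.ssl.trustStore, rather than into the JDK's cacerts, which a JDK upgrade replaces and silently drops the entry from. Only Tomcat's outbound TLS (the CAS proxyValidate call) is affected; Apache still terminates the inbound HTTPS.

```shell
#!/bin/sh
# Added example (not the original poster's commands): build a dedicated Java
# truststore holding a self-signed server certificate and emit the JVM flags
# that make Tomcat's outbound TLS connections (the CAS ticket validation call)
# trust it. Paths, alias and password are illustrative assumptions.
set -eu

# Convert a PEM certificate to DER and import it as a trusted entry.
# keytool also reads PEM directly; the DER step mirrors the accepted answer.
make_truststore() {
    pem="$1" store="$2" storepass="$3" alias="$4"
    der="${pem%.pem}.der"
    openssl x509 -in "$pem" -outform DER -out "$der"
    # -noprompt answers the interactive "Trust this certificate?" question.
    keytool -importcert -noprompt \
        -alias "$alias" -file "$der" \
        -keystore "$store" -storetype JKS -storepass "$storepass"
}

# Succeed only if the alias exists in the store as a trusted-certificate entry
# (a key entry here would mean the cert landed in a keystore, not a truststore).
truststore_has_alias() {
    store="$1" storepass="$2" alias="$3"
    keytool -list -keystore "$store" -storetype JKS -storepass "$storepass" \
        -alias "$alias" 2>/dev/null | grep -q trustedCertEntry
}

# trustStore = whom the JVM trusts as a TLS client; keyStore = the identity it
# presents. The poster's original flags set the latter, which never affects
# validation of the CAS server's certificate.
catalina_truststore_opts() {
    store="$1" storepass="$2"
    printf '%s' "-Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=$storepass"
}

# Stand-alone demo with a throwaway self-signed certificate (constructed here,
# not the poster's): run as `sh this-script.sh demo`.
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=wrong.domain.name/O=Our organization" \
        -keyout "$work/server-key.pem" -out "$work/server-cert.pem" 2>/dev/null
    make_truststore "$work/server-cert.pem" "$work/truststore.jks" changeit cas-server
    truststore_has_alias "$work/truststore.jks" changeit cas-server
    echo "export CATALINA_OPTS=\"$(catalina_truststore_opts "$work/truststore.jks" changeit)\""
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

The printed export line is what replaces the keyStore-based CATALINA_OPTS from the question; after restarting Tomcat, `keytool -list` on the truststore file (as truststore_has_alias does) is the quick check that the entry is a trustedCertEntry and not a key entry.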



Dmitriy Sukharev

Updated on September 18, 2022

Comments

  • Dmitriy Sukharev
    Dmitriy Sukharev over 1 year

    I'm trying to configure CAS authentication. It requires both CAS and the client application to use the HTTPS protocol. Unfortunately we have to use a self-signed certificate (with a CN that has nothing in common with our server). Also, the server is behind a firewall and we have only two ports (ssh and https) visible. Since there are several applications that should be visible externally, we use Apache for AJP reverse proxying of requests to these applications. Secure connections are managed by Apache, and none of the Tomcats are configured to work with SSL. But I got an exception during authentication, so I decided to set a keystore in CATALINA_OPTS:

    export CATALINA_OPTS="-Djavax.net.ssl.keyStore=/path/to/tomcat/ssl/cert.pfx -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyAlias=alias -Djavax.net.debug=ssl"
    

    cert.pfx was obtained from certificate and key that are used by Apache HTTP Server:

    $ openssl pkcs12 -export -out /path/to/tomcat/ssl/cert.pfx -inkey /path/to/apache2/ssl/server-key.pem -in /path/to/apache2/ssl/server-cert.pem
    

    When I try to authenticate a user I get the following exception:

    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174) ~[na:1.6.0_32]
            at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) ~[na:1.6.0_32]
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318) ~[na:1.6.0_32]
    

    Meanwhile I can see in catalina.out that Tomcat sees the certificate in cert.pfx and it's the same as the one that is used during authentication:

    09:11:38.886 [http-bio-8080-exec-2] DEBUG o.j.c.c.v.Cas20ProxyTicketValidator - Constructing validation url: https://external-ip/cas/proxyValidate?pgtUrl=https%3A%2F%2Fexternal-ip%2Fclient%2Fj_spring_cas_security_proxyreceptor&ticket=ST-17-PN26WtdsZqNmpUBS59RC-cas&service=https%3A%2F%2Fexternal-ip%2Fclient%2Fj_spring_cas_security_check
    09:11:38.886 [http-bio-8080-exec-2] DEBUG o.j.c.c.v.Cas20ProxyTicketValidator - Retrieving response from server.
    keyStore is : /path/to/tomcat/ssl/cert.pfx
    keyStore type is : PKCS12
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    ***
    found key for : 1
    chain [0] = [
    [
      Version: V1
      Subject: CN=wrong.domain.name, O=Our organization, L=Location, ST=State, C=Country
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    
      Key:  Sun RSA public key, 1024 bits
      modulus: 13??a lot of digits here??19
      public exponent: ????7
      Validity: [From: Tue Apr 24 16:32:18 CEST 2012,
                   To: Wed Apr 24 16:32:18 CEST 2013]
      Issuer: CN=wrong.domain.name, O=Our organization, L=Location, ST=State, C=Country
      SerialNumber: [    d??????? ????????]
    
    ]
      Algorithm: [SHA1withRSA]
      Signature:
    0000: 65 
    
    
                Signature is here
    0070:                                                96                 .
    
    ]
    ***
    trustStore is: /jdk-home-folder/jre/lib/security/cacerts
    Here are a lot of trusted CAs. There is nothing related to our certificate or our (not trusted) CA.
    
    ...
    
    09:11:39.731 [http-bio-8080-exec-4] DEBUG o.j.c.c.v.Cas20ProxyTicketValidator - Retrieving response from server.
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1347433643 bytes = { 63, 239, 180, 32, 103, 140, 83, 7, 109, 149, 177, 80, 223, 79, 243, 244, 60, 191, 124, 139, 108, 5, 122, 238, 146, 1, 54, 218 }
    Session ID:  {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    ***
    http-bio-8080-exec-4, WRITE: TLSv1 Handshake, length = 75
    http-bio-8080-exec-4, WRITE: SSLv2 client hello message, length = 101
    http-bio-8080-exec-4, READ: TLSv1 Handshake, length = 81
    *** ServerHello, TLSv1
    RandomCookie:  GMT: 1347433643 bytes = { 145, 237, 232, 63, 240, 104, 234, 201, 148, 235, 12, 222, 60, 75, 174, 0, 103, 38, 196, 181, 27, 226, 243, 61, 34, 7, 107, 72 }
    Session ID:  {79, 202, 117, 79, 130, 216, 168, 38, 68, 29, 182, 82, 16, 25, 251, 66, 93, 108, 49, 133, 92, 108, 198, 23, 120, 120, 135, 151, 15, 13, 199, 87}
    Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    ***
    %% Created:  [Session-2, SSL_RSA_WITH_RC4_128_SHA]
    ** SSL_RSA_WITH_RC4_128_SHA
    http-bio-8080-exec-4, READ: TLSv1 Handshake, length = 609
    *** Certificate chain
    chain [0] = [
    [
      Version: V1
      Subject: CN=wrong.domain.name, O=Our organization, L=Location, ST=State, C=Country
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    
      Key:  Sun RSA public key, 1024 bits
      modulus: 13??a lot of digits here??19
      public exponent: ????7
      Validity: [From: Tue Apr 24 16:32:18 CEST 2012,
                   To: Wed Apr 24 16:32:18 CEST 2013]
      Issuer: CN=wrong.domain.name, O=Our organization, L=Location, ST=State, C=Country
      SerialNumber: [    d??????? ????????]
    
    ]
      Algorithm: [SHA1withRSA]
      Signature:
    0000: 65
    
    
                Signature is here
    0070:                                                96                 .
    
    ]
    ***
    http-bio-8080-exec-4, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
    http-bio-8080-exec-4, WRITE: TLSv1 Alert, length = 2
    http-bio-8080-exec-4, called closeSocket()
    http-bio-8080-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    

    I tried to convert our PEM certificate to DER format and imported it into the trusted keystore (cacerts) (without the private key), but it didn't change anything. But I'm not confident that I did it right.

    Also I must inform you that I don't know the passphrase for our server-key.pem file, and it probably differs from the password for the keystore created by me.

    OS: CentOS 6.2
    Architecture: x64
    Tomcat version: 7
    Apache HTTP Server version: 2.4

    Is there any way to make Tomcat accept our certificate?