ssl - Java refusing certificate that browser accepts


Keywords:java 


Question: 

I'm having trouble configuring a valid certificate (not self-signed!) in Wildfly 9. I have configured the HTTPS connector in Wildfly:

            <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" />

Security realm:

        <security-realm name="UndertowRealm">
          <server-identities>
            <ssl>
              <keystore path="domain.p12" relative-to="jboss.server.config.dir" keystore-password="password"
                alias="appcert"  />
            </ssl>
          </server-identities>
        </security-realm>

And generated the keystore with this command:

openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.p12 -name appcert -CAfile cafile.crt -caname root

Now, when I open the application in the browser everything works fine. The browser recognizes the certificate as a valid certificate without prompting for an exception as it would in a self-signed certificate.

However, when I try to connect to the very same URL through SSLPoke.java, I get the following exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
    at SSLPoke.main(SSLPoke.java:26)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 15 more

If I import the certificate in the client this error goes away, but I think I should not have to do this, since this is a valid certificate.

The test code is the following:

import java.io.InputStream;
import java.io.OutputStream;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {

                if (args.length != 2) {
                        System.out.println("Usage: "+SSLPoke.class.getName()+"  ");
                        System.exit(1);
                }
                try {
                        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
                        SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

                        InputStream in = sslsocket.getInputStream();
                        OutputStream out = sslsocket.getOutputStream();

                        // Write a test byte to get a reaction :)
                        out.write(1);

                        while (in.available() > 0) {
                                System.out.print(in.read());
                        }
                        System.out.println("Successfully connected");

                } catch (Exception exception) {
                        exception.printStackTrace();
                }
        }
}

Why is this happening, and what is the correct way to setup the SSL certificate?


2 Answers: 

It's happening because none of the certificates in the chain is trusted by the Java truststore.

The most general solution would be to import the top certificate (the last in the chain, the topmost signer) into the JRE's lib/security/cacerts file.

 

The problem here is that Java by default comes with a very limited set of root CA certificates. It "accepts" far fewer CAs than a typical browser. The simplest way to solve the problem is to export a set of CA certificates from a browser like Chrome or Firefox and import them into Java's keystore using keytool.