Package: jxplorer
Version: 3.2.1+dfsg-3
Severity: important

It appears that it's impossible to use a private CA with jxplorer. I
installed the CA certificate as
/usr/local/share/ca-certificates/MetricsCA.crt. I ran
update-ca-certificates, which added it to the java keystore
/etc/ssl/certs/java/cacerts.

It is definitely present in the keystore:

    # keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep metrics
    metricsca_pem, Sep 16, 2010, trustedCertEntry,


And yet, when I try and connect to our LDAP server:

    Error opening connection:
    java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

and, on the console:

    Sep 24, 2010 11:43:35 AM com.ca.directory.jxplorer.broker.JNDIBroker openConnection
    WARNING: initial receipt of exception by jndi broker java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    javax.naming.CommunicationException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; remaining name ''
            at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1992)
            at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
            at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
            at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
            at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
            at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
            at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:265)
            at com.ca.commons.jndi.JNDIOps.exists(JNDIOps.java:633)
            at com.ca.directory.jxplorer.broker.JNDIBroker.openConnection(JNDIBroker.java:409)
            at com.ca.directory.jxplorer.broker.JNDIBroker.processRequest(JNDIBroker.java:360)
            at com.ca.directory.jxplorer.broker.Broker.processQueue(Broker.java:158)
            at com.ca.directory.jxplorer.broker.JNDIBroker.processQueue(JNDIBroker.java:829)
            at com.ca.directory.jxplorer.broker.Broker.run(Broker.java:124)
            at java.lang.Thread.run(Thread.java:636)
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1639)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:215)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:209)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1033)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:546)
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:482)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1140)
            at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:764)
            at sun.security.ssl.AppInputStream.read(AppInputStream.java:94)
            at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
            at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
            at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
            at com.sun.jndi.ldap.Connection.run(Connection.java:820)
            ... 1 more
    Caused by: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at com.ca.commons.security.JXTrustManager.checkServerTrusted(JXTrustManager.java:141)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1025)
            ... 12 more

I've tried adding it to my user keystore as well. Doesn't help.

openssl's s_client confirms that the server works, and that the CA does
indeed verify the server.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages jxplorer depends on:
ii  default-jre [java6-runti 1:1.6-40        Standard Java or Java compatible R
ii  java-wrappers            0.1.16          wrappers for java executables
ii  javahelp2                2.0.05.ds1-4    Java based help system
ii  junit                    3.8.2-4         Automated testing framework for Ja
ii  openjdk-6-jre [java6-run 6b18-1.8.1-1+b1 OpenJDK Java runtime, using Hotspo

jxplorer recommends no packages.

jxplorer suggests no packages.

-- no debconf information


