Anil,

Has anyone checked to see if the cert we are using is respected by the Oracle JDK? Because I can trivially reproduce this issue with the Oracle JDK that comes as stock on the Mac (where many of our developers work).

The SSL rating you mentioned is basically meaningless for this problem... all that matters is:

a) Is the cert respected by OpenJDK and
b) Is the cert respected by Oracle JDK

What I see from my experiment is that the answer to #b is *no*, and so we must get a cert from a cert authority that *is*.

Ed

On Mon, Mar 27, 2017 at 4:59 PM, Anil Belur <[email protected]> wrote:

>
>
> On Thursday 16 March 2017 03:01 AM, Andrew Grimberg wrote:
>
> On 03/13/2017 04:56 PM, Andrew Grimberg wrote:
>
> On 03/13/2017 03:15 PM, Andrew Grimberg wrote:
>
> Greetings folks,
>
> Google released Chrome 57 last week and if you happen to have updated you
> may find you can't access portions of OpenDaylight. LF is aware of this
> and will have a fix in place by EOD today.
>
> -Andy-
>
>
> Greetings,
>
> The initial phase of this work is now done. All certificates except for
> Nexus have been switched over to Let's Encrypt certificates. We will be
> moving Nexus over tomorrow but as it's late in the day and we understand
> that Java can be touchy about the certs we don't want to make the change
> late in the business day even though we're certain it will work.
>
> Greetings folks,
>
> I know I said that the cert change for nexus would happen yesterday.
> However, given the issues that Jenkins was having with SNI it didn't
> happen. I have just now completed switching Nexus over to a Let's
> Encrypt (LE) certificate as well.
>
> I do not anticipate any issues given that the LE's CA is cross-signed by
> a CA that is in the Oracle JDK trust store but just in case folks using
> that JDK suddenly can't do local builds anymore, please let us know!
>
> -Andy-
>
>
>
>
> _______________________________________________
> release mailing [email protected]
> https://lists.opendaylight.org/mailman/listinfo/release
>
>
> Hi all,
>
> Just letting everyone know, I had a chat with Andy on the issue seen by
> few people. The recent certificate changes to nexus repository as seen on
> SSL report in [1.] shows A+ grade and no issues, therefore would not
> require to import the cert chain manually. Going forward, for those who are
> still seeing the issue, we recommend sharing a dump of the CA's certs
> installed, using the following command:
>
> --[cut]--
> <JAVA_HOME>/bin/keytool -list -v -keystore <JAVA_HOME>/jre/lib/security/cacerts > cacerts.txt
> --[/cut]--
>
> [1.] https://www.ssllabs.com/ssltest/analyze.html?d=nexus.opendaylight.org&s=72.3.167.142
>
> Thanks,
> Anil
>
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.opendaylight.org/mailman/listinfo/discuss
>
>
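One way to read the `cacerts.txt` dump requested in the thread, as an added example that is not part of the original messages: it parses `keytool -list -v` output and reports whether a root CA with a given common name is present and unexpired in that JDK's trust store. The dumps, CA names and function names in the block are constructed for illustration.

```python
import re
from datetime import datetime

def parse_dump(text):
    """Return one dict per certificate entry in `keytool -list -v` output."""
    entries = []
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        owner = re.search(r"^Owner: (.+)$", chunk, re.M)
        # e.g. "until: Thu Sep 30 14:01:15 UTC 2021"; the zone token is ignored
        until = re.search(r"until: \w+ (\w+) +(\d+) [\d:]+ \S+ (\d{4})", chunk)
        if not (owner and until):
            continue  # not a certificate entry, or an unexpected layout
        expires = datetime.strptime(" ".join(until.groups()), "%b %d %Y")
        entries.append({"alias": chunk.splitlines()[0].strip(),
                        "owner": owner.group(1).strip(), "expires": expires})
    return entries

def root_status(text, root_cn, now):
    """Return 'trusted', 'expired' or 'missing' for the root with this CN."""
    for entry in parse_dump(text):
        cn = re.search(r"CN=([^,]+)", entry["owner"])
        if cn and cn.group(1).strip() == root_cn:
            return "trusted" if entry["expires"] > now else "expired"
    return "missing"

# Constructed entry template and dumps (not real trust stores or real CAs).
ENTRY = """Alias name: {alias}
Creation date: Aug 25, 2016
Entry type: trustedCertEntry

Owner: CN={cn}, O=Example Trust
Issuer: CN={cn}, O=Example Trust
Valid from: Sat Sep 30 21:12:19 UTC 2000 until: Thu Sep 30 14:01:15 UTC 2021

"""
DUMP_WITHOUT_ROOT = ENTRY.format(alias="otherroot", cn="Other Root CA")
DUMP_WITH_ROOT = DUMP_WITHOUT_ROOT + ENTRY.format(
    alias="crosssignroot", cn="Constructed Cross-Sign Root")

if __name__ == "__main__":
    when = datetime(2017, 3, 27)
    for name, dump in [("with", DUMP_WITH_ROOT), ("without", DUMP_WITHOUT_ROOT)]:
        print(name, root_status(dump, "Constructed Cross-Sign Root", when))
```

To use it on a real dump, pass the contents of `cacerts.txt` and the common name of the root that the server's chain ends in; a `missing` result on one JDK and `trusted` on another is the difference the thread is arguing about.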
