On Tuesday 28 March 2017 10:29 AM, Ed Warnicke wrote: > Anil, > > The issue is that we are using a LetsEncrypt cert for nexus.opendaylight.org, > and that's not a cert that is trusted by the OracleJDK. > We need a cert from one of the trusted CA listed below: > > keytool -list -v -keystore > /Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre//lib/security/cacerts > | grep Issuer: > Enter keystore password: > > ***************** WARNING WARNING WARNING ***************** > * The integrity of the information stored in your keystore * > * has NOT been verified! In order to verify its integrity, * > * you must provide your keystore password. * > ***************** WARNING WARNING WARNING ***************** > > Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert > Inc, C=US > Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, > L=Salford, ST=Greater Manchester, C=GB > Issuer: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server > CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape > Town, ST=Western Cape, C=ZA > Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH > Issuer: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH > Issuer: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US > Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US > Issuer: CN=UTN-USERFirst-Client Authentication and Email, OU= > http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, > C=US > Issuer: CN=AffirmTrust Networking, O=AffirmTrust, C=US > Issuer: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, > Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, > Inc.", C=US > Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The > USERTRUST Network, L=Salt Lake City, ST=UT, C=US > Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5 > Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4 > Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL > Issuer: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust > AB, C=SE > Issuer: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, > Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, > O="Entrust, Inc.", C=US > Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US > Issuer: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM > Issuer: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM > Issuer: CN=Swisscom Root CA 2, OU=Digital Certificate Services, O=Swisscom, > C=ch > Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, > O=DigiCert Inc, C=US > Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US > Issuer: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US > Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, > Inc.", C=US > Issuer: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For > authorized use only", OU=Certification Services Division, O="thawte, Inc.", > C=US > Issuer: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For > authorized use only", O="thawte, Inc.", C=US > Issuer: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, > O=Deutsche Telekom AG, C=DE > Issuer: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO > Issuer: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The > USERTRUST Network, L=Salt Lake City, ST=UT, C=US > Issuer: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US > Issuer: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO > Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, > O=Baltimore, C=IE > Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, > Inc.", C=US > Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE > Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield > Technologies, Inc.", C=US > Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, > L=Milan, C=IT > Issuer: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC > Camerfirma SA CIF A82743287, C=EU > Issuer: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, > O=T-Systems Enterprise Services GmbH, C=DE > Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, > OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust > Network, O="VeriSign, Inc.", C=US > Issuer: CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, > O=T-Systems Enterprise Services GmbH, C=DE > Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4, > OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust > Network, O="VeriSign, Inc.", C=US > Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, > OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust > Network, O="VeriSign, Inc.", C=US > Issuer: CN=XRamp Global Certification Authority, O=XRamp Security Services > Inc, OU=www.xrampsecurity.com, C=US > Issuer: CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 > Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, > O="Entrust, Inc.", C=US > Issuer: CN=Class 3P Primary CA, O=Certplus, C=FR > Issuer: CN=Certum Trusted Network CA, OU=Certum Certification Authority, > O=Unizeto Technologies S.A., C=PL > Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For > authorized use only", OU=Class 3 Public Primary Certification Authority - > G2, O="VeriSign, Inc.", C=US > Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3 > Issuer: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST > Network, L=Salt Lake City, ST=UT, C=US > Issuer: OU=Security Communication RootCA2, O="SECOM Trust Systems > CO.,LTD.", C=JP > Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", > O=GTE Corporation, C=US > Issuer: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP > Issuer: CN=AffirmTrust Commercial, O=AffirmTrust, C=US > Issuer: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 > VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, > O="VeriSign, Inc.", C=US > Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 > Issuer: CN=Class 2 Primary CA, O=Certplus, C=FR > Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, > C=US > Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE > Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For > authorized use only", OU=Certification Services Division, O="thawte, Inc.", > C=US > Issuer: CN=Starfield Root Certificate Authority - G2, O="Starfield > Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US > Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US > Issuer: CN=Sonera Class2 CA, O=Sonera, C=FI > Issuer: CN=Swisscom Root EV CA 2, OU=Digital Certificate Services, > O=Swisscom, C=ch > Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, > L=Durbanville, ST=Western Cape, C=ZA > Issuer: CN=Sonera Class1 CA, O=Sonera, C=FI > Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification > Authority, O=QuoVadis Limited, C=BM > Issuer: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US > Issuer: CN=Starfield Services Root Certificate Authority - G2, O="Starfield > Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US > Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, > ST=Greater Manchester, C=GB > Issuer: CN=America Online Root Certification Authority 2, O=America Online > Inc., C=US > Issuer: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust > AB, C=SE > Issuer: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR > Issuer: CN=America Online Root Certification Authority 1, O=America Online > Inc., C=US > Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3, > OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust > Network, O="VeriSign, Inc.", C=US > Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, > O=AddTrust AB, C=SE > Issuer: CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU > Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For > authorized use only", OU=Class 2 Public Primary Certification Authority - > G2, O="VeriSign, Inc.", C=US > Issuer: CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 > GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US > Issuer: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 > GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US > Issuer: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH > Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 > Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits > liab.), O=Entrust.net > Issuer: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., > Ltd.", C=TW > Issuer: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., > SERIALNUMBER=A82743287, L=Madrid (see current address at > www.camerfirma.com/address), C=EU > Issuer: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., > SERIALNUMBER=A82743287, L=Madrid (see current address at > www.camerfirma.com/address), C=EU > Issuer: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, > L=Jersey City, ST=New Jersey, C=US > Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, > Inc.", C=US > Issuer: CN=AffirmTrust Premium, O=AffirmTrust, C=US > Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, > L=Jersey City, ST=New Jersey, C=US > Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3, > OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust > Network, O="VeriSign, Inc.", C=US > Issuer: OU=Security Communication EV RootCA1, O="SECOM Trust Systems > CO.,LTD.", C=JP > Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For > authorized use only", OU=Class 1 Public Primary Certification Authority - > G2, O="VeriSign, Inc.", C=US > Issuer: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, > L=Salford, ST=Greater Manchester, C=GB > Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", > L=Scottsdale, ST=Arizona, C=US > > > On Mon, Mar 27, 2017 at 5:12 PM, Ed Warnicke <hagb...@gmail.com> wrote: > >> Oh, and for reference: >> >> mvn -v >> Java HotSpot(TM) 64-Bit Server VM warning: ignoring option >> MaxPermSize=256m; support was removed in 8.0 >> Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; >> 2015-11-10T09:41:47-07:00) >> Maven home: /Users/hagbard/build/apache-maven-3.3.9 >> Java version: 1.8.0_77, vendor: Oracle Corporation >> Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_ >> 77.jdk/Contents/Home/jre >> Default locale: en_US, platform encoding: UTF-8 >> OS name: "mac os x", version: "10.12.3", arch: "x86_64", family: "mac" >> >> Ed >> >> On Mon, Mar 27, 2017 at 5:11 PM, Ed Warnicke <hagb...@gmail.com> wrote: >> >>> Anil, >>> >>> Has anyone checked to see if the cert we are using is repected by the >>> Oracle JDK? >>> >>> Because I can trivially reproduce this issue with the Oracle JDK that >>> comes as stock on the Mac (where many of our developers work). >>> The SSL rating you mentioned is basically meaningless for this problem... >>> all that matters is: >>> >>> a) Is the cert respected by OpenJDK >>> and >>> b) Is the cert respected by Oracle JDK >>> >>> What I see from my experiment is that the answer to #b is *no*, and so we >>> must get a cert from a cert authority that *is*. >>> >>> Ed >>> >>> On Mon, Mar 27, 2017 at 4:59 PM, Anil Belur <abe...@linuxfoundation.org> >>> wrote: >>> >>>> >>>> On Thursday 16 March 2017 03:01 AM, Andrew Grimberg wrote: >>>> >>>> On 03/13/2017 04:56 PM, Andrew Grimberg wrote: >>>> >>>> On 03/13/2017 03:15 PM, Andrew Grimberg wrote: >>>> >>>> Greetings folks, >>>> >>>> Google release Chrome 57 last week and if you happen to have updated you >>>> may find you can't access portions of OpenDaylight. LF is aware of this >>>> and will have a fix in place in by EOD today. >>>> >>>> -Andy- >>>> >>>> Greetings, >>>> >>>> The initial phase of this work is now done. All certificates except for >>>> Nexus have been switched over to Let's Encrypt certificates. We will be >>>> moving Nexus over tomorrow but as it's late in the day and we understand >>>> that Java can be touchy about the certs we don't want to make the change >>>> late in the business day even though we're certain it will work. >>>> >>>> Greetings folks, >>>> >>>> I know I said that the cert change for nexus would happen yesterday. >>>> However, given the issues that Jenkins was having with SNI it didn't >>>> happen. I have just now completed switching Nexus over to a Let's >>>> Encrypt (LE) certificate as well. >>>> >>>> I do not anticipate any issues given that the LE's CA is cross-signed by >>>> a CA that is in the Oracle JDK trust store but just in case folks using >>>> that JDK suddenly can't do local builds anymore, please let us know! >>>> >>>> -Andy- >>>> >>>>
Hello Ed, With a more recent version of JDK shows IdenTrust is available which is intermediate CA being used is available in [1.]. # keytool -list -v -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/security/cacerts | grep 'Issuer:' | grep 'CN=IdenTrust' ... Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US Issuer: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co. We would recommend updating the more latest version of JDK, and let us know if this resolves the issue. [1.] https://bugs.openjdk.java.net/browse/JDK-8161008 Thanks, Anil
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Discuss mailing list Discuss@lists.opendaylight.org https://lists.opendaylight.org/mailman/listinfo/discuss