Hi Greg,
Sorry for bothering again on the same issue.
Since I modified the self-signed certificate, I can't make gsearch
work anymore.
The exception thrown is always:
Fedora Object xxxxxxxxxx not found at DemoAtDtu; nested exception is:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
I have configured tomcat to load the keystore containing the self-signed
certificate and to load a custom truststore in which I trusted that
certificate. I have also run tomcat with SSL debug options, and here is
the result:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-8443-1, setSoTimeout(60000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1328210885 bytes = { 67, 138, 70, 121, 118, 92, 54,
158, 143, 142, 85, 65, 104, 198, 105, 187, 13, 101, 245, 198, 200, 96,
231, 127, 90, 242, 78, 197 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
http-8080-4, WRITE: TLSv1 Handshake, length = 75
http-8080-4, WRITE: SSLv2 client hello message, length = 101
http-8443-1, READ: SSL v2, contentType = Handshake, translated length = 75
*** ClientHello, TLSv1
RandomCookie: GMT: 1328210885 bytes = { 67, 138, 70, 121, 118, 92, 54,
158, 143, 142, 85, 65, 104, 198, 105, 187, 13, 101, 245, 198, 200, 96,
231, 127, 90, 242, 78, 197 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
%% Created: [Session-16, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie: GMT: 1328210885 bytes = { 47, 120, 37, 197, 62, 247, 95,
232, 197, 6, 103, 66, 150, 175, 138, 223, 116, 114, 9, 89, 159, 191,
149, 137, 73, 59, 122, 65 }
Session ID: {79, 43, 228, 197, 44, 49, 31, 110, 59, 165, 112, 152, 100,
250, 225, 128, 224, 239, 110, 235, 136, 192, 171, 142, 185, 238, 215,
99, 144, 238, 33, 131}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus:
17661593669421858218411695598553797822920372273555124371461037567902617101375504162491484973176890789579620089972944454891564865544786573612037968012019305163894378123784419527375220478530403364569016018453996686344369362921581597920769643751454368493077782536030400938009459107928045222069203207445307480604767696747643641235711336095880000296052166470303956724650011167885232993976903037401782809172246342969503969643912804519781046798499462554025521745428121941174946483101336873991433783598519754951275915999306443219649393264403734713231147801316173857847931988613935558702770768716915959357700644451196891575503
public exponent: 65537
Validity: [From: Fri Jan 27 17:37:34 CET 2012,
To: Sat Jan 26 17:37:34 CET 2013]
Issuer: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
SerialNumber: [ 4f22d2ce]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 932
http-8080-4, READ: TLSv1 Handshake, length = 932
*** ServerHello, TLSv1
RandomCookie: GMT: 1328210885 bytes = { 47, 120, 37, 197, 62, 247, 95,
232, 197, 6, 103, 66, 150, 175, 138, 223, 116, 114, 9, 89, 159, 191,
149, 137, 73, 59, 122, 65 }
Session ID: {79, 43, 228, 197, 44, 49, 31, 110, 59, 165, 112, 152, 100,
250, 225, 128, 224, 239, 110, 235, 136, 192, 171, 142, 185, 238, 215,
99, 144, 238, 33, 131}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Created: [Session-17, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus:
17661593669421858218411695598553797822920372273555124371461037567902617101375504162491484973176890789579620089972944454891564865544786573612037968012019305163894378123784419527375220478530403364569016018453996686344369362921581597920769643751454368493077782536030400938009459107928045222069203207445307480604767696747643641235711336095880000296052166470303956724650011167885232993976903037401782809172246342969503969643912804519781046798499462554025521745428121941174946483101336873991433783598519754951275915999306443219649393264403734713231147801316173857847931988613935558702770768716915959357700644451196891575503
public exponent: 65537
Validity: [From: Fri Jan 27 17:37:34 CET 2012,
To: Sat Jan 26 17:37:34 CET 2013]
Issuer: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
SerialNumber: [ 4f22d2ce]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
http-8080-4, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-8080-4, WRITE: TLSv1 Alert, length = 2
http-8080-4, called closeSocket()
http-8443-1, READ: TLSv1 Alert, length = 2
http-8443-1, RECV TLSv1 ALERT: fatal, certificate_unknown
http-8080-4, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException:
Received fatal alert: certificate_unknown
http-8443-1, called close()
http-8443-1, called closeInternal(true)
dk.defxws.fedoragsearch.server.errors.FedoraObjectNotFoundException:
Fedora Object eims-document:418565 not found at DemoAtDtu; nested
exception is:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
at
dk.defxws.fedoragsearch.server.GenericOperationsImpl.getFoxmlFromPid(GenericOperationsImpl.java:340)
at dk.defxws.fgssolr.OperationsImpl.fromPid(OperationsImpl.java:389)
at
dk.defxws.fgssolr.OperationsImpl.updateIndex(OperationsImpl.java:241)
at
dk.defxws.fedoragsearch.server.GenericOperationsImpl.updateIndex(GenericOperationsImpl.java:308)
at
dk.defxws.fedoragsearch.server.RESTImpl.updateIndex(RESTImpl.java:261)
at dk.defxws.fedoragsearch.server.RESTImpl.doGet(RESTImpl.java:114)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
at
org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
at
org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
at
fedora.server.management.FedoraAPIMBindingSOAPHTTPStub.export(FedoraAPIMBindingSOAPHTTPStub.java:639)
at
dk.defxws.fedoragsearch.server.GenericOperationsImpl.getFoxmlFromPid(GenericOperationsImpl.java:338)
... 20 more
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
at
org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at
org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
at
org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
at
org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
... 31 more
Caused by: sun.security.validator.ValidatorException: PKIX path
validation failed: java.security.cert.CertPathValidatorException:
signature check failed
at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:184)
at sun.security.validator.Validator.validate(Validator.java:218)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 42 more
Caused by: java.security.cert.CertPathValidatorException: signature
check failed
at
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at
sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
at
sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at
java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
... 49 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:421)
at
sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
at
sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
at
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
... 53 more
Finalizer, called close()
Finalizer, called closeInternal(true)
I'm sorry, but I feel really stuck on this...
Enrico
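An added diagnostic for the failure in the log above (my own example, not code from GSearch, Fedora, Tomcat or the posts in this thread): PKIX selects trust anchors by name, so an old copy of a self-signed certificate left in the truststore has the right Subject DN but the wrong key, and the presented certificate's signature then fails to verify. The program reads the certificate exported from the keystore with `keytool -exportcert` and reports which truststore entries actually verify it; the argument order and file paths are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added diagnostic, not part of GSearch, Fedora or Tomcat. Usage (assumed):
//   java TrustAnchorCheck server.cer /var/fedora/server/truststore tomcat
public class TrustAnchorCheck {

    // Fingerprint, so stale and current copies of a cert with the same DN can be told apart
    static String sha1(X509Certificate c) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate server;
        try (InputStream in = new FileInputStream(args[0])) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        System.out.println("server cert " + server.getSubjectX500Principal() + " SHA1 " + sha1(server));

        boolean verified = false;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate anchor = (X509Certificate) ts.getCertificate(alias);
            // PKIX picks candidate anchors by name: the anchor's Subject must equal the cert's Issuer
            if (!anchor.getSubjectX500Principal().equals(server.getIssuerX500Principal())) continue;
            try {
                server.verify(anchor.getPublicKey()); // the step the log reports as "signature check failed"
                System.out.println("OK    alias=" + alias + " SHA1 " + sha1(anchor));
                verified = true;
            } catch (GeneralSecurityException ex) {
                // Same DN, different key: an old copy of the self-signed cert left in the truststore
                System.out.println("STALE alias=" + alias + " SHA1 " + sha1(anchor) + " (" + ex.getMessage() + ")");
            }
        }
        if (!verified) System.out.println("no trust anchor in " + args[1] + " verifies this certificate");
    }
}
```

An entry reported as STALE has to be deleted from the truststore and the new certificate imported in its place; re-importing under a different alias does not help, because the stale entry with the matching DN is still a candidate anchor.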
On 01/27/2012 05:33 PM, Greg Jansen wrote:
Hey Enrico,
I think you have to change which certificate within the keystore is to
be used, in tomcat's server.xml file. The default key for tomcat is
the first one found in the keystore, so that's probably the original
one. You'll need to add a "keyAlias" attribute that points to your
self-signed cert.
See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
Greg
On 01/27/2012 10:54 AM, Enrico Anello (OEKM) wrote:
Dear all,
I have a fedora installation with embedded tomcat which runs with SSL,
using the default self-signed certificate that comes with the installation.
Since I need to replace that certificate with another self-signed cert
made by myself, how can I do it?
I've been digging through, and I see that tomcat loads the keystore
via these parameters:
-Djavax.net.ssl.trustStore=/var/fedora/server/truststore
-Djavax.net.ssl.trustStorePassword=tomcat
I have actually replaced that truststore with the one I generated
myself, but nothing happened; if I check the certificate from the
browser, it keeps saying it is the default one from the original
installation!
Any tips?
Thank you and Regards,
Enrico Anello
Food and Agriculture Organization of the United Nations
Via delle terme di Caracalla, 1 - 00100 - Rome (Italy)
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
--
___
Gregory N. Jansen
Developer - Carolina Digital Repository
UNC Chapel Hill Libraries