Anil,

That's OpenJDK. The cert has to be recognized by Oracle JDK as well. It is not.

Ed

On Mon, Mar 27, 2017 at 6:29 PM, Anil Belur <abe...@linuxfoundation.org> wrote:

> On Tuesday 28 March 2017 10:29 AM, Ed Warnicke wrote:
> > Anil,
> >
> > The issue is that we are using a LetsEncrypt cert for nexus.opendaylight.org,
> > and that's not a cert that is trusted by the OracleJDK.
> > We need a cert from one of the trusted CAs listed below:
> >
> > keytool -list -v -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre//lib/security/cacerts | grep Issuer:
> > Enter keystore password:
> >
> > ***************** WARNING WARNING WARNING *****************
> > * The integrity of the information stored in your keystore *
> > * has NOT been verified! In order to verify its integrity, *
> > * you must provide your keystore password. *
> > ***************** WARNING WARNING WARNING *****************
> >
> > On Mon, Mar 27, 2017 at 5:12 PM, Ed Warnicke <hagb...@gmail.com> wrote:
> >
> >> Oh, and for reference:
> >>
> >> mvn -v
> >> Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
> >> Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T09:41:47-07:00)
> >> Maven home: /Users/hagbard/build/apache-maven-3.3.9
> >> Java version: 1.8.0_77, vendor: Oracle Corporation
> >> Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre
> >> Default locale: en_US, platform encoding: UTF-8
> >> OS name: "mac os x", version: "10.12.3", arch: "x86_64", family: "mac"
> >>
> >> Ed
> >>
> >> On Mon, Mar 27, 2017 at 5:11 PM, Ed Warnicke <hagb...@gmail.com> wrote:
> >>
> >>> Anil,
> >>>
> >>> Has anyone checked to see if the cert we are using is respected by the
> >>> Oracle JDK?
> >>>
> >>> Because I can trivially reproduce this issue with the Oracle JDK that
> >>> comes as stock on the Mac (where many of our developers work).
> >>> The SSL rating you mentioned is basically meaningless for this problem...
> >>> all that matters is:
> >>>
> >>> a) Is the cert respected by OpenJDK
> >>> and
> >>> b) Is the cert respected by Oracle JDK
> >>>
> >>> What I see from my experiment is that the answer to #b is *no*, and so we
> >>> must get a cert from a cert authority that *is*.
> >>>
> >>> Ed
> >>>
> >>> On Mon, Mar 27, 2017 at 4:59 PM, Anil Belur <abe...@linuxfoundation.org>
> >>> wrote:
> >>>
> >>>> On Thursday 16 March 2017 03:01 AM, Andrew Grimberg wrote:
> >>>>
> >>>> On 03/13/2017 04:56 PM, Andrew Grimberg wrote:
> >>>>
> >>>> On 03/13/2017 03:15 PM, Andrew Grimberg wrote:
> >>>>
> >>>> Greetings folks,
> >>>>
> >>>> Google released Chrome 57 last week and if you happen to have updated you
> >>>> may find you can't access portions of OpenDaylight. LF is aware of this
> >>>> and will have a fix in place by EOD today.
> >>>>
> >>>> -Andy-
> >>>>
> >>>> Greetings,
> >>>>
> >>>> The initial phase of this work is now done. All certificates except for
> >>>> Nexus have been switched over to Let's Encrypt certificates. We will be
> >>>> moving Nexus over tomorrow but as it's late in the day and we understand
> >>>> that Java can be touchy about the certs we don't want to make the change
> >>>> late in the business day even though we're certain it will work.
> >>>>
> >>>> Greetings folks,
> >>>>
> >>>> I know I said that the cert change for nexus would happen yesterday.
> >>>> However, given the issues that Jenkins was having with SNI it didn't
> >>>> happen. I have just now completed switching Nexus over to a Let's
> >>>> Encrypt (LE) certificate as well.
> >>>>
> >>>> I do not anticipate any issues given that the LE's CA is cross-signed by
> >>>> a CA that is in the Oracle JDK trust store but just in case folks using
> >>>> that JDK suddenly can't do local builds anymore, please let us know!
> >>>>
> >>>> -Andy-
> >>>>
>
> Hello Ed,
>
> A more recent version of the JDK shows that IdenTrust, which is the
> intermediate CA being used, is available [1.].
>
> # keytool -list -v -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/security/cacerts | grep 'Issuer:' | grep 'CN=IdenTrust'
> ...
> Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
> Issuer: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
> Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
>
> We would recommend updating to a more recent version of the JDK, and let us
> know if this resolves the issue.
>
> [1.] https://bugs.openjdk.java.net/browse/JDK-8161008
>
> Thanks,
> Anil
_______________________________________________
infrastructure mailing list
infrastructure@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/infrastructure
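
Both sides of this thread check trust by grepping `keytool -list -v` output by hand; the script below does the same comparison with an exact match on the issuer CN. It is an added example, not part of the original messages: the function names and the two sample listings are constructed, and it assumes `DST Root CA X3` (the name shown in the keytool output quoted above) is the root the server's chain depends on.

```shell
#!/bin/sh
# Added example: check saved `keytool -list -v` output for a required root CA.

# Print the CN of every "Issuer:" line read from stdin. Issuers that carry no
# CN (for example "Issuer: OU=..., O=..., C=US") are skipped.
issuer_cns() {
    awk '/^[ \t]*Issuer:/ {
        if (match($0, /CN=[^,]*/)) print substr($0, RSTART + 3, RLENGTH - 3)
    }'
}

# has_root FILE CN: succeed only if FILE lists an issuer whose CN is exactly CN.
# Exact matching avoids the false positives of a substring grep.
has_root() {
    issuer_cns < "$1" | grep -Fxq -- "$2"
}

# missing_roots FILE CN...: print each required CN that FILE does not contain.
missing_roots() {
    listing=$1; shift
    for cn in "$@"; do
        has_root "$listing" "$cn" || printf '%s\n' "$cn"
    done
}

# Constructed sample listings (not real trust stores): OLD_STORE lacks the
# IdenTrust roots, NEW_STORE has them.
OLD_STORE=$(mktemp); NEW_STORE=$(mktemp)
cat > "$OLD_STORE" <<'EOF'
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", O="Entrust, Inc.", C=US
EOF
{ cat "$OLD_STORE"; cat <<'EOF'
Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
EOF
} > "$NEW_STORE"

# Report, per store, which required roots are absent.
for store in "$OLD_STORE" "$NEW_STORE"; do
    echo "$store missing: $(missing_roots "$store" "DST Root CA X3")"
done
```

To run it against a real trust store, redirect the output of `keytool -list -v -keystore <path-to-cacerts>` to a file and pass that file to `missing_roots` in place of the sample listings.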