Re: [josm-dev] SunCertPathBuilderException

2015-12-23 Thread Vincent Privat
I have just updated the server certificate with a new one from Globalsign.
Cheers,
Vincent

2015-12-15 23:43 GMT+01:00 Vincent Privat :

> Last time we had the problem with StartSSL (because of osm.org switching
> their certificate) I tried to reach them and got no reply at all, they seem
> to just not care about Java and I don't believe there is something to
> expect from them in the future.
>
> At least Let's Encrypt guys were very reactive as they answered my
> questions in a matter of minutes. We'll see if they manage to reach the
> Oracle truststore in the next weeks/months.
>
> 2015-12-15 23:30 GMT+01:00 Dirk Stöcker :
>
>> On Tue, 15 Dec 2015, Stephan Knauss wrote:
>>
>> Dirk Stöcker writes:
>>>
>>> Cert chain is/was complete. It seems Java still does not include
>>>> StartSSL, but Unix versions and browsers use the system certstore. So
>>>> standalone non-Unixes fail. All others work.
>>>>
>>>
>>> probably you wanted to say WOsign here, but yes, neither that, nor
>>> Startcom nor IdenTrust (for Let's Encrypt) is included in the Java store.
>>>
>>
>> No. Really StartSSL. Wosign main cert is signed by StartSSL and I always
>> supply the whole chain from Intermediate, Wosign main to StartSSL (although
>> e.g. Firefox has all of these 3 already included).
>>
>> Just to have it as a reference in the mailing list archives: In the
>>> support forum Let's Encrypt said they had applied to be included in Oracle's
>>> cacert list. So hopefully for the next renewal we'll have a better
>>> alternative.
>>>
>>
>> As far as I know StartSSL also tried and had no success till now and
>> probably gave up.
>>
>> This is the command to dump the contents of the certificate store to see
>>> whether a specific CA is included.
>>>
>>
>> Well I use Linux and here it worked.
>>
>> The last time I used Windows was when I wanted to update my Windows 8 to
>> 10. Took 2 days and the result is a broken OS (at least it booted once) and
>> I will now expand my Linux partition and drop Windows completely. Still
>> have an older Vista in a VM for seldom use. :-)
>>
>> Ciao
>> --
>> http://www.dstoecker.eu/ (PGP key available)
>> ___
>> josm-dev mailing list
>> josm-dev@openstreetmap.org
>> https://lists.openstreetmap.org/listinfo/josm-dev
>>
>
>


Re: [josm-dev] SunCertPathBuilderException

2015-12-15 Thread Stephan Knauss

Dirk Stöcker writes:

Cert chain is/was complete. It seems Java still does not include StartSSL,  
but Unix versions and browsers use the system certstore. So standalone  
non-Unixes fail. All others work.


probably you wanted to say WOsign here, but yes, neither that, nor Startcom  
nor IdenTrust (for Let's Encrypt) is included in the Java store.


Just to have it as a reference in the mailing list archives: In the support  
forum Let's Encrypt said they had applied to be included in Oracle's cacert
list. So hopefully for the next renewal we'll have a better alternative.


https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134/11


This is the command to dump the contents of the certificate store to see
whether a specific CA is included.


"C:\Program Files (x86)\Java\jre1.8.0_66\bin\keytool.exe" -keystore "c:\program files (x86)\java\jre1.8.0_66\lib\security\cacerts" -storepass changeit -list -v

Stephan



Re: [josm-dev] SunCertPathBuilderException

2015-12-15 Thread Dirk Stöcker

On Tue, 15 Dec 2015, Stephan Knauss wrote:

I hadn't checked the certificate store yet, but could it be that the server 
has to include an intermediate certificate? So not the complete chain is 
delivered? This would explain the failure.


Cert chain is/was complete. It seems Java still does not include StartSSL, 
but Unix versions and browsers use the system certstore. So standalone 
non-Unixes fail. All others work.


Ciao
--
http://www.dstoecker.eu/ (PGP key available)



Re: [josm-dev] SunCertPathBuilderException

2015-12-15 Thread Vincent Privat
Last time we had the problem with StartSSL (because of osm.org switching
their certificate) I tried to reach them and got no reply at all, they seem
to just not care about Java and I don't believe there is something to
expect from them in the future.

At least Let's Encrypt guys were very reactive as they answered my
questions in a matter of minutes. We'll see if they manage to reach the
Oracle truststore in the next weeks/months.

2015-12-15 23:30 GMT+01:00 Dirk Stöcker :

> On Tue, 15 Dec 2015, Stephan Knauss wrote:
>
> Dirk Stöcker writes:
>>
>> Cert chain is/was complete. It seems Java still does not include
>>> StartSSL, but Unix versions and browsers use the system certstore. So
>>> standalone non-Unixes fail. All others work.
>>>
>>
>> probably you wanted to say WOsign here, but yes, neither that, nor
>> Startcom nor IdenTrust (for Let's Encrypt) is included in the Java store.
>>
>
> No. Really StartSSL. Wosign main cert is signed by StartSSL and I always
> supply the whole chain from Intermediate, Wosign main to StartSSL (although
> e.g. Firefox has all of these 3 already included).
>
> Just to have it as a reference in the mailing list archives: In the
>> support forum Let's Encrypt said they had applied to be included in Oracle's
>> cacert list. So hopefully for the next renewal we'll have a better
>> alternative.
>>
>
> As far as I know StartSSL also tried and had no success till now and
> probably gave up.
>
> This is the command to dump the contents of the certificate store to see
>> whether a specific CA is included.
>>
>
> Well I use Linux and here it worked.
>
> The last time I used Windows was when I wanted to update my Windows 8 to
> 10. Took 2 days and the result is a broken OS (at least it booted once) and
> I will now expand my Linux partition and drop Windows completely. Still
> have an older Vista in a VM for seldom use. :-)
>
> Ciao
> --
> http://www.dstoecker.eu/ (PGP key available)
>


Re: [josm-dev] SunCertPathBuilderException

2015-12-15 Thread Dirk Stöcker

On Tue, 15 Dec 2015, Stephan Knauss wrote:


Dirk Stöcker writes:

Cert chain is/was complete. It seems Java still does not include StartSSL, 
but Unix versions and browsers use the system certstore. So standalone 
non-Unixes fail. All others work.


probably you wanted to say WOsign here, but yes, neither that, nor Startcom 
nor IdenTrust (for Let's Encrypt) is included in the Java store.


No. Really StartSSL. Wosign main cert is signed by StartSSL and I always 
supply the whole chain from Intermediate, Wosign main to StartSSL 
(although e.g. Firefox has all of these 3 already included).


Just to have it as a reference in the mailing list archives: In the support 
forum Let's Encrypt said they had applied to be included in Oracle's cacert
list. So hopefully for the next renewal we'll have a better alternative.


As far as I know StartSSL also tried and had no success till now and 
probably gave up.


This is the command to dump the contents of the certificate store to see 
whether a specific CA is included.


Well I use Linux and here it worked.

The last time I used Windows was when I wanted to update my Windows 8 to 
10. Took 2 days and the result is a broken OS (at least it booted once) 
and I will now expand my Linux partition and drop Windows completely. 
Still have an older Vista in a VM for seldom use. :-)


Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: [josm-dev] SunCertPathBuilderException

2015-12-14 Thread Blake Girardot

Hi Dirk,

There are 3 or 4 "me too's" now on that talk-us thread.

Some people are providing the info you asked for.

The "me too's" start here:

https://lists.openstreetmap.org/pipermail/talk-us/2015-December/015785.html

and the "next message" link should take you through the rest of the reports.

Cheers,
blake



On 12/14/2015 10:27 PM, Dirk Stöcker wrote:

On Mon, 14 Dec 2015, Blake Girardot wrote:


I am just forwarding this as I saw the note about changing the server
certificate and thought this might be relevant. I realize it is not a
very helpful report, but if it is relevant, we could follow up with
him to get more information.


Yes. Is relevant. I need OS, JOSM version and Java version. Could you
please ask for it?

Ciao




Re: [josm-dev] SunCertPathBuilderException

2015-12-14 Thread Stephan Knauss

On 15.12.2015 08:20, Dirk Stöcker wrote:

Seems Java with Windows 7 does not work, Java with Windows 7 in browser
works. Then we have to wait until Windows 7 dies to use it and renew
Globalsign.


the last report pointed to a quite recent configuration:
Identification: JOSM/1.5 (9060 en) Windows 10 64-Bit
Java version: 1.8.0_66, Oracle Corporation, Java HotSpot(TM) Client VM

It is the latest java version on the latest version of windows.

I hadn't checked the certificate store yet, but could it be that the 
server has to include an intermediate certificate? So not the complete 
chain is delivered? This would explain the failure.


https://www.wosign.com/English/support/SSLins/Apache_ins.htm


Stephan





Re: [josm-dev] SunCertPathBuilderException

2015-12-14 Thread Dirk Stöcker

On Tue, 15 Dec 2015, Blake Girardot wrote:


There are 3 or 4 "me too's" now on that talk-us thread.

Some people are providing the info you asked for.

The "me too's" start here:

https://lists.openstreetmap.org/pipermail/talk-us/2015-December/015785.html

and the "next message" link should take you through the rest of the reports.


Switched back to Globalsign for now, but actually I don't see why it 
sometimes works and why sometimes not.


Seems Java with Windows 7 does not work, Java with Windows 7 in browser 
works. Then we have to wait until Windows 7 dies to use it and renew 
Globalsign.


Ciao
--
http://www.dstoecker.eu/ (PGP key available)



Re: [josm-dev] SunCertPathBuilderException

2015-12-14 Thread Dirk Stöcker

On Mon, 14 Dec 2015, Blake Girardot wrote:

I am just forwarding this as I saw the note about changing the server 
certificate and thought this might be relevant. I realize it is not a very 
helpful report, but if it is relevant, we could follow up with him to get 
more information.


Yes. Is relevant. I need OS, JOSM version and Java version. Could you 
please ask for it?


Ciao
--
http://www.dstoecker.eu/ (PGP key available)



Re: [josm-dev] SunCertPathBuilderException

2015-12-14 Thread Andy Townsend

On 14/12/2015 21:27, Dirk Stöcker wrote:

On Mon, 14 Dec 2015, Blake Girardot wrote:

I am just forwarding this as I saw the note about changing the server 
certificate and thought this might be relevant. I realize it is not a 
very helpful report, but if it is relevant, we could follow up with 
him to get more information.


Yes. Is relevant. I need OS, JOSM version and Java version. Could you 
please ask for it?


Ciao


Not the OP, but same issue here:

"java -version" (on Windows 7) gives:

java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b18)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b18, mixed mode)

There's no proxy here, and nothing MITMing access to 
josm.openstreetmap.de .  Pointing a web browser (Seamonkey) at 
https://josm.openstreetmap.de/maps sees the "WoSign CA Limited" 
certificate, and is happy with it.


The problem happened before with josm-tested_8969.jar and after updating 
with josm-tested_9060.jar.


Cheers,
Andy




Re: [josm-dev] SunCertPathBuilderException

2015-12-14 Thread Blake Girardot



On 12/14/2015 10:27 PM, Dirk Stöcker wrote:

On Mon, 14 Dec 2015, Blake Girardot wrote:


I am just forwarding this as I saw the note about changing the server
certificate and thought this might be relevant. I realize it is not a
very helpful report, but if it is relevant, we could follow up with
him to get more information.


Yes. Is relevant. I need OS, JOSM version and Java version. Could you
please ask for it?

Ciao


Hi Dirk,

Here is the info from Alan on talk-us about his error.


-------- Forwarded Message --------
Subject: Re: [Talk-us] SunCertPathBuilderException
Date: Mon, 14 Dec 2015 18:07:27 -0500
From: Alan Bragg
To: Blake Girardot



Thanks Blake, Here's the info from the help menu. I included the last
errors/warnings.
Alan
---
URL:http://josm.openstreetmap.de/svn/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2015-11-24 00:04:12 +0100 (Tue, 24 Nov 2015)
Build-Date:2015-11-23 23:14:21
Revision:9060
Relative:URL: ^/trunk

Identification: JOSM/1.5 (9060 en) Windows 10 64-Bit
Memory Usage: 123 MB / 989 MB (60 MB allocated, but free)
Java version: 1.8.0_66, Oracle Corporation, Java HotSpot(TM) Client VM

Plugins:
- DirectUpload (31772)
- FastDraw (31772)
- Mapillary (31772)
- RoadSigns (31772)
- TombPlugin (46)
- apache-commons (31772)
- apache-http (31772)
- buildings_tools (31772)
- contourmerge (1014)
- editgpx (31772)
- measurement (31772)
- merge-overlap (31772)
- tofix (171)
- turnrestrictions (31772)
- utilsplugin2 (31772)
- wikipedia (31772)

Last errors/warnings:
- W: Failed to load
https://josm.openstreetmap.de/josmfile?page=Styles/Maxspeed=1, use
cached file and retry next time: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
- W: Already here
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
- W: Failed to load
https://josm.openstreetmap.de/josmfile?page=Styles/Traffic_signs=1,
use cached file and retry next time:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
- W: Already here
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
- W: Failed to load
https://josm.openstreetmap.de/josmfile?page=Styles/Maxspeed=1, use
cached file and retry next time: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target




