Re: [josm-dev] SunCertPathBuilderException
I have just updated the server certificate with a new one from Globalsign.

Cheers,
Vincent

2015-12-15 23:43 GMT+01:00 Vincent Privat:

> Last time we had the problem with StartSSL (because of osm.org switching
> their certificate) I tried to reach them and got no reply at all, they seem
> to just not care about Java and I don't believe there is something to
> expect from them in the future.
>
> At least Let's Encrypt guys were very reactive as they answered my
> questions in a matter of minutes. We'll see if they manage to reach the
> Oracle truststore in the next weeks/months.
>
> 2015-12-15 23:30 GMT+01:00 Dirk Stöcker:
>
>> On Tue, 15 Dec 2015, Stephan Knauss wrote:
>>
>>> Dirk Stöcker writes:
>>>
>>>> Cert chain is/was complete. It seems Java still does not include
>>>> StartSSL, but Unix versions and browsers use the system certstore. So
>>>> standalone non-Unixes fail. All others work.
>>>
>>> probably you wanted to say WOsign here, but yes, neither that, nor
>>> Startcom nor IdenTrust (for Let's Encrypt) is included in the Java store.
>>
>> No. Really StartSSL. Wosign main cert is signed by StartSSL and I always
>> supply the whole chain from Intermediate, Wosign main to StartSSL (although
>> e.g. Firefox has all of these 3 already included).
>>
>>> Just to have it as a reference in the mailing list archives: In the
>>> support forum Let's Encrypt said they had applied to be included in
>>> Oracle's cacert list. So hopefully for the next renewal we'll have a
>>> better alternative.
>>
>> As far as I know StartSSL also tried and had no success till now and
>> probably gave up.
>>
>>> This is the command to dump the contents of the certificate store to see
>>> whether a specific CA is included.
>>
>> Well I use Linux and here it worked.
>>
>> The last time I used Windows was when I wanted to update my Windows 8 to
>> 10. Took 2 days and the result is a broken OS (at least it booted once) and
>> I will now expand my Linux partition and drop Windows completely. Still
>> have an older Vista in a VM for seldom use. :-)
>>
>> Ciao
>> --
>> http://www.dstoecker.eu/ (PGP key available)

___
josm-dev mailing list
josm-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/josm-dev
Re: [josm-dev] SunCertPathBuilderException
Dirk Stöcker writes:

> Cert chain is/was complete. It seems Java still does not include StartSSL,
> but Unix versions and browsers use the system certstore. So standalone
> non-Unixes fail. All others work.

probably you wanted to say WOsign here, but yes, neither that, nor Startcom nor IdenTrust (for Let's Encrypt) is included in the Java store.

Just to have it as a reference in the mailing list archives: In the support forum Let's Encrypt said they had applied to be included in Oracle's cacert list. So hopefully for the next renewal we'll have a better alternative.

https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134/11

This is the command to dump the contents of the certificate store to see whether a specific CA is included.

    "C:\Program Files (x86)\Java\jre1.8.0_66\bin\keytool.exe" -keystore "c:\program files (x86)\java\jre1.8.0_66\lib\security\cacerts" -storepass changeit -list -v

Stephan
Re: [josm-dev] SunCertPathBuilderException
On Tue, 15 Dec 2015, Stephan Knauss wrote:

> I hadn't checked the certificate store yet, but could it be that the server
> has to include an intermediate certificate? So not the complete chain is
> delivered? This would explain the failure.

Cert chain is/was complete. It seems Java still does not include StartSSL, but Unix versions and browsers use the system certstore. So standalone non-Unixes fail. All others work.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
Re: [josm-dev] SunCertPathBuilderException
Last time we had the problem with StartSSL (because of osm.org switching their certificate) I tried to reach them and got no reply at all, they seem to just not care about Java and I don't believe there is something to expect from them in the future.

At least Let's Encrypt guys were very reactive as they answered my questions in a matter of minutes. We'll see if they manage to reach the Oracle truststore in the next weeks/months.

2015-12-15 23:30 GMT+01:00 Dirk Stöcker:

> On Tue, 15 Dec 2015, Stephan Knauss wrote:
>
>> Dirk Stöcker writes:
>>
>>> Cert chain is/was complete. It seems Java still does not include
>>> StartSSL, but Unix versions and browsers use the system certstore. So
>>> standalone non-Unixes fail. All others work.
>>
>> probably you wanted to say WOsign here, but yes, neither that, nor
>> Startcom nor IdenTrust (for Let's Encrypt) is included in the Java store.
>
> No. Really StartSSL. Wosign main cert is signed by StartSSL and I always
> supply the whole chain from Intermediate, Wosign main to StartSSL (although
> e.g. Firefox has all of these 3 already included).
>
>> Just to have it as a reference in the mailing list archives: In the
>> support forum Let's Encrypt said they had applied to be included in
>> Oracle's cacert list. So hopefully for the next renewal we'll have a
>> better alternative.
>
> As far as I know StartSSL also tried and had no success till now and
> probably gave up.
>
>> This is the command to dump the contents of the certificate store to see
>> whether a specific CA is included.
>
> Well I use Linux and here it worked.
>
> The last time I used Windows was when I wanted to update my Windows 8 to
> 10. Took 2 days and the result is a broken OS (at least it booted once) and
> I will now expand my Linux partition and drop Windows completely. Still
> have an older Vista in a VM for seldom use. :-)
>
> Ciao
> --
> http://www.dstoecker.eu/ (PGP key available)
Re: [josm-dev] SunCertPathBuilderException
On Tue, 15 Dec 2015, Stephan Knauss wrote:

> Dirk Stöcker writes:
>
>> Cert chain is/was complete. It seems Java still does not include StartSSL,
>> but Unix versions and browsers use the system certstore. So standalone
>> non-Unixes fail. All others work.
>
> probably you wanted to say WOsign here, but yes, neither that, nor Startcom
> nor IdenTrust (for Let's Encrypt) is included in the Java store.

No. Really StartSSL. Wosign main cert is signed by StartSSL and I always supply the whole chain from Intermediate, Wosign main to StartSSL (although e.g. Firefox has all of these 3 already included).

> Just to have it as a reference in the mailing list archives: In the support
> forum Let's Encrypt said they had applied to be included in Oracle's cacert
> list. So hopefully for the next renewal we'll have a better alternative.

As far as I know StartSSL also tried and had no success till now and probably gave up.

> This is the command to dump the contents of the certificate store to see
> whether a specific CA is included.

Well I use Linux and here it worked.

The last time I used Windows was when I wanted to update my Windows 8 to 10. Took 2 days and the result is a broken OS (at least it booted once) and I will now expand my Linux partition and drop Windows completely. Still have an older Vista in a VM for seldom use. :-)

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
Re: [josm-dev] SunCertPathBuilderException
Hi Dirk,

There are 3 or 4 "me too's" now on that talk-us thread. Some people are providing the info you asked for.

The "me too's" start here:

https://lists.openstreetmap.org/pipermail/talk-us/2015-December/015785.html

and the "next message" link should take you through the rest of the reports.

Cheers,
blake

On 12/14/2015 10:27 PM, Dirk Stöcker wrote:

> On Mon, 14 Dec 2015, Blake Girardot wrote:
>
>> I am just forwarding this as I saw the note about changing the server
>> certificate and thought this might be relevant. I realize it is not a very
>> helpful report, but if it is relevant, we could follow up with him to get
>> more information.
>
> Yes. Is relevant. I need OS, JOSM version and Java version. Could you
> please ask for it?
>
> Ciao
Re: [josm-dev] SunCertPathBuilderException
On 15.12.2015 08:20, Dirk Stöcker wrote:

> Seems Java with Windows 7 does not work, Java with Windows 7 in browser
> works. Then we have to wait until Windows 7 dies to use it and renew
> Globalsign.

The last report pointed to a quite recent configuration:

    Identification: JOSM/1.5 (9060 en) Windows 10 64-Bit
    Java version: 1.8.0_66, Oracle Corporation, Java HotSpot(TM) Client VM

It is the latest Java version on the latest version of Windows.

I hadn't checked the certificate store yet, but could it be that the server has to include an intermediate certificate? So not the complete chain is delivered? This would explain the failure.

https://www.wosign.com/English/support/SSLins/Apache_ins.htm

Stephan
Re: [josm-dev] SunCertPathBuilderException
On Tue, 15 Dec 2015, Blake Girardot wrote:

> There are 3 or 4 "me too's" now on that talk-us thread. Some people are
> providing the info you asked for.
>
> The "me too's" start here:
>
> https://lists.openstreetmap.org/pipermail/talk-us/2015-December/015785.html
>
> and the "next message" link should take you through the rest of the reports.

Switched back to Globalsign for now, but actually I don't see why it sometimes works and why sometimes not.

Seems Java with Windows 7 does not work, Java with Windows 7 in browser works. Then we have to wait until Windows 7 dies to use it and renew Globalsign.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
Re: [josm-dev] SunCertPathBuilderException
On Mon, 14 Dec 2015, Blake Girardot wrote:

> I am just forwarding this as I saw the note about changing the server
> certificate and thought this might be relevant. I realize it is not a very
> helpful report, but if it is relevant, we could follow up with him to get
> more information.

Yes. Is relevant. I need OS, JOSM version and Java version. Could you please ask for it?

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
Re: [josm-dev] SunCertPathBuilderException
On 14/12/2015 21:27, Dirk Stöcker wrote:

> On Mon, 14 Dec 2015, Blake Girardot wrote:
>
>> I am just forwarding this as I saw the note about changing the server
>> certificate and thought this might be relevant. I realize it is not a very
>> helpful report, but if it is relevant, we could follow up with him to get
>> more information.
>
> Yes. Is relevant. I need OS, JOSM version and Java version. Could you
> please ask for it?
>
> Ciao

Not the OP, but same issue here:

"java -version" (on Windows 7) gives:

    java version "1.8.0_66"
    Java(TM) SE Runtime Environment (build 1.8.0_66-b18)
    Java HotSpot(TM) 64-Bit Server VM (build 25.66-b18, mixed mode)

There's no proxy here, and nothing MITMing access to josm.openstreetmap.de. Pointing a web browser (Seamonkey) at https://josm.openstreetmap.de/maps sees the "WoSign CA Limited" certificate, and is happy with it.

The problem happened before with josm-tested_8969.jar and after updating with josm-tested_9060.jar.

Cheers,
Andy
Re: [josm-dev] SunCertPathBuilderException
On 12/14/2015 10:27 PM, Dirk Stöcker wrote:

> On Mon, 14 Dec 2015, Blake Girardot wrote:
>
>> I am just forwarding this as I saw the note about changing the server
>> certificate and thought this might be relevant. I realize it is not a very
>> helpful report, but if it is relevant, we could follow up with him to get
>> more information.
>
> Yes. Is relevant. I need OS, JOSM version and Java version. Could you
> please ask for it?
>
> Ciao

Hi Dirk,

Here is the info from Alan on talk-us about his error.

Forwarded Message
Subject: Re: [Talk-us] SunCertPathBuilderException
Date: Mon, 14 Dec 2015 18:07:27 -0500
From: Alan Bragg
To: Blake Girardot

Thanks Blake,

Here's the info from the help menu. I included the last errors/warnings.

Alan

---

URL:http://josm.openstreetmap.de/svn/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2015-11-24 00:04:12 +0100 (Tue, 24 Nov 2015)
Build-Date:2015-11-23 23:14:21
Revision:9060
Relative:URL: ^/trunk

Identification: JOSM/1.5 (9060 en) Windows 10 64-Bit
Memory Usage: 123 MB / 989 MB (60 MB allocated, but free)
Java version: 1.8.0_66, Oracle Corporation, Java HotSpot(TM) Client VM

Plugins:
- DirectUpload (31772)
- FastDraw (31772)
- Mapillary (31772)
- RoadSigns (31772)
- TombPlugin (46)
- apache-commons (31772)
- apache-http (31772)
- buildings_tools (31772)
- contourmerge (1014)
- editgpx (31772)
- measurement (31772)
- merge-overlap (31772)
- tofix (171)
- turnrestrictions (31772)
- utilsplugin2 (31772)
- wikipedia (31772)

Last errors/warnings:
- W: Failed to load https://josm.openstreetmap.de/josmfile?page=Styles/Maxspeed=1, use cached file and retry next time: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- W: Failed to load https://josm.openstreetmap.de/josmfile?page=Styles/Traffic_signs=1, use cached file and retry next time: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- W: Already here sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- W: Failed to load https://josm.openstreetmap.de/josmfile?page=Styles/Maxspeed=1, use cached file and retry next time: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target