RE: SSL error [EXTERNAL]
I was able to resolve this. I used keytool to create a new keystore/trust store, then imported the previous truststore that had all the CA certs in it. That seemed to work. So even though the previous truststore had the certs in it and was not empty, it must have had some kind of linking problem maybe?

Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-----Original Message-----
From: john.e.gr...@wellsfargo.com.INVALID
Sent: Friday, June 26, 2020 1:32 PM
To: users@tomcat.apache.org
Subject: RE: SSL error [EXTERNAL]

** CAUTION: External message

Shawn,

That error message comes from PKIXParameters.setTrustAnchors(). I was able to reproduce the problem with an empty trust store. I also tried a trust store with the wrong certs but got a different error.

With -Djavax.net.debug=ssl, you should see output like this:

    trustStore is: /path/to/trust.jks
    trustStore type is: jks
    trustStore provider is:
    the last modified time is: Fri Jun 26 13:27:52 CDT 2020
    Reload the trust store
    Reload trust certs
    Reloaded 1 trust certs
    adding as trusted cert:

Followed by a list of certs found in the store. Is that what's happening in your case?

John
RE: SSL error [EXTERNAL]
Shawn,

-----Original Message-----
From: Beard, Shawn M.
Sent: Friday, June 26, 2020 11:57 AM
To: Tomcat Users List
Subject: RE: SSL error [EXTERNAL]

The code is calling a new webservice. It has GoDaddy as its CA signer. It was getting the error before I added those java options. Those java options were my attempt to resolve it. I've also tried adding the GoDaddy CA certs to java's cacerts file without those java options. Same result.

Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

That error message comes from PKIXParameters.setTrustAnchors(). I was able to reproduce the problem with an empty trust store. I also tried a trust store with the wrong certs but got a different error.

With -Djavax.net.debug=ssl, you should see output like this:

    trustStore is: /path/to/trust.jks
    trustStore type is: jks
    trustStore provider is:
    the last modified time is: Fri Jun 26 13:27:52 CDT 2020
    Reload the trust store
    Reload trust certs
    Reloaded 1 trust certs
    adding as trusted cert:

Followed by a list of certs found in the store. Is that what's happening in your case?

John
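John's reproduction above (an empty trust store gives exactly this exception) suggests checking what the JVM actually gets out of the file before changing java options or the connector. The following is an added example, not code from the thread or from Tomcat: it loads a trust store the way the JSSE defaults do, counts the entry types, and reports how many anchors a PKIX X509TrustManager builds from it. The class name TrustStoreCheck is a placeholder; the store path, type and password default to the -Djavax.net.ssl.trustStore* properties quoted in the thread and are otherwise supplied on the command line.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not part of Tomcat or of the thread). Loads a trust store
 * with the same type/password handling as the JSSE defaults and reports how
 * many trust anchors a PKIX trust manager actually obtains from it. Zero
 * accepted issuers is the state that produces "the trustAnchors parameter
 * must be non-empty" on the first TLS handshake.
 */
public class TrustStoreCheck {

    /** What one trust store yields. */
    public static final class Report {
        public final int certificateEntries;  // aliases stored as trustedCertEntry
        public final int keyEntries;          // aliases stored as PrivateKeyEntry (a key store, not a trust store)
        public final int acceptedIssuers;     // anchors the X509TrustManager built from the file

        Report(int certificateEntries, int keyEntries, int acceptedIssuers) {
            this.certificateEntries = certificateEntries;
            this.keyEntries = keyEntries;
            this.acceptedIssuers = acceptedIssuers;
        }
    }

    public static Report inspect(String path, String type, char[] password) throws Exception {
        File f = new File(path);
        if (!f.isFile()) {
            // A missing or unreadable file is the simplest way to end up with no anchors at all.
            throw new IllegalArgumentException("trust store not found: " + f.getAbsolutePath());
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(f)) {
            // A null password loads a JKS file without verifying its integrity hash. A wrong
            // password, or a file that is not really of the declared type, fails here with IOException.
            ks.load(in, password);
        }
        int certEntries = 0;
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                certEntries++;
            } else if (ks.isKeyEntry(alias)) {
                keyEntries++;
            }
        }
        // Same factory the JVM uses for its default SSLContext ("PKIX" on Oracle/OpenJDK).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        int accepted = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                accepted += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return new Report(certEntries, keyEntries, accepted);
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the -Djavax.net.ssl.trustStore* options quoted in the thread.
        String path = args.length > 0 ? args[0] : System.getProperty("javax.net.ssl.trustStore");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        if (path == null) {
            System.err.println("usage: java TrustStoreCheck <truststore>  (or set -Djavax.net.ssl.trustStore=...)");
            System.exit(2);
        }
        Report r = inspect(path, type, pw == null ? null : pw.toCharArray());
        System.out.println("trust store:         " + path + " (type " + type + ")");
        System.out.println("certificate entries: " + r.certificateEntries);
        System.out.println("private key entries: " + r.keyEntries);
        System.out.println("accepted issuers:    " + r.acceptedIssuers);
        if (r.acceptedIssuers == 0) {
            System.out.println("no trust anchors: every TLS handshake through this store will fail with"
                    + " \"the trustAnchors parameter must be non-empty\"");
            System.exit(1);
        }
    }
}
```

Run it with the same JVM and the same -D options as Tomcat. A file that loads cleanly but reports zero accepted issuers is what the stack trace in the thread looks like from the inside: the JSSE trust manager only builds its PKIX parameters, and only raises "the trustAnchors parameter must be non-empty", when the first handshake needs them, so startup logs nothing. An IOException from load() instead points at a wrong password or at a file that is not of the declared type, for example a PKCS12 file that was saved under a .jks name.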
RE: SSL error [EXTERNAL]
The code is calling a new webservice. It has GoDaddy as its CA signer. It was getting the error before I added those java options. Those java options were my attempt to resolve it. I've also tried adding the GoDaddy CA certs to java's cacerts file without those java options. Same result.

Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-----Original Message-----
From: calder
Sent: Friday, June 26, 2020 11:45 AM
To: Tomcat Users List
Subject: Re: SSL error [EXTERNAL]

On Fri, Jun 26, 2020, 10:37 Beard, Shawn M. wrote:

> We are running tomcat-7.0.52 (old I know) and java 1.7.0_80.

yea, BOTH are very old.

> When the app makes calls to an external webservice, it keeps throwing this
> error:
>
> javax.net.ssl.SSLException : javax.net.ssl.SSLException:
> java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
> [1]
>
> I have this in the java options and have confirmed the proper CA certs
> for this webservice are in the truststore. Any ideas?
>
> -Djavax.net.ssl.trustStore=/path/to/truststore/tomcatTrustStore.jks
> -Djavax.net.ssl.trustStorePassword=
> -Djavax.net.ssl.trustStoreType=jks

Did this runtime EVER work? If yes, "what" changed?

[1] https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty

CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain private, privileged and confidential information belonging to the sender. The information therein is solely for the use of the addressee. If your receipt of this transmission has occurred as the result of an error, please immediately notify us so we can arrange for the return of the documents. In such circumstances, you are advised that you may not disclose, copy, distribute or take any other action in reliance on the information transmitted.
Re: SSL error
On Fri, Jun 26, 2020, 10:37 Beard, Shawn M. wrote:

> We are running tomcat-7.0.52 (old I know) and java 1.7.0_80.

yea, BOTH are very old.

> When the app makes calls to an external webservice, it keeps throwing this
> error:
>
> javax.net.ssl.SSLException : javax.net.ssl.SSLException:
> java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
> [1]
>
> I have this in the java options and have confirmed the proper CA certs for
> this webservice are in the truststore. Any ideas?
>
> -Djavax.net.ssl.trustStore=/path/to/truststore/tomcatTrustStore.jks
> -Djavax.net.ssl.trustStorePassword=
> -Djavax.net.ssl.trustStoreType=jks

Did this runtime EVER work? If yes, "what" changed?

[1] https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty
Re: SSL error certificate question
BJ Selman wrote:
> First of all, is there a specific extension required for SSL certificates on an Apache/Tomcat server? i.e. Does it have to be a crt or a cert or ? Seems like I read that it needs to be PEM-encoded - that's about all I could find.
>
> Also, my error log is showing the below... Where should I start looking for the problem? (Trying to 'rewrite' a certain page to httpS - it never gets redirected... if I manually add the s, the browser tells me it's trying to connect to SSL, but when I 'proceed' through the security warning, the s disappears from the URL)

That looks like an httpd log, not a Tomcat one. You'll have more luck on the httpd users list.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL error when invoking web service
Thanks for the response.

The client can be any one who wants to post an XML message to this URL. So you could create an xml message and post the request using https. Not sure why the client would need to 'add' this certificate. We have written code to connect to many such web services and we never need to add certificates from the server we are connecting to? For example, if we need to use Fedex's API service, we need to send the request using https, but we have never added any certificates from them on our server.

Bill Barker wrote:
> You didn't say what the client is so I can't offer much on how to fix it. But the error is saying that the client couldn't find the CA certificate that signed your Tomcat server certificate in its list of trusted CAs. As a result, the client correctly decides not to trust your Tomcat server. You need to add the CA certificate to the client's trusted certificate list, as explained in the documentation for the client (but probably cacerts.pem).

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSL error when invoking web service
Rizwan Merchant [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Thanks for the response.
>
> The client can be any one who wants to post an XML message to this URL. So you could create an xml message and post the request using https. Not sure why the client would need to 'add' this certificate. We have written code to connect to many such web services and we never need to add certificates from the server we are connecting to? For example, if we need to use Fedex's API service, we need to send the request using https, but we have never added any certificates from them on our server.

Without looking, Fedex almost certainly uses one of the big commercial CAs (e.g. Verisign, Thawte). Their CA certs ship with almost all SSL enabled clients, and so the client will be able to verify the certificate chain up to a trusted CA. This is pretty much the only way to go if anyone can post to the URL. If you're using your own CA (or, worse, a self-signed cert), then the server's certificate won't be trusted without adding the CA cert (and in the case of self-signed, may not be trusted in any case).

SSL certificates work sort of like the mafia: If someone I trust will sign for you, then I'll trust you ;).
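Bill's point in both replies is that the client, not the server, decides whom to trust, and that a private or self-signed CA therefore has to be added to the client's trust list. As an added example, not code from the thread or from Tomcat, here is a Java client for the kind of XML-over-HTTPS service described above. It first tries the JVM's default trust store, which rejects a private CA the same way the libcurl client in the thread does, and then retries with an SSLContext whose only anchors are the CA certificates read from a PEM file. The class name PrivateCaClient, the service URL and the PEM path are placeholders supplied on the command line; the XML body is a constructed placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread or from Tomcat): an HTTPS client that
 * trusts a specific CA instead of relying on the JVM's default cacerts.
 */
public class PrivateCaClient {

    /** Builds an SSLContext whose only trust anchors are the certificates in the given PEM file. */
    public static SSLContext contextTrusting(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                                 // fresh, empty in-memory store
        int n = 0;
        try (InputStream in = new FileInputStream(pemPath)) {
            // generateCertificates() accepts a PEM bundle holding several CA certificates.
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("ca-" + (n++), c);    // trustedCertEntry, which is what a trust manager uses
            }
        }
        if (n == 0) {
            throw new IllegalArgumentException("no certificates found in " + pemPath);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);         // no client key material, no custom SecureRandom
        return ctx;
    }

    /** POSTs an XML body over HTTPS with the supplied context and returns the HTTP status code. */
    public static int postXml(SSLContext ctx, String url, String xml) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // hostname verification stays at its default
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=UTF-8");
        byte[] body = xml.getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();                       // the TLS handshake happens here
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java PrivateCaClient <https-url> <ca-bundle.pem>");
            System.exit(2);
        }
        String url = args[0];                                // e.g. https://www.mydomain.com/rpc2
        String caPem = args[1];                              // CA certificate(s) that signed the server cert
        String xml = "<request/>";                           // constructed placeholder body
        try {
            System.out.println("default trust store: HTTP " + postXml(SSLContext.getDefault(), url, xml));
        } catch (SSLHandshakeException e) {
            // For a private or self-signed CA this is the Java counterpart of libcurl's
            // "certificate verify failed": "unable to find valid certification path to requested target".
            System.out.println("default trust store rejected the server: " + e.getMessage());
        }
        System.out.println("trusting " + caPem + ": HTTP " + postXml(contextTrusting(caPem), url, xml));
    }
}
```

Two caveats a practitioner would want here. Do not "fix" the failure with a trust-all TrustManager or by disabling hostname verification; that turns the HTTPS endpoint into plaintext with extra steps. And if the server certificate was issued by an intermediate CA, the Tomcat keystore entry must carry the full chain so the server sends the intermediate during the handshake; a client that trusts only the root will otherwise still report certificate verify failed.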
Re: SSL error when invoking web service
Rizwan Merchant [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> We have a web based application running on Tomcat 6. The server.xml file is configured so that the application can handle incoming https requests on port 443 (default). When a user hits the URL http://www.mydomain.com, it automatically redirects to https://www.mydomain.com (due to security constraint set up in web.xml).
>
> We also have a web service running which is invoked by posting the request message to http://www.mydomain.com/rpc2
>
> I am trying to enforce ssl on this service as well, but when a message is posted to https://www.mydomain.com/rpc2 (secure using https protocol), the client is seeing the following error: (Posting the message to http://www.mydomain.com/rpc2 works fine)
>
> *Error 60:SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed*

You didn't say what the client is so I can't offer much on how to fix it. But the error is saying that the client couldn't find the CA certificate that signed your Tomcat server certificate in its list of trusted CAs. As a result, the client correctly decides not to trust your Tomcat server. You need to add the CA certificate to the client's trusted certificate list, as explained in the documentation for the client (but probably cacerts.pem).

> Basically, the https is working fine on the website, but not for the web service (which, from what I understand, is being handled by a separate servlet, rpc2). Any ideas please?
>
> Thanks,
> -Rizwan Merchant.
RE: SSL Error : Please HELP
You want to put this in the Java tab under Java Options.

Best regards
Robert.

-----Original Message-----
From: James Rome [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2005 16:00
To: tomcat-user@jakarta.apache.org
Subject: SSL Error : Please HELP

I tried putting start -Djavax.net.debug=ssl:handshake in the Windows 5.5 GUI startup tab under arguments and Tomcat will not start. How does one get this to work?

Jim

-----

You can pass the option '-Djavax.net.debug=ssl:handshake' to the Tomcat startup (either set JAVA_OPTS to it if you are using startup.bat, or add it via the tomcat5w.exe GUI if you are using the service). It will give you tons of information about the SSL negotiations from the Tomcat side. If the problem doesn't pop out at you, post the results to the list, and maybe another set of eyes will see something. Iannis' answer below is the most likely answer to your problem, without knowing more about it.

Lalit Batra [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> yes it was typing mistake. I use https://localhost:8443/
> Netscape 7.0 works, IE 6.x works but Mozilla and Netscape 8.0 fail.
>
> Thanks,
> Lalit

The information contained in this message is intended only for the recipient, and may be a confidential attorney-client communication or may otherwise be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, please be aware that any dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by replying to the message and deleting it from your computer.