RE: SSL error [EXTERNAL]

2020-06-26 Thread Beard, Shawn M.
I was able to resolve this. I used keytool to create a new keystore/trust 
store, then imported the previous truststore that had all the CA certs in it. 
That seemed to work. So even though the previous truststore had the certs in it 
and was not empty, it must have had some kind of linking problem maybe?



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-Original Message-
From: john.e.gr...@wellsfargo.com.INVALID 
Sent: Friday, June 26, 2020 1:32 PM
To: users@tomcat.apache.org
Subject: RE: SSL error [EXTERNAL]

** CAUTION: External message


Shawn,


-Original Message-
From: Beard, Shawn M. 
Sent: Friday, June 26, 2020 11:57 AM
To: Tomcat Users List 
Subject: RE: SSL error [EXTERNAL]

The code is calling a new webservice. It has godaddy as its ca signer. It was 
getting the error before I added those java options. Those java options were my 
attempt to resolve it. I've also tried adding the godaddy ca certs to java's 
cacert file without those java options. Same result.



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-Original Message-
From: calder 
Sent: Friday, June 26, 2020 11:45 AM
To: Tomcat Users List 
Subject: Re: SSL error [EXTERNAL]



On Fri, Jun 26, 2020, 10:37 Beard, Shawn M. wrote:

> We are running tomcat-7.0.52(old I know) and java 1.7.0_80.
>

yea, BOTH are very old.

> When the app makes calls to an external webservice. It keeps throwing this
> error:
>
> javax.net.ssl.SSLException : javax.net.ssl.SSLException:
> java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
>
[1]

> I have this in the java options and have confirmed the proper CA certs
> for this webservice is in the truststore. Any ideas?
>
> -Djavax.net.ssl.trustStore=/path/to/truststore/tomcatTrustStore.jks
> -Djavax.net.ssl.trustStorePassword=
> -Djavax.net.ssl.trustStoreType=jks
>

Did this runtime EVER work?

If yes, "what" changed?



[1]
https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty
CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain 
private, privileged and confidential information belonging to the sender. The 
information therein is solely for the use of the addressee. If your receipt of 
this transmission has occurred as the result of an error, please immediately 
notify us so we can arrange for the return of the documents. In such 
circumstances, you are advised that you may not disclose, copy, distribute or 
take any other action in reliance on the information transmitted.

That error message comes from PKIXParameters.setTrustAnchors().  I was able to 
reproduce the problem with an empty trust store.  I also tried a trust store 
with the wrong certs but got a different error.

With -Djavax.net.debug=ssl, you should see output like this:

trustStore is: /path/to/trust.jks
trustStore type is: jks
trustStore provider is:
the last modified time is: Fri Jun 26 13:27:52 CDT 2020
Reload the trust store
Reload trust certs
Reloaded 1 trust certs
adding as trusted cert:

Followed by a list of certs found in the store.

Is that what's happening in your case?

John


RE: SSL error [EXTERNAL]

2020-06-26 Thread John.E.Gregg
Shawn,


-Original Message-
From: Beard, Shawn M.  
Sent: Friday, June 26, 2020 11:57 AM
To: Tomcat Users List 
Subject: RE: SSL error [EXTERNAL]

The code is calling a new webservice. It has godaddy as its ca signer. It was 
getting the error before I added those java options. Those java options were my 
attempt to resolve it. I've also tried adding the godaddy ca certs to java's 
cacert file without those java options. Same result.



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-Original Message-
From: calder 
Sent: Friday, June 26, 2020 11:45 AM
To: Tomcat Users List 
Subject: Re: SSL error [EXTERNAL]



On Fri, Jun 26, 2020, 10:37 Beard, Shawn M. wrote:

> We are running tomcat-7.0.52(old I know) and java 1.7.0_80.
>

yea, BOTH are very old.

> When the app makes calls to an external webservice. It keeps throwing this
> error:
>
> javax.net.ssl.SSLException : javax.net.ssl.SSLException:
> java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors 
> parameter must be non-empty
>
[1]

> I have this in the java options and have confirmed the proper CA certs 
> for this webservice is in the truststore. Any ideas?
>
> -Djavax.net.ssl.trustStore=/path/to/truststore/tomcatTrustStore.jks
> -Djavax.net.ssl.trustStorePassword=
> -Djavax.net.ssl.trustStoreType=jks
>

Did this runtime EVER work?

If yes, "what" changed?



[1]
https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty

That error message comes from PKIXParameters.setTrustAnchors().  I was able to 
reproduce the problem with an empty trust store.  I also tried a trust store 
with the wrong certs but got a different error.

With -Djavax.net.debug=ssl, you should see output like this:

trustStore is: /path/to/trust.jks
trustStore type is: jks
trustStore provider is: 
the last modified time is: Fri Jun 26 13:27:52 CDT 2020
Reload the trust store
Reload trust certs
Reloaded 1 trust certs
adding as trusted cert:

Followed by a list of certs found in the store.

Is that what's happening in your case?

John
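
Added example (not part of the original thread, and not Tomcat or JDK code): a small Java check for the condition described above, showing that PKIXParameters rejects a store with no trusted-certificate entries and reporting how many trust anchors a given store file actually yields. The class and method names are hypothetical; the system properties are the ones quoted in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added illustration; class and method names are hypothetical.
public class TrustAnchorCheck {

    // Count only trustedCertEntry aliases: these are what PKIX uses as anchors.
    // PrivateKeyEntry aliases make size() > 0 but contribute no anchors.
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                anchors++;
            }
        }
        return anchors;
    }

    // Returns null when PKIXParameters accepts the store, else the error text.
    static String pkixVerdict(KeyStore ks) throws Exception {
        try {
            new PKIXParameters(ks);
            return null;
        } catch (InvalidAlgorithmParameterException e) {
            return e.getMessage();
        }
    }

    static void report(String label, KeyStore ks) throws Exception {
        String verdict = pkixVerdict(ks);
        System.out.println(label + ": entries=" + ks.size()
                + " trustAnchors=" + countTrustAnchors(ks)
                + " pkix=" + (verdict == null ? "ok" : verdict));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an initialised in-memory store with no entries.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        report("empty in-memory store", empty);

        // Optional: audit the file named by the same properties the thread uses.
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            return;
        }
        String type = System.getProperty("javax.net.ssl.trustStoreType",
                KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // For JKS, a null password loads entries without the integrity check.
            ks.load(in, pw.isEmpty() ? null : pw.toCharArray());
        }
        report(path, ks);
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore options as the Tomcat JVM to see whether the file that JVM opens yields any trust anchors; a store can have entries and still report trustAnchors=0.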



RE: SSL error [EXTERNAL]

2020-06-26 Thread Beard, Shawn M.
The code is calling a new webservice. It has godaddy as its ca signer. It was 
getting the error before I added those java options. Those java options were my 
attempt to resolve it. I've also tried adding the godaddy ca certs to java's 
cacert file without those java options. Same result.



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-Original Message-
From: calder 
Sent: Friday, June 26, 2020 11:45 AM
To: Tomcat Users List 
Subject: Re: SSL error [EXTERNAL]



On Fri, Jun 26, 2020, 10:37 Beard, Shawn M. wrote:

> We are running tomcat-7.0.52(old I know) and java 1.7.0_80.
>

yea, BOTH are very old.

> When the app makes calls to an external webservice. It keeps throwing this
> error:
>
> javax.net.ssl.SSLException : javax.net.ssl.SSLException:
> java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
>
[1]

> I have this in the java options and have confirmed the proper CA certs
> for this webservice is in the truststore. Any ideas?
>
> -Djavax.net.ssl.trustStore=/path/to/truststore/tomcatTrustStore.jks
> -Djavax.net.ssl.trustStorePassword=
> -Djavax.net.ssl.trustStoreType=jks
>

Did this runtime EVER work?

If yes, "what" changed?



[1]
https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty


Re: SSL error

2020-06-26 Thread calder
On Fri, Jun 26, 2020, 10:37 Beard, Shawn M. wrote:

> We are running tomcat-7.0.52(old I know) and java 1.7.0_80.
>

yea, BOTH are very old.

> When the app makes calls to an external webservice. It keeps throwing this
> error:
>
> javax.net.ssl.SSLException : javax.net.ssl.SSLException:
> java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
>
[1]

> I have this in the java options and have confirmed the proper CA certs for
> this webservice is in the truststore. Any ideas?
>
> -Djavax.net.ssl.trustStore=/path/to/truststore/tomcatTrustStore.jks
> -Djavax.net.ssl.trustStorePassword=
> -Djavax.net.ssl.trustStoreType=jks
>

Did this runtime EVER work?

If yes, "what" changed?



[1]
https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty


Re: SSL error certificate question

2009-08-18 Thread Mark Thomas
BJ Selman wrote:
 First of all, is there a specific extension required for SSL certificates on 
 an Apache/Tomcat server?  i.e. Does it have to be a crt or a cert or ?  
 Seems like I read that it needs to be PEM-encoded - that's about all I 
 could find.
 
 Also, my error log is showing the below... Where should I start looking for 
 the problem?  (Trying to 'rewrite' a certain page to httpS - it never gets 
 redirected... if I manually add the s, the browser tells me its trying to 
 connect to SSL, but when I 'proceed' through the security warning, the s 
 disappears from the URL)

That looks like an httpd log, not a Tomcat one. You'll have more luck on
the httpd users list.

Mark



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL error when invoking web service

2008-01-23 Thread Rizwan Merchant


Thanks for the response.
The client can be any one who wants to post an XML message to this URL. 
So you could create an xml message and post the request using https.
Not sure why the client would need to 'add' this certificate. We have 
written code to connect to many such web services and we never need to 
add certificates from the server we are connecting to? For example, if 
we need to use Fedex's API service, we need to send the request using 
https, but we have never added any certificates from them on our server.




Bill Barker wrote:
Rizwan Merchant [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
  

Hi,

We have a web based application running on Tomcat 6. The server.xml file
is configured so that the application can handle incoming https requests
on port 443 (default). When a user hits the URL http://www.mydomain.com,
it automatically redirects to https://www.mydomain.com (due to security
constraint set up in web.xml).

We also have a web service running which is invoked by posting the
request message to http://www.mydomain.com/rpc2
I am trying to enforce ssl on this service as well, but when a message
is posted to https://www.mydomain.com/rpc2 (secure using https
protocol), the client is seeing the following error:
(Posting the message to http://www.mydomain.com/rpc2 works fine)

*Error 60:SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed*




You didn't say what the client is so I can't offer much on how to fix it. 
But the error is saying that the client couldn't find the CA certificate 
that signed your Tomcat server certificate in its list of trusted CAs.  As 
a result, the client correctly decides not to trust your Tomcat server.


You need to add the CA certificate to the client's trusted certificate list, 
as explained in the documentation for the client (but probably cacerts.pem).


  

Basically, the https is working fine on the website, but not for the web
service (which, from what I understand, is being handled by a separate
servlet, rpc2).

Any ideas please?

Thanks,
-Rizwan Merchant.











  


Re: SSL error when invoking web service

2008-01-23 Thread Bill Barker

Rizwan Merchant [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

 Thanks for the response.
 The client can be any one who wants to post an XML message to this URL.
 So you could create an xml message and post the request using https.
 Not sure why the client would need to 'add' this certificate. We have
 written code to connect to many such web services and we never need to
 add certificates from the server we are connecting to? For example, if
 we need to use Fedex's API service, we need to send the request using
 https, but we have never added any certificates from them on our server.



Without looking, Fedex almost certainly uses one of the big commercial CAs 
(e.g. Verisign, Thawte).  Their CA certs ship with almost all SSL enabled 
clients, and so the client will be able to verify the certificate chain up 
to a trusted CA.  This is pretty much the only way to go if anyone can 
post to the URL.  If you're using your own CA (or, worse, a self-signed 
cert), then the server's certificate won't be trusted without adding the CA 
cert (and in the case of self-signed, may not be trusted in any case).  SSL 
certificates work sort of like the mafia:  If someone I trust will sign for 
you, then I'll trust you ;).


 Bill Barker wrote:
 Rizwan Merchant [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]

 Hi,

 We have a web based application running on Tomcat 6. The server.xml file
 is configured so that the application can handle incoming https requests
 on port 443 (default). When a user hits the URL http://www.mydomain.com,
 it automatically redirects to https://www.mydomain.com (due to security
 constraint set up in web.xml).

 We also have a web service running which is invoked by posting the
 request message to http://www.mydomain.com/rpc2
 I am trying to enforce ssl on this service as well, but when a message
 is posted to https://www.mydomain.com/rpc2 (secure using https
 protocol), the client is seeing the following error:
 (Posting the message to http://www.mydomain.com/rpc2 works fine)

 *Error 60:SSL certificate problem, verify that the CA cert is OK.
 Details: error:14090086:SSL
 routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed*



 You didn't say what the client is so I can't offer much on how to fix it.
 But the error is saying that the client couldn't find the CA certificate
 that signed your Tomcat server certificate in its list of trusted CAs. As
 a result, the client correctly decides not to trust your Tomcat server.

 You need to add the CA certificate to the client's trusted certificate list,
 as explained in the documentation for the client (but probably cacerts.pem).


 Basically, the https is working fine on the website, but not for the web
 service (which, from what I understand, is being handled by a separate
 servlet, rpc2).

 Any ideas please?

 Thanks,
 -Rizwan Merchant.







 






Re: SSL error when invoking web service

2008-01-22 Thread Bill Barker

Rizwan Merchant [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

 Hi,

 We have a web based application running on Tomcat 6. The server.xml file
 is configured so that the application can handle incoming https requests
 on port 443 (default). When a user hits the URL http://www.mydomain.com,
 it automatically redirects to https://www.mydomain.com (due to security
 constraint set up in web.xml).

 We also have a web service running which is invoked by posting the
 request message to http://www.mydomain.com/rpc2
 I am trying to enforce ssl on this service as well, but when a message
 is posted to https://www.mydomain.com/rpc2 (secure using https
 protocol), the client is seeing the following error:
 (Posting the message to http://www.mydomain.com/rpc2 works fine)

 *Error 60:SSL certificate problem, verify that the CA cert is OK.
 Details: error:14090086:SSL
 routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed*


You didn't say what the client is so I can't offer much on how to fix it. 
But the error is saying that the client couldn't find the CA certificate 
that signed your Tomcat server certificate in its list of trusted CAs.  As 
a result, the client correctly decides not to trust your Tomcat server.

You need to add the CA certificate to the client's trusted certificate list, 
as explained in the documentation for the client (but probably cacerts.pem).

 Basically, the https is working fine on the website, but not for the web
 service (which, from what I understand, is being handled by a separate
 servlet, rpc2).

 Any ideas please?

 Thanks,
 -Rizwan Merchant.












RE: SSL Error : Please HELP

2005-10-17 Thread Longson, Robert
You want to put this in the Java tab under Java Options.

Best regards

Robert.

-Original Message-
From: James Rome [mailto:[EMAIL PROTECTED]
Sent: 17 October 2005 16:00
To: tomcat-user@jakarta.apache.org
Subject: SSL Error : Please HELP


I tried putting 
start -Djavax.net.debug=ssl:handshake
in the Windows 5.5 GUI startup tab under arguments and Tomcat will not start

How does one get this to work?

Jim
-
You can pass the option '-Djavax.net.debug=ssl:handshake' to the Tomcat 
startup, (either set JAVA_OPTS to it if you are using startup.bat, or add it 
via the tomcat5w.exe GUI if you are using the service).  It will give you 
tons of information about the SSL negotiations from the Tomcat side.  If the 
problem doesn't pop out at you, post the results to the list, and maybe 
another set of eyes will see something.

Iannis' answer below is the most likely answer to your problem, without 
knowing more about it.

Lalit Batra [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
yes it was typing mistake. I use https://localhost:8443/ Netscape 7.0 works,
IE 6.x Works but Mozilla and Netscape 8.0 fails.

Thanks,
Lalit


  

 
The information contained in this message is intended only for the recipient, 
and may be a confidential attorney-client communication or may otherwise be 
privileged and confidential and protected from disclosure. If the reader of 
this message is not the intended recipient, or an employee or agent responsible 
for delivering this message to the intended recipient, please be aware that any 
dissemination or copying of this communication is strictly prohibited. If you 
have received this communication in error, please immediately notify us by 
replying to the message and deleting it from your computer. 

 
