hhm, I am still confused but at least on a higher level...

> I can only think of two possibilities, both remote. One is that for
> some reason java is not using the cacerts file you think it's using.

How can I check this?

> The other is that for some reason the WiaB/Java Cert code doesn't like
> your root ca cert.

Hhm, until Rev "82c0fdac92" from 21.11.2010 (Author: Lennard de Rijk) anything worked fine. I did not change my certificates since that time. So, if you do not change anything in the WiaB/Java Cert code I would assume that my certificates should still be acceptable.

The only change that I did in the meantime is to switch from sunjdk to openjdk because this was the only way to get a "Build successful" when using a newer revision (don't know what has changed since revision "a0bb2b9998" from 21.11.2010 (Author: Alex North)... see also my previous comments/questions here: http://groups.google.com/group/wave-protocol/browse_thread/thread/22991eb120d686ea )

Johannes

On 10 Jan., 16:37, Tad Glines <[email protected]> wrote:
> I can only think of two possibilities, both remote. One is that for
> some reason java is not using the cacerts file you think it's using.
> The other is that for some reason the WiaB/Java Cert code doesn't like
> your root ca cert. At this point I'd recommend running WiaB under the
> debugger and tracing the problem down that way. At the least, you'll
> get a full (instead of truncated) stack trace.
>
> -Tad
>
> On Mon, Jan 10, 2011 at 6:34 AM, jowi <[email protected]> wrote:
> > Hi Tad
> >
> > thanks for your answer
> >
> > I added again the rootcert.pem to the cacert file using the keytool
> > command (see above).
> > In addition I checked the certificates:
> >
> > dave@dave:~/testlab/wave$ openssl verify -CAfile rootcert.pem dave.org.crt
> > dave.org.crt: OK
> > dave@dave:~/testlab/wave$
> >
> > So, both certificates seem to be ok from my point of view.
> > Nevertheless, the error messages on the screen are the same, so the
> > above-described problem still exists...
> >
> > Any further ideas to solve the problem?
> >
> > On 5 Jan., 20:11, Tad Glines <[email protected]> wrote:
> >> The key part of the error is "Caused by:
> >> java.security.cert.CertPathValidatorException: Path does not chain
> >> with any of the trust anchors". This means either dave.org.crt wasn't
> >> signed by rootcert.pem, or rootcert.pem isn't in the cacerts file.
> >>
> >> You can use "openssl verify -CAfile rootcert.pem dave.org.crt" to
> >> verify that dave.org.crt was signed by rootcert.pem.
> >> You may also want to compare the fingerprints of rootcert.pem and the
> >> version in cacerts to make sure they still match.
> >>
> >> Because the stack trace is truncated it's not possible to determine if
> >> there is some other issue that is causing the cert validation to fail.
> >>
> >> -Tad
> >>
> >> On Wed, Jan 5, 2011 at 9:26 AM, jowi <[email protected]> wrote:
> >> > Hello Tad
> >> >
> >> > Thanks for your answer.
> >> > I do not use startssl certificates.
> >> > Because I only want to use/test a wave federation scenario in my
> >> > private network, I created (using OpenSSL) my own root CA certificate
> >> > which validates my wave server certificates (e.g. dave.org.crt). So,
> >> > the "certificate_files" parameter in the server.federation.config file
> >> > then looks like this:
> >> >
> >> > certificate_files=dave.org.crt,rootcert.pem
> >> >
> >> > In a previous revision (approximately 2 months ago) this method worked
> >> > well.
> >> > In addition, I installed the root certificate in the Java keystore by
> >> > executing the following command:
> >> >
> >> > sudo keytool -importcert -storetype jks -keystore /etc/java/security/cacerts -file rootcert.pem
> >> >
> >> > I don't know if this is really needed, but I found a recommendation
> >> > somewhere on the internet that this should be done (unfortunately, the
> >> > specification about installing certificates in wave is a little bit
> >> > short in my opinion...)
> >> >
> >> > Johannes
> >> >
> >> > On 5 Jan., 17:28, Tad Glines <[email protected]> wrote:
> >> >> You get this error when there is a configuration or certificate issue.
> >> >>
> >> >> Check to make sure that "certificate_files" contains the complete
> >> >> trust chain. If you used startssl then you need to include
> >> >> sub.class1.server.ca.pem and ca.pem in the list.
> >> >>
> >> >> -Tad
> >> >>
> >> >> On Wed, Jan 5, 2011 at 6:57 AM, jowi <[email protected]> wrote:
> >> >> > Hello everybody
> >> >> >
> >> >> > when I execute run-server.sh I always get the following error message
> >> >> > (see detailed screen output below):
> >> >> >
> >> >> > Failed to add our own signer info to the certificate store
> >> >> >
> >> >> > What does it mean, and how can I solve the problem?
> >> >> > Any ideas?
> >> >> > (I use Ubuntu 10.04, openjdk and the last revision of WiaB.)
> >> >> >
> >> >> > ------------------------ error screen output --------------
> >> >> >
> >> >> > dave@dave:~/testlab/wave$ ./run-server.sh
> >> >> > 05.01.2011 14:24:32 org.waveprotocol.box.server.waveserver.WaveServerImpl <init>
> >> >> > INFO: Wave Server configured to host local domains: [dave.org]
> >> >> > 05.01.2011 14:24:32 org.waveprotocol.box.server.waveserver.WaveServerImpl <init>
> >> >> > SCHWERWIEGEND: Failed to add our own signer info to the certificate store
> >> >> > org.waveprotocol.wave.crypto.SignatureException: Certificate validation failure
> >> >> >     at org.waveprotocol.wave.crypto.CachedCertPathValidator.validateNoCache(CachedCertPathValidator.java:103)
> >> >> >     at org.waveprotocol.wave.crypto.CachedCertPathValidator.validate(CachedCertPathValidator.java:65)
> >> >> >     at org.waveprotocol.wave.crypto.WaveSignatureVerifier.verifySignerInfo(WaveSignatureVerifier.java:129)
> >> >> >     at org.waveprotocol.box.server.waveserver.CertificateManagerImpl.storeSignerInfo(CertificateManagerImpl.java:199)
> >> >> >     at org.waveprotocol.box.server.waveserver.WaveServerImpl.<init>(WaveServerImpl.java:363)
> >> >> >     at org.waveprotocol.box.server.waveserver.WaveServerImpl$$FastClassByGuice$$3065e839.newInstance(<generated>)
> >> >> >     at com.google.inject.internal.cglib.reflect.FastConstructor.newInstance(FastConstructor.java:40)
> >> >> >     at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:59)
> >> >> >     at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:84)
> >> >> >     at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:200)
> >> >> >     at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:43)
> >> >> >     at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:878)
> >> >> >     at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
> >> >> >     at com.google.inject.Scopes$1$1.get(Scopes.java:64)
> >> >> >     at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40)
> >> >> >     at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:53)
> >> >> >     at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:43)
> >> >> >     at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:878)
> >> >> >     at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
> >> >> >     at com.google.inject.Scopes$1$1.get(Scopes.java:64)
> >> >> >     at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:40)
> >> >> >     at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
> >> >> >     at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
> >> >> >     at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:83)
> >> >> >     at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:200)
> >> >> >     at com.google.inject.internal.InjectorImpl$4$1.call(InjectorImpl.java:825)
> >> >> >     at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:871)
> >> >> >     at com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:821)
> >> >> >     at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:860)
> >> >> >     at org.waveprotocol.box.server.ServerMain.run(ServerMain.java:130)
> >> >> >     at org.waveprotocol.box.server.ServerMain.main(ServerMain.java:76)
> >> >> > Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
> >> >> >     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:204)
> >> >> >     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
> >> >> >     at org.waveprotocol.wave.crypto.CachedCertPathValidator.validateNoCache(CachedCertPathValidator.java:101)
> >> >> >     ... 30 more
> >> >> > 05.01.2011 14:24:33 com.google.gson.ParameterizedTypeHandlerMap register
> >> >> > WARNUNG: Overriding the existing type handler for class com.google.wave.api.Element
> >> >> > 05.01.2011 14:24:33 com.google.gson.ParameterizedTypeHandlerMap register
> >> >> > WARNUNG: Overriding the existing type handler for class com.google.wave.api.Element
> >> >> > 05.01.2011 14:24:33 com.google.gson.ParameterizedTypeHandlerMap register
> >> >> > WARNUNG: Overriding the existing type handler for class com.google.wave.api.Attachment
> >> >> > 05.01.2011 14:24:33 com.google.gson.ParameterizedTypeHandlerMap register
> >> >> > WARNUNG: Overriding the existing type handler for class com.google.wave.api.Attachment
> >> >> > 05.01.2011 14:24:33 org.waveprotocol.wave.federation.xmpp.ComponentPacketTransport initialize
> >> >> > INFO: Initializing with JID: wave.dave.org
> >> >> > 05.01.2011 14:24:33 org.waveprotocol.wave.federation.xmpp.ComponentPacketTransport start
> >> >> > INFO: Connected to XMPP server with JID: wave.dave.org
> >> >> > 05.01.2011 14:24:33 org.waveprotocol.box.server.ServerMain run
> >> >> > INFO: Starting server
> >> >> > 2011-01-05 14:24:33.649:INFO::jetty-0.3
> >> >> > 2011-01-05 14:24:33.884:INFO:org.eclipse.jetty.servlets.org.eclipse.jetty.servlets.ProxyServlet$Transparent-14666567:org.eclipse.jetty.servlets.ProxyServlet
> >
> > ...
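
Added example, not part of the thread or of the WiaB code base: a stand-alone Java check for the two possibilities discussed above. It reports which trust store the running JVM resolves, whether rootcert.pem is among its anchors, and then runs the PKIX validation that produced "Path does not chain with any of the trust anchors". The class name `TrustAnchorCheck` and the use of the JVM default trust store as the anchor source are assumptions; WiaB may assemble its anchors differently.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical diagnostic. Run with the same java binary that starts the server:
//   java TrustAnchorCheck dave.org.crt rootcert.pem
public class TrustAnchorCheck {
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate server = load(args[0]), root = load(args[1]);

        // An explicit javax.net.ssl.trustStore wins; otherwise the JVM reads
        // jssecacerts or cacerts under <java.home>/lib/security.
        System.out.println("java.home                = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));

        // Assumption: anchors come from the JVM default trust store (null KeyStore = default).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        boolean rootPresent = false;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                anchors.add(new TrustAnchor(ca, null));
                rootPresent |= ca.equals(root); // equal encodings, i.e. equal fingerprints
            }
        }
        System.out.println(anchors.size() + " anchors loaded; root cert among them: " + rootPresent);

        // PKIX validation of the server cert against those anchors. Revocation
        // checking is disabled here (assumption: a private test CA has no CRL).
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(server));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: " + server.getSubjectX500Principal() + " chains to a trust anchor");
        } catch (CertPathValidatorException e) {
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

If the root is reported as absent here while `keytool -list` shows it in /etc/java/security/cacerts, the JVM in use is reading a different trust store than the one that was edited.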
