Problems putting to a secure DAV

Anthony Shortland

Jan 7, 2011, 4:12:09 PM
to ControlTier Accounting
I was having trouble putting files to a secure DAV using ControlTier:

[jboss@linux1 ~]$ ctl -p GEDI -m davutil -c put -- -file /tmp/crap -url https://linux1.gedi.dtosolutions.com/dav/crap -username default -password default -overwrite
Error: The following error occurred while executing this line:
/opt/ctier/ctl/modules/davutil/commands/put.xml:34: Put error! (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)


Searching the Internet, I found http://blogs.sun.com/andreas/entry/no_more_unable_to_find ... which indicated that:

"this usually means is that the server is using a test certificate (possibly generated using keytool) rather than a certificate from a well known commercial Certification Authority such as Verisign or GoDaddy. Web browsers display warning dialogs in this case, but since JSSE cannot assume an interactive user is present it just throws an exception by default."

Following the instructions:

Anthonys-MacBook-Pro-2:Desktop anthony$ javac InstallCert.java 
Anthonys-MacBook-Pro-2:Desktop anthony$ java InstallCert releases.gedi.pt
Loading KeyStore /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts...
Opening connection to releases.gedi.pt:443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
        at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:182)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1198)
        ... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
        ... 14 more

Server sent 1 certificate(s):

 1 Subject EMAILADDRESS=ro...@linux1.gedi.dtosolutions.com, CN=linux1.gedi.dtosolutions.com, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
   Issuer  EMAILADDRESS=ro...@linux1.gedi.dtosolutions.com, CN=linux1.gedi.dtosolutions.com, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
   sha1    87 f4 ab 83 98 a1 39 37 09 ac ba a9 b5 a5 52 61 2b 59 f4 16 
   md5     4c 9b 0b f1 31 13 ff c2 97 93 09 e7 8d 59 51 c6 

Enter certificate to add to trusted keystore or 'q' to quit: [1]


[
[
  Version: V3
  Subject: EMAILADDRESS=ro...@linux1.gedi.dtosolutions.com, CN=linux1.gedi.dtosolutions.com, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 105936929022002263569337935880217704298400677870752536465454239904176419014215214942459259246958756564934896629116664469696989175216958494786097634534234174319658524697107777411037415147632834189433931691799376280593253789808365849817718473174012022760952744669160625943118542149650761253434896120382074548793
  public exponent: 65537
  Validity: [From: Thu Jan 06 11:44:58 PST 2011,
               To: Fri Jan 06 11:44:58 PST 2012]
  Issuer: EMAILADDRESS=ro...@linux1.gedi.dtosolutions.com, CN=linux1.gedi.dtosolutions.com, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
  SerialNumber: [    1058]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 56 B8 BA B0 25 82 D7 FA   19 93 77 B0 3C 5C 5A 29  V...%.....w.<\Z)
0010: 76 9C 55 CB                                        v.U.
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 56 B8 BA B0 25 82 D7 FA   19 93 77 B0 3C 5C 5A 29  V...%.....w.<\Z)
0010: 76 9C 55 CB                                        v.U.
]

[EMAILADDRESS=ro...@linux1.gedi.dtosolutions.com, CN=linux1.gedi.dtosolutions.com, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--]
SerialNumber: [    1058]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

]
  Algorithm: [SHA1withRSA]
]

Added certificate to keystore 'jssecacerts' using alias 'releases.gedi.pt-1'

Anthonys-MacBook-Pro-2:Desktop anthony$ sudo cp jssecacerts /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home/lib/security/
Password:

... fixed the problem, allowing me to put files into the DAV over a secure connection:

Anthonys-MacBook-Pro-2:Desktop anthony$  ctl -p SIAG -m davutil -c put -- -file /tmp/crap -url https://releases.gedi.pt/dav/crap -username default -password default -overwrite
Uploading: crap

Anthony.
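
An added example, not part of the original post and not ControlTier or InstallCert code: InstallCert trusts whatever certificate the server presents during the handshake, so a practitioner would normally confirm the fingerprint out of band and keep the self-signed certificate in a dedicated trust store rather than replacing the JRE-wide one. The class name PinnedTrustStore, the alias dav-server, the file names and the use of a SHA-256 fingerprint (InstallCert prints sha1 and md5) are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: import one server certificate into its own trust store,
// but only if its fingerprint matches a value obtained out of band.
public class PinnedTrustStore {
    // Lowercase hex SHA-256 of the DER-encoded certificate.
    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Usage: java PinnedTrustStore server.pem <expected-sha256> dav-truststore.jks <store-password>
    public static void main(String[] args) throws Exception {
        if (args.length != 4) { System.err.println("expected 4 arguments"); System.exit(2); }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {   // PEM or DER file
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Accept "AA:BB:.." or "aa bb .." spellings of the expected fingerprint.
        String expected = args[1].replace(":", "").replace(" ", "").toLowerCase();
        String actual = sha256Hex(cert);
        if (!expected.equals(actual)) {
            System.err.println("Fingerprint mismatch, refusing to trust: " + actual);
            System.exit(1);
        }
        cert.checkValidity();                 // throws if expired or not yet valid

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                  // start empty: trust this certificate only
        ks.setCertificateEntry("dav-server", cert);
        try (OutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, args[3].toCharArray());
        }
        // Confirm JSSE can build a trust manager and TLS context from the new store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        System.out.println("Wrote " + args[2] + " trusting " + cert.getSubjectX500Principal());
    }
}
```

A client JVM started with the standard JSSE properties -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword pointing at this file then trusts only that server, and the JRE's cacerts and jssecacerts files stay untouched.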