Re: The dropwizard app suddenly fails to validate the server cert (that used to work for a long time)

Evan Meagher
Nov 5, 2016, 2:09:05 PM
to Lifeng Sang, dropwiz...@googlegroups.com
Hello Lifeng. The dropwizard-user@ mailing list is the best place to ask these sorts of questions.

On Fri, Nov 4, 2016 at 11:09 PM, Lifeng Sang <lifen...@airbnb.com> wrote:
Hi Evan,
  Sorry to bother you again. I just had a weird issue, not sure if you have experienced it in the past.
I have a testing server cert (that's signed by an intermediate cert, which is signed by a self-signed root cert). The intermediate cert and root cert are included in a truststore file. Everything worked for a long time, but today when I tried to start the dropwizard application, it suddenly complained with the following exception and the server failed to start. The things I'm 100% sure of are:
  • The keystore file and truststore file (configured in the dropwizard application) haven't been changed
  • None of the server cert, intermediate cert or root cert is expired
  • The dropwizard version is the same
Do you know if there is any environment variable (or system configurations) that could change the behavior of how the server cert is validated in dropwizard?

Thank you!
Lifeng


keyStorePath: src/main/resources/dev/test.keystore.jks
keyStorePassword: testingxxxxxx
trustStorePath: src/main/resources/dev/test.truststore.jks
trustStorePassword: testingxxxxxx
crlPath: src/main/resources/dev/test.crl.pem
wantClientAuth: true
enableCRLDP: false
enableOCSP: false
supportedProtocols: [TLSv1.2]



WARN  [2016-11-05 05:41:31,900] -main- org.eclipse.jetty.util.component.AbstractLifeCycle: FAILED SslContextFactory@15f8701f(src/main/resources/dev/test.keystore.jks,src/main/resources/dev/test.truststore.jks): java.security.cert.CertificateException: Unable to validate certificate: unable to find valid certification path to requested target
! sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
! at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) ~[na:1.8.0_51]
! at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[na:1.8.0_51]
! at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_51]
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:248) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! ... 15 common frames omitted
! Causing: java.security.cert.CertificateException: Unable to validate certificate: unable to find valid certification path to requested target
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:256) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:189) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:293) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69) [jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:118) [jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.Server.start(Server.java:342) [jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:100) [jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60) [jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.Server.doStart(Server.java:290) [jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69) [jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at io.dropwizard.cli.ServerCommand.run(ServerCommand.java:43) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:43) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:76) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.Cli.run(Cli.java:70) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.Application.run(Application.java:72) [dropwizard-core-0.7.1.jar:0.7.1]

WARN  [2016-11-05 05:41:31,901] -main- org.eclipse.jetty.util.component.AbstractLifeCycle: FAILED org.eclipse.jetty.server.Server@53a5e217: java.security.cert.CertificateException: Unable to validate certificate: unable to find valid certification path to requested target
! sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
! at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) ~[na:1.8.0_51]
! at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[na:1.8.0_51]
! at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_51]
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:248) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! ... 15 common frames omitted
! Causing: java.security.cert.CertificateException: Unable to validate certificate: unable to find valid certification path to requested target
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:256) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:189) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:293) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:118) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.Server.start(Server.java:342) ~[jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:100) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60) ~[jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.Server.doStart(Server.java:290) ~[jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at io.dropwizard.cli.ServerCommand.run(ServerCommand.java:43) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:43) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:76) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.Cli.run(Cli.java:70) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.Application.run(Application.java:72) [dropwizard-core-0.7.1.jar:0.7.1]

ERROR [2016-11-05 05:41:31,901] -main- io.dropwizard.cli.ServerCommand: Unable to start server, shutting down
! sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
! at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) ~[na:1.8.0_51]
! at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[na:1.8.0_51]
! at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_51]
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:248) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! ... 15 common frames omitted
! Causing: java.security.cert.CertificateException: Unable to validate certificate: unable to find valid certification path to requested target
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:256) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:189) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:293) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:118) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.Server.start(Server.java:342) ~[jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:100) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60) ~[jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.server.Server.doStart(Server.java:290) ~[jetty-server-9.0.7.v20131107.jar:9.0.7.v20131107]
! at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69) ~[jetty-util-9.0.7.v20131107.jar:9.0.7.v20131107]
! at io.dropwizard.cli.ServerCommand.run(ServerCommand.java:43) ~[dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:43) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:76) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.cli.Cli.run(Cli.java:70) [dropwizard-core-0.7.1.jar:0.7.1]
! at io.dropwizard.Application.run(Application.java:72) [dropwizard-core-0.7.1.jar:0.7.1]




--
Evan Meagher
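
A way to test the time-dependent inputs that the configuration above feeds into the PKIX path build (an added diagnostic, not part of the original thread and not Dropwizard or Jetty code): it prints each CRL's thisUpdate/nextUpdate, then builds the path from the keystore's leaf certificate to the truststore with revocation checking off and on. The class name, the argument order and loading both stores as JKS with one password are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic (not Dropwizard/Jetty code). Args: keystore truststore storePassword crlPem
public class PkixStartupCheck {
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: both stores are JKS
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        char[] pw = args[2].toCharArray();
        KeyStore keys = load(args[0], pw), trust = load(args[1], pw);
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(args[3])) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        // A CRL has its own validity window, independent of the certificates.
        for (CRL c : crls) {
            X509CRL crl = (X509CRL) c;
            Date next = crl.getNextUpdate();
            System.out.printf("CRL issuer=%s thisUpdate=%s nextUpdate=%s stale=%b%n",
                crl.getIssuerX500Principal(), crl.getThisUpdate(), next,
                next != null && next.before(new Date()));
        }
        for (String alias : Collections.list(keys.aliases())) {
            Certificate[] chain = keys.getCertificateChain(alias);
            if (chain == null) continue; // not a key entry, nothing to validate
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.printf("%s: leaf=%s notAfter=%s%n", alias,
                leaf.getSubjectX500Principal(), leaf.getNotAfter());
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(leaf);
            PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
            List<Object> material = new ArrayList<>(Arrays.asList(chain));
            material.addAll(crls);
            params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(material)));
            // Build without, then with, revocation checking to see which stage fails.
            for (boolean revocation : new boolean[] {false, true}) {
                params.setRevocationEnabled(revocation);
                try {
                    CertPathBuilder.getInstance("PKIX").build(params);
                    System.out.println(alias + " revocation=" + revocation + ": path OK");
                } catch (CertPathBuilderException e) {
                    System.out.println(alias + " revocation=" + revocation + ": " + e.getMessage());
                }
            }
        }
    }
}
```

If the build succeeds with revocation=false and fails with revocation=true, the certificates do chain to the truststore and the failure lies in the revocation data.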