[fcrepo-user] Change default self-signed certificate


Enrico Anello (OEKM)

Jan 27, 2012, 10:54:01 AM1/27/12
to fedora-com...@lists.sourceforge.net
Dear all,

I have a Fedora installation with embedded Tomcat which runs with SSL using the default self-signed certificate that comes with the installation.
Since I need to replace that certificate with another self-signed cert made by myself, how can I do it?

I've been digging through and I see that Tomcat loads the keystore via these parameters:
-Djavax.net.ssl.trustStore=/var/fedora/server/truststore -Djavax.net.ssl.trustStorePassword=tomcat

I have actually replaced that truststore with the one I generated myself, but nothing happened; if I check the certificate from the browser, it keeps saying that it is the default one from the original installation!

Any tips?

Thank you and Regards,
Enrico Anello

Food and Agriculture Organization of the United Nations
Via delle terme di Caracalla, 1 - 00100 - Rome (Italy)

Greg Jansen

Jan 27, 2012, 11:33:00 AM1/27/12
to fedora-com...@lists.sourceforge.net
Hey Enrico,
I think you have to change which certificate within the keystore is to be used, in tomcat's server.xml file. The default key for tomcat is the first one found in the keystore, so that's probably the original one. You'll need to add a "keyAlias" attribute that points to your self-signed cert.
See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support

Greg
_______________________________________________ Fedora-commons-users mailing list Fedora-com...@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fedora-commons-users


-- 
___
Gregory N. Jansen
Developer - Carolina Digital Repository
UNC Chapel Hill Libraries
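As an added illustration of Greg's point (this fragment is not from the thread or from the Fedora distribution), the certificate Tomcat presents to browsers is chosen by the HTTPS connector in server.xml, not by the -Djavax.net.ssl.trustStore properties quoted above: those properties only tell the JVM which certificates to trust when it acts as a TLS client. The keystore path, password and alias below are placeholders; the alias must match the one used when the new key pair was generated in the keystore.

```xml
<!-- Tomcat 6 HTTPS connector; only the attributes relevant to certificate selection are shown.
     Paths, passwords and the alias are placeholders for this example. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/PATH/TO/fedora/server/keystore"
           keystorePass="KEYSTORE_PASSWORD"
           keyAlias="my-new-selfsigned"
           truststoreFile="/var/fedora/server/truststore"
           truststorePass="tomcat" />
```

Without keyAlias the connector uses the first key entry it finds in the keystore, which is why the original certificate kept being served even after the truststore was swapped; the truststoreFile/truststorePass attributes here only matter for client-certificate authentication and are shown for completeness.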

Enrico Anello (OEKM)

Jan 27, 2012, 11:48:36 AM1/27/12
to fedora-com...@lists.sourceforge.net
Thanks Greg,
just followed your instructions and it worked smoothly :-)))

Many many thanks and regards,
Enrico

Enrico Anello (OEKM)

Feb 3, 2012, 8:44:08 AM2/3/12
to fedora-com...@lists.sourceforge.net
Hi Greg,
Sorry for bothering you again on the same issue.
Since I modified the self-signed certificate, I can't get gsearch working anymore.
The exception thrown is always:

Fedora Object xxxxxxxxxx not found at DemoAtDtu; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

I have configured Tomcat to load the keystore containing the self-signed certificate and to load a custom truststore in which I trusted that certificate. I have also run Tomcat with the SSL debug options, and here is the result:

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-8443-1, setSoTimeout(60000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1328210885 bytes = { 67, 138, 70, 121, 118, 92, 54, 158, 143, 142, 85, 65, 104, 198, 105, 187, 13, 101, 245, 198, 200, 96, 231, 127, 90, 242, 78, 197 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
http-8080-4, WRITE: TLSv1 Handshake, length = 75
http-8080-4, WRITE: SSLv2 client hello message, length = 101
http-8443-1, READ:  SSL v2, contentType = Handshake, translated length = 75
*** ClientHello, TLSv1
RandomCookie:  GMT: 1328210885 bytes = { 67, 138, 70, 121, 118, 92, 54, 158, 143, 142, 85, 65, 104, 198, 105, 187, 13, 101, 245, 198, 200, 96, 231, 127, 90, 242, 78, 197 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
%% Created:  [Session-16, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1328210885 bytes = { 47, 120, 37, 197, 62, 247, 95, 232, 197, 6, 103, 66, 150, 175, 138, 223, 116, 114, 9, 89, 159, 191, 149, 137, 73, 59, 122, 65 }
Session ID:  {79, 43, 228, 197, 44, 49, 31, 110, 59, 165, 112, 152, 100, 250, 225, 128, 224, 239, 110, 235, 136, 192, 171, 142, 185, 238, 215, 99, 144, 238, 33, 131}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 17661593669421858218411695598553797822920372273555124371461037567902617101375504162491484973176890789579620089972944454891564865544786573612037968012019305163894378123784419527375220478530403364569016018453996686344369362921581597920769643751454368493077782536030400938009459107928045222069203207445307480604767696747643641235711336095880000296052166470303956724650011167885232993976903037401782809172246342969503969643912804519781046798499462554025521745428121941174946483101336873991433783598519754951275915999306443219649393264403734713231147801316173857847931988613935558702770768716915959357700644451196891575503
  public exponent: 65537
  Validity: [From: Fri Jan 27 17:37:34 CET 2012,
               To: Sat Jan 26 17:37:34 CET 2013]
  Issuer: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
  SerialNumber: [    4f22d2ce]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 2D 40 00 D7 8F F5 A4 85   F2 1B 72 AF C3 BC DE 8D  -@........r.....
0010: E5 50 9E 0D 63 CC D2 D6   4B C3 D0 55 B1 A8 76 12  .P..c...K..U..v.
0020: 3C 8A BE 7D E9 D4 25 E3   3F C1 2B 23 B7 19 10 97  <.....%.?.+#....
0030: 20 53 F7 7B 01 47 15 8F   2C 87 BB B9 02 D4 A7 8D   S...G..,.......
0040: 63 30 29 17 8B CA 71 6B   2B 56 7C 7D A7 B5 C4 90  c0)...qk+V......
0050: B3 4A 30 9A 24 BE E5 01   49 6E 98 BF 2D C1 36 4E  .J0.$...In..-.6N
0060: C4 B1 EF 21 B1 4E C0 C8   44 79 ED 8B BE E0 52 46  ...!.N..Dy....RF
0070: 87 73 B0 40 7E AC AF 9E   3A 3F 1B 47 01 C8 75 8A  .s.@....:?.G..u.
0080: 9D C3 AA E1 BA 24 99 45   59 B5 D6 14 5E 1E 92 6A  .....$.EY...^..j
0090: F6 67 B0 D9 70 1D C7 45   95 DB BE D3 D8 25 0F 5B  .g..p..E.....%.[
00A0: 17 E4 2F 73 7D 99 84 14   82 E8 C7 60 84 3E 54 94  ../s.......`.>T.
00B0: 0E AF 08 C0 0D 91 00 F2   55 3F AA D3 5D 37 28 35  ........U?..]7(5
00C0: 49 52 D0 BD 69 70 74 FD   4C BF 2C 13 EA AD 65 36  IR..ipt.L.,...e6
00D0: 92 D3 A7 BD D9 4C 89 3E   34 16 75 BF 9B 45 7E 30  .....L.>4.u..E.0
00E0: 26 2D CD 62 93 F8 19 16   2F 67 B0 20 2D ED 22 35  &-.b..../g. -."5
00F0: 20 12 33 CE 45 53 D5 F2   92 85 6A E2 2E 0D 84 43   .3.ES....j....C

]
***
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 932
http-8080-4, READ: TLSv1 Handshake, length = 932
*** ServerHello, TLSv1
RandomCookie:  GMT: 1328210885 bytes = { 47, 120, 37, 197, 62, 247, 95, 232, 197, 6, 103, 66, 150, 175, 138, 223, 116, 114, 9, 89, 159, 191, 149, 137, 73, 59, 122, 65 }
Session ID:  {79, 43, 228, 197, 44, 49, 31, 110, 59, 165, 112, 152, 100, 250, 225, 128, 224, 239, 110, 235, 136, 192, 171, 142, 185, 238, 215, 99, 144, 238, 33, 131}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Created:  [Session-17, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 17661593669421858218411695598553797822920372273555124371461037567902617101375504162491484973176890789579620089972944454891564865544786573612037968012019305163894378123784419527375220478530403364569016018453996686344369362921581597920769643751454368493077782536030400938009459107928045222069203207445307480604767696747643641235711336095880000296052166470303956724650011167885232993976903037401782809172246342969503969643912804519781046798499462554025521745428121941174946483101336873991433783598519754951275915999306443219649393264403734713231147801316173857847931988613935558702770768716915959357700644451196891575503
  public exponent: 65537
  Validity: [From: Fri Jan 27 17:37:34 CET 2012,
               To: Sat Jan 26 17:37:34 CET 2013]
  Issuer: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
  SerialNumber: [    4f22d2ce]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 2D 40 00 D7 8F F5 A4 85   F2 1B 72 AF C3 BC DE 8D  -@........r.....
0010: E5 50 9E 0D 63 CC D2 D6   4B C3 D0 55 B1 A8 76 12  .P..c...K..U..v.
0020: 3C 8A BE 7D E9 D4 25 E3   3F C1 2B 23 B7 19 10 97  <.....%.?.+#....
0030: 20 53 F7 7B 01 47 15 8F   2C 87 BB B9 02 D4 A7 8D   S...G..,.......
0040: 63 30 29 17 8B CA 71 6B   2B 56 7C 7D A7 B5 C4 90  c0)...qk+V......
0050: B3 4A 30 9A 24 BE E5 01   49 6E 98 BF 2D C1 36 4E  .J0.$...In..-.6N
0060: C4 B1 EF 21 B1 4E C0 C8   44 79 ED 8B BE E0 52 46  ...!.N..Dy....RF
0070: 87 73 B0 40 7E AC AF 9E   3A 3F 1B 47 01 C8 75 8A  .s.@....:?.G..u.
0080: 9D C3 AA E1 BA 24 99 45   59 B5 D6 14 5E 1E 92 6A  .....$.EY...^..j
0090: F6 67 B0 D9 70 1D C7 45   95 DB BE D3 D8 25 0F 5B  .g..p..E.....%.[
00A0: 17 E4 2F 73 7D 99 84 14   82 E8 C7 60 84 3E 54 94  ../s.......`.>T.
00B0: 0E AF 08 C0 0D 91 00 F2   55 3F AA D3 5D 37 28 35  ........U?..]7(5
00C0: 49 52 D0 BD 69 70 74 FD   4C BF 2C 13 EA AD 65 36  IR..ipt.L.,...e6
00D0: 92 D3 A7 BD D9 4C 89 3E   34 16 75 BF 9B 45 7E 30  .....L.>4.u..E.0
00E0: 26 2D CD 62 93 F8 19 16   2F 67 B0 20 2D ED 22 35  &-.b..../g. -."5
00F0: 20 12 33 CE 45 53 D5 F2   92 85 6A E2 2E 0D 84 43   .3.ES....j....C

]
***
http-8080-4, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
http-8080-4, WRITE: TLSv1 Alert, length = 2
http-8080-4, called closeSocket()
http-8443-1, READ: TLSv1 Alert, length = 2
http-8443-1, RECV TLSv1 ALERT:  fatal, certificate_unknown
http-8080-4, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
http-8443-1, called close()
http-8443-1, called closeInternal(true)
dk.defxws.fedoragsearch.server.errors.FedoraObjectNotFoundException: Fedora Object eims-document:418565 not found at DemoAtDtu; nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.getFoxmlFromPid(GenericOperationsImpl.java:340)
    at dk.defxws.fgssolr.OperationsImpl.fromPid(OperationsImpl.java:389)
    at dk.defxws.fgssolr.OperationsImpl.updateIndex(OperationsImpl.java:241)
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.updateIndex(GenericOperationsImpl.java:308)
    at dk.defxws.fedoragsearch.server.RESTImpl.updateIndex(RESTImpl.java:261)
    at dk.defxws.fedoragsearch.server.RESTImpl.doGet(RESTImpl.java:114)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at fedora.server.management.FedoraAPIMBindingSOAPHTTPStub.export(FedoraAPIMBindingSOAPHTTPStub.java:639)
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.getFoxmlFromPid(GenericOperationsImpl.java:338)
    ... 20 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 31 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:184)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    ... 42 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
    ... 49 more
Caused by: java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:421)
    at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
    ... 53 more
Finalizer, called close()
Finalizer, called closeInternal(true)



I'm sorry, but I feel really stuck on this...


Enrico


On 01/27/2012 05:33 PM, Greg Jansen wrote:

Greg Jansen

Feb 3, 2012, 9:25:22 AM2/3/12
to fedora-com...@lists.sourceforge.net
If I recall correctly, Fedora has two trust stores of its own. One is in fedora/server and the other is in fedora/client. I suspect this will work once you add the certificate to the client truststore, since gsearch is probably using the web APIs to build the index.
Greg

Enrico Anello (OEKM)

Feb 6, 2012, 5:53:04 AM2/6/12
to fedora-com...@lists.sourceforge.net
Hi Greg,
thanks a lot for the info. I've added the new self-signed certificate to $FEDORA_HOME/client/truststore, but I'm still having the same problem. I was wondering if there is any way to debug the SSL handshake on the client side.
I've enabled debugging on Tomcat, so I can see the server's side of the handshake and which certificate it is using. Eventually it ends up with the exception thrown by the client (the one below), but I can't see the actual validation of the certificate sent by the server.

Enrico
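An added diagnostic for the two questions in this thread, written for this page and not part of Fedora, GSearch or Tomcat. First, on seeing the client side: the debug output above already contains it, because GSearch runs inside the same JVM, so the http-8080-4 lines are the client thread and the http-8443-1 lines are the server thread; on a separate client JVM the same output comes from -Djavax.net.debug=ssl:trustmanager. Second, on the specific error: the Sun PKIX validator chooses trust anchors by matching the issuer DN of the presented certificate against the subject DN of each truststore entry, and "Signature does not match" / "signature check failed" means an entry with the right DN was found but its public key is not the one that signed the presented certificate (an entry that is missing altogether gives "unable to find valid certification path to requested target" instead). The tool below captures the chain the server actually sends, then checks every truststore entry with a matching DN against it and reports which case applies. Host, port, truststore path and password are command-line arguments; the capturing trust manager rejects every chain, so nothing is ever trusted during the probe.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not part of Fedora, GSearch or Tomcat): compare the
 * certificate a TLS server actually presents with every truststore entry
 * whose subject DN equals the presented certificate's issuer DN.
 *
 * Usage: java TrustStoreCheck <host> <port> <truststore-path> <truststore-password>
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustStoreCheck <host> <port> <truststore> <password>");
            System.exit(2);
        }
        X509Certificate[] chain = fetchPresentedChain(args[0], Integer.parseInt(args[1]));
        X509Certificate leaf = chain[0];
        System.out.println("server presents: subject=" + leaf.getSubjectX500Principal()
                + " issuer=" + leaf.getIssuerX500Principal()
                + " serial=" + leaf.getSerialNumber().toString(16)
                + " chainLength=" + chain.length);

        // Load the truststore the client JVM is configured with (JKS by default).
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(args[2]);
        try {
            ts.load(in, args[3].toCharArray());
        } finally {
            in.close();
        }
        System.out.print(report(leaf, ts));
    }

    /** Classify every truststore entry that PKIX would consider as the leaf's issuer. */
    static String report(X509Certificate leaf, KeyStore ts) throws Exception {
        StringBuilder out = new StringBuilder();
        int candidates = 0;
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ts.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate anchor = (X509Certificate) c;
            // Trust anchors are selected by DN: anchor subject == leaf issuer.
            if (!anchor.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) continue;
            candidates++;
            try {
                leaf.verify(anchor.getPublicKey());   // same check BasicChecker performs
                out.append("alias '").append(alias)
                   .append("': DN matches and the signature verifies -> valid anchor\n");
            } catch (GeneralSecurityException gse) {
                out.append("alias '").append(alias)
                   .append("': same DN but a different key (anchor serial ")
                   .append(anchor.getSerialNumber().toString(16)).append(") -> ")
                   .append(gse.getClass().getSimpleName()).append(": ").append(gse.getMessage())
                   .append("\n");
            }
        }
        if (candidates == 0) {
            out.append("no truststore entry has subject == issuer of the presented certificate;"
                     + " PKIX would report no valid certification path\n");
        }
        return out.toString();
    }

    /**
     * Open a TLS connection with a trust manager that records the server's chain
     * and then rejects it, so the handshake never completes against an unverified peer.
     */
    static X509Certificate[] fetchPresentedChain(String host, int port) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                throw new CertificateException("client certificates are not expected here");
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                captured[0] = chain;
                throw new CertificateException("chain captured; rejecting on purpose");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            socket.startHandshake();
        } catch (SSLHandshakeException expected) {
            // The capture manager always throws, so this is the normal path.
        } finally {
            socket.close();
        }
        if (captured[0] == null || captured[0].length == 0) {
            throw new IllegalStateException("server sent no certificate chain");
        }
        return captured[0];
    }
}
```

Run it once against the HTTPS port with $FEDORA_HOME/client/truststore and once with $FEDORA_HOME/server/truststore. A "same DN but a different key" line for an entry means the truststore still holds an older certificate with the same distinguished name (for instance the installation's original one, or a copy exported before the key was regenerated); deleting that entry and re-importing the certificate exported from the keystore alias the connector actually serves removes the DN collision. Comparing the printed serial number with the SerialNumber in the debug output above is a quick way to confirm the connector is serving the expected certificate.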