Hi Greg,
Sorry for bothering again on the same issue.
Since I modified the self-signed certificate I can't get gsearch
working anymore.
The exception thrown is always:
Fedora Object xxxxxxxxxx not found at DemoAtDtu;
nested exception is: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: signature
check failed
I have configured Tomcat to load the keystore that contains the
self-signed certificate and to load a custom truststore where
I trusted that certificate. I have also run Tomcat with SSL debug
options and here is the result:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-8443-1, setSoTimeout(60000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1328210885 bytes = { 67, 138, 70, 121, 118,
92, 54, 158, 143, 142, 85, 65, 104, 198, 105, 187, 13, 101, 245,
198, 200, 96, 231, 127, 90, 242, 78, 197 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
http-8080-4, WRITE: TLSv1 Handshake, length = 75
http-8080-4, WRITE: SSLv2 client hello message, length = 101
http-8443-1, READ: SSL v2, contentType = Handshake, translated
length = 75
*** ClientHello, TLSv1
RandomCookie: GMT: 1328210885 bytes = { 67, 138, 70, 121, 118,
92, 54, 158, 143, 142, 85, 65, 104, 198, 105, 187, 13, 101, 245,
198, 200, 96, 231, 127, 90, 242, 78, 197 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
%% Created: [Session-16, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie: GMT: 1328210885 bytes = { 47, 120, 37, 197, 62,
247, 95, 232, 197, 6, 103, 66, 150, 175, 138, 223, 116, 114, 9,
89, 159, 191, 149, 137, 73, 59, 122, 65 }
Session ID: {79, 43, 228, 197, 44, 49, 31, 110, 59, 165, 112,
152, 100, 250, 225, 128, 224, 239, 110, 235, 136, 192, 171, 142,
185, 238, 215, 99, 144, 238, 33, 131}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection:
<empty>
***
Cipher suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome,
ST=Italy, C=IT
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus:
17661593669421858218411695598553797822920372273555124371461037567902617101375504162491484973176890789579620089972944454891564865544786573612037968012019305163894378123784419527375220478530403364569016018453996686344369362921581597920769643751454368493077782536030400938009459107928045222069203207445307480604767696747643641235711336095880000296052166470303956724650011167885232993976903037401782809172246342969503969643912804519781046798499462554025521745428121941174946483101336873991433783598519754951275915999306443219649393264403734713231147801316173857847931988613935558702770768716915959357700644451196891575503
public exponent: 65537
Validity: [From: Fri Jan 27 17:37:34 CET 2012,
To: Sat Jan 26 17:37:34 CET 2013]
Issuer: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome,
ST=Italy, C=IT
SerialNumber: [ 4f22d2ce]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 932
http-8080-4, READ: TLSv1 Handshake, length = 932
*** ServerHello, TLSv1
RandomCookie: GMT: 1328210885 bytes = { 47, 120, 37, 197, 62,
247, 95, 232, 197, 6, 103, 66, 150, 175, 138, 223, 116, 114, 9,
89, 159, 191, 149, 137, 73, 59, 122, 65 }
Session ID: {79, 43, 228, 197, 44, 49, 31, 110, 59, 165, 112,
152, 100, 250, 225, 128, 224, 239, 110, 235, 136, 192, 171, 142,
185, 238, 215, 99, 144, 238, 33, 131}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection:
<empty>
***
%% Created: [Session-17, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome,
ST=Italy, C=IT
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus:
17661593669421858218411695598553797822920372273555124371461037567902617101375504162491484973176890789579620089972944454891564865544786573612037968012019305163894378123784419527375220478530403364569016018453996686344369362921581597920769643751454368493077782536030400938009459107928045222069203207445307480604767696747643641235711336095880000296052166470303956724650011167885232993976903037401782809172246342969503969643912804519781046798499462554025521745428121941174946483101336873991433783598519754951275915999306443219649393264403734713231147801316173857847931988613935558702770768716915959357700644451196891575503
public exponent: 65537
Validity: [From: Fri Jan 27 17:37:34 CET 2012,
To: Sat Jan 26 17:37:34 CET 2013]
Issuer: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome,
ST=Italy, C=IT
SerialNumber: [ 4f22d2ce]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
http-8080-4, SEND TLSv1 ALERT: fatal, description =
certificate_unknown
http-8080-4, WRITE: TLSv1 Alert, length = 2
http-8080-4, called closeSocket()
http-8443-1, READ: TLSv1 Alert, length = 2
http-8443-1, RECV TLSv1 ALERT: fatal, certificate_unknown
http-8080-4, handling exception:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: signature
check failed
http-8443-1, called closeSocket()
http-8443-1, handling exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert:
certificate_unknown
http-8443-1, called close()
http-8443-1, called closeInternal(true)
dk.defxws.fedoragsearch.server.errors.FedoraObjectNotFoundException: Fedora Object eims-document:418565 not found at DemoAtDtu; nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.getFoxmlFromPid(GenericOperationsImpl.java:340)
    at dk.defxws.fgssolr.OperationsImpl.fromPid(OperationsImpl.java:389)
    at dk.defxws.fgssolr.OperationsImpl.updateIndex(OperationsImpl.java:241)
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.updateIndex(GenericOperationsImpl.java:308)
    at dk.defxws.fedoragsearch.server.RESTImpl.updateIndex(RESTImpl.java:261)
    at dk.defxws.fedoragsearch.server.RESTImpl.doGet(RESTImpl.java:114)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at fedora.server.management.FedoraAPIMBindingSOAPHTTPStub.export(FedoraAPIMBindingSOAPHTTPStub.java:639)
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.getFoxmlFromPid(GenericOperationsImpl.java:338)
    ... 20 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 31 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:184)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    ... 42 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
    ... 49 more
Caused by: java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:421)
    at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
    ... 53 more
Finalizer, called close()
Finalizer, called closeInternal(true)
I'm sorry, but I feel really stuck on this...
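
Added example, not part of the original message: the trace above ends in `Signature does not match` while a self-signed certificate is being validated, a result a PKIX validator gives when the truststore it actually consults holds a certificate with the same subject DN but a different key pair. The script below classifies that relationship with `openssl`; the function names, file names and sample DN are assumptions, and the certificates are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original message). Classifies how a certificate
# taken from a truststore relates to the one the server presents.
# With a real JKS truststore, export the entry to PEM first:
#   keytool -exportcert -rfc -alias <alias> -keystore <truststore> -file trusted.pem

# cert_field FILE NAME -> one attribute (subject | pubkey | fingerprint) of a PEM cert
cert_field() { openssl x509 -in "$1" -noout -sha256 "-$2"; }

# diagnose TRUSTED.pem PRESENTED.pem -> prints one of:
#   match                  same certificate, trust should succeed
#   same-dn-different-key  anchor found by name but its key cannot verify the
#                          presented signature (stale entry after regeneration)
#   same-key-reissued      same DN and key, but a different certificate
#   different-dn           no anchor with this name in the truststore
diagnose() {
    if [ "$(cert_field "$1" fingerprint)" = "$(cert_field "$2" fingerprint)" ]; then
        echo match
    elif [ "$(cert_field "$1" subject)" != "$(cert_field "$2" subject)" ]; then
        echo different-dn
    elif [ "$(cert_field "$1" pubkey)" != "$(cert_field "$2" pubkey)" ]; then
        echo same-dn-different-key
    else
        echo same-key-reissued
    fi
}

# Constructed sample data: old.pem and new.pem share a subject DN but have
# separate key pairs (a regenerated self-signed certificate); other.pem has
# an unrelated DN.
make_sample() {
    for name in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/C=XX/O=Example/CN=repo.example.test' \
            -keyout "$1/$name.key" -out "$1/$name.pem" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=other.example.test' \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

# Demo: the server presents new.pem; try each candidate truststore entry.
tmp=$(mktemp -d)
make_sample "$tmp"
for trusted in new old other; do
    printf '%-6s -> %s\n' "$trusted" "$(diagnose "$tmp/$trusted.pem" "$tmp/new.pem")"
done
rm -rf "$tmp"
```

The truststore to export from is the one used by the JVM that makes the outbound call, which is not necessarily the one configured on the HTTPS connector.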