Hi,
We're using CAS 4.1.0 and we're having some sporadic issues with our
certs. This is the exception:
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at
sun.security.validator.Validator.validate(Validator.java:260)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1451)
... 55 more
Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 61 more
I've read this [1], but in our case we don't use self-signed certs,
but real Geotrust certs.
Our scenario is the following:
1) We have an Nginx which proxies requests back to Tomcat7 (via
proxy_pass). SSL certs are configured here, for two sites, whose SSL
certs are different.
1.1) Our /cas site has a dedicated certificate (
cas.whatever.com).
This works quite well so far.
1.2) Our /cas-management site has a wildcard certificate
(*.
whatever.com). This one's throwing the exception, but only on one
of our nodes (we have 2 exactly equal with the very same
configuration).
2) We imported both public keys into the system Keystore located in
/etc/ssl/certs/java/cacerts with Keytool (Ubuntu 14.04).
3) Tomcat is using its own Keystore (/etc/tomcat7/keystore.jks)
My questions are:
a) Should this configuration be enough to avoid the exception above?
If yes, why are we getting an exception on point 1.2?
b) Is point 3 relevant?
c) In case this gets painful, is there a non-intrusive way to
disable SSL checking in the CAS-Management webapp?
Thanks.
Nicolás
[1]:
https://wiki.jasig.org/display/casum/ssl+troubleshooting+and+reference+guide
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user