Bug#597967: Ignores installed CA; refuses to make SSL connection

Anthony DeRobertis
Sep 24, 2010, 1:00:05 PM

Package: jxplorer
Version: 3.2.1+dfsg-3
Severity: important

It appears that it's impossible to use a private CA with jxplorer. I
installed the CA certificate as
/usr/local/share/ca-certificates/MetricsCA.crt. I ran
update-ca-certificates, which added it to the java keystore
/etc/ssl/certs/java/cacerts.

It is definitely present in the keystore:

# keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep metrics
metricsca_pem, Sep 16, 2010, trustedCertEntry,


And yet, when I try and connect to our LDAP server:

Error opening connection:
java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

and, on the console:
Sep 24, 2010 11:43:35 AM com.ca.directory.jxplorer.broker.JNDIBroker openConnection
WARNING: initial receipt of exception by jndi broker java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.naming.CommunicationException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1992)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:265)
at com.ca.commons.jndi.JNDIOps.exists(JNDIOps.java:633)
at com.ca.directory.jxplorer.broker.JNDIBroker.openConnection(JNDIBroker.java:409)
at com.ca.directory.jxplorer.broker.JNDIBroker.processRequest(JNDIBroker.java:360)
at com.ca.directory.jxplorer.broker.Broker.processQueue(Broker.java:158)
at com.ca.directory.jxplorer.broker.JNDIBroker.processQueue(JNDIBroker.java:829)
at com.ca.directory.jxplorer.broker.Broker.run(Broker.java:124)
at java.lang.Thread.run(Thread.java:636)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1639)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:215)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:209)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1033)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:546)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1140)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:764)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:94)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at com.sun.jndi.ldap.Connection.run(Connection.java:820)
... 1 more
Caused by: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.ca.commons.security.JXTrustManager.checkServerTrusted(JXTrustManager.java:141)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1025)
... 12 more

I've tried adding it to my user keystore as well. Doesn't help.

openssl's s_client confirms that the server works, and that the CA does
indeed verify the server.

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages jxplorer depends on:
ii default-jre [java6-runti 1:1.6-40 Standard Java or Java compatible R
ii java-wrappers 0.1.16 wrappers for java executables
ii javahelp2 2.0.05.ds1-4 Java based help system
ii junit 3.8.2-4 Automated testing framework for Ja
ii openjdk-6-jre [java6-run 6b18-1.8.1-1+b1 OpenJDK Java runtime, using Hotspo

jxplorer recommends no packages.

jxplorer suggests no packages.

-- no debconf information
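
The following diagnostic is an added example, not part of the original report and not jxplorer code. The trace above shows the rejection raised from com.ca.commons.security.JXTrustManager.checkServerTrusted, so it helps to test the JVM-wide store on its own: this program matches the CA file against the keystore by certificate content rather than by alias name, and checks that the stock PKIX trust manager built from that keystore lists it as an accepted issuer. The class name CheckTrustAnchor is hypothetical; the default paths and store password are the ones quoted in the report.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not jxplorer code. Usage: java CheckTrustAnchor [ca.crt] [keystore] [storepass]
public class CheckTrustAnchor {
    public static void main(String[] args) throws Exception {
        // Defaults are the values quoted in the bug report.
        String caPath = args.length > 0 ? args[0] : "/usr/local/share/ca-certificates/MetricsCA.crt";
        String ksPath = args.length > 1 ? args[1] : "/etc/ssl/certs/java/cacerts";
        char[] ksPass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        // Parse the CA certificate (PEM or DER) from disk.
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPath)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Load the keystore that update-ca-certificates maintains.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass);
        }

        // Match on the certificate itself: null means no entry holds this exact
        // certificate, even if an alias with a similar name exists.
        String alias = ks.getCertificateAlias(ca);
        System.out.println("Keystore alias holding this CA: " + alias);

        // Build the JVM's stock trust manager over this keystore and confirm
        // that the CA is one of the issuers it will accept.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        boolean accepted = false;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                accepted |= Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()).contains(ca);
            }
        }
        System.out.println("Accepted issuer for the default trust manager: " + accepted);

        // Context that often explains a mismatch: validity window and any store override.
        System.out.println("CA validity: " + ca.getNotBefore() + " .. " + ca.getNotAfter());
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
    }
}
```

If both checks come back positive, the JVM-wide store is sound, and the remaining question is which store the application's own trust manager reads.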