SSLHandshakeException: Received fatal alert: certificate_unknown


sudes...@gmail.com

Dec 22, 2019, 4:22:01 PM
to membrane-monitor
Greetings

Working on two-way SSL, where the keys returned by the server should exist in the truststore. My current configuration has keystore.jks (which gets sent to the server, and the server trusts this) and truststore.jks (contains the key of the server with an alias name, to be trusted). The truststore contains many keys from different servers with different aliases.

<serviceProxy name="sendDetails" port="12222">
  <ssl>
    <keystore location="/tmp/keystore.jks" password="changeit" keyPassword="changeit" />
    <truststore location="/tmp/truststore.jks" password="changeit" />
  </ssl>
  <target host="remote.host.com" port="15555" />
</serviceProxy>

Enabled the logging and could see the error below:

[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 2E                                              ..
RouterThread /xxxxxx:60224, READ: TLSv1.2 Alert, length = 2
RouterThread /xxxxxx:60224, RECV TLSv1.2 ALERT:  fatal, certificate_unknown
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
RouterThread /xxxxxx:60224, called closeSocket()
RouterThread /xxxxxx:60224, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
12:13:45,537 ERROR HttpServerHandler:146 -
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown


I am not finding the configuration to ask Membrane to look for the particular alias in the truststore. Any pointer will be of great help.

sudes...@gmail.com

Dec 23, 2019, 11:35:22 AM
to membrane-monitor

Integration is as follows: localhost -> membrane -> server

Observed that Membrane returns the client certificate (keystore) instead of the server certificate to localhost. How can I make Membrane return the server certificate instead?

Sudesh Acharya

Dec 25, 2019, 1:29:56 PM
to membrane-monitor
More details: what I observed was that Membrane returns the key that was present in keystore.jks instead of the actual server key. This is the issue in this case, but I am not able to find any workaround to overcome it. Can we get some help, please?
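
Decoding the two [Raw read] dumps from the first post, as an added example (not part of the thread and not Membrane code): the 5-byte header and 2-byte body form one TLSv1.2 alert record with level 2 (fatal) and description 0x2E = 46 (certificate_unknown). The function names and the alert subset are chosen here, and the dump layout is assumed to match the lines quoted in the post.

```python
import re

# Constructed sample: the two "[Raw read]" dumps quoted in the first post.
SAMPLE_LOG = """\
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 2E                                              ..
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined in RFC 5246, section 7.2.
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}

# Offset, then up to 16 hex pairs; the wide gap before the ASCII column ends the match.
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}: ((?:[0-9A-Fa-f]{2}(?: {1,3}|$)){1,16})")

def bytes_from_debug_log(text):
    """Concatenate the hex columns of the dump lines, skipping the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def decode_records(data):
    """Return one dict per TLS record; plaintext alerts get level and description."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("record body shorter than declared length %d" % length)
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor))}
        if ctype == 21 and length == 2:  # unencrypted alert: level byte, description byte
            rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
            rec["description"] = ALERTS.get(body[1], "unknown(%d)" % body[1])
        records.append(rec)
        pos += 5 + length
    return records
```

A received alert is sent by the peer, so this record means the remote end of that connection rejected the certificate it was shown.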