Problem with security : NET::ERR_CERT_AUTHORITY_INVALID


theirman

Apr 25, 2019, 5:21:56 AM
to Payara Forum
Hello, 
I have a problem accessing my admin console. Firefox runs without ever reaching the page, Chrome displays a message indicating an error "NET::ERR_CERT_AUTHORITY_INVALID" (see below) and Edge (God forgive me) displays the error codes "DLG_FLAGS_INVALID_CA" and "DLG_FLAGS_SEC_CERT_CN_INVALID" (see below).

In all of this, I understand that my certificate is not valid and that this is probably due to the host name that differs from the one of the created certificate. However, the host name of my machine (sicpa-interop) is the same as the one I declared when I created the certificate ("CN=sicpa-interop,O=INRA,L=Jouy-En-Josas,S=France,C=FR").

Does anyone have any idea what the problem is?
Thanking you in advance
Thierry


[Attachments: chrome_erreur_certificat_payara.jpg, edge_erreur_certificat_payara.jpg]


theirman

May 6, 2019, 4:52:11 AM
to Payara Forum
Any idea?

Rudy De Busscher

May 6, 2019, 10:17:48 AM
to Payara Forum
Hi,

Is this a self-signed certificate? The ERR_CERT_AUTHORITY_INVALID suggests this. Self-signed certificates are never accepted by the browser (and you need to define an exception if you do want to proceed to the actual page).

If not self-signed, can you also try to put the hostname and IP address in the hosts file and access the Payara Server through https://sicpa-interop:4848?

Regards
Rudy

theirman

May 7, 2019, 3:10:02 AM
to Payara Forum
Hello Rudy, thank you for your help.

It is indeed a self-signed certificate. I am used to allowing such certificates, in the development or testing phase, in my browser by adding an exception. However, this time, adding an exception does not work. It runs for a while (about thirty seconds) then it puts me back on the same page.

Therefore, I have just requested an official certificate for this test machine. 

Thanks again for your help
Thierry

theirman

May 9, 2019, 2:43:39 AM
to Payara Forum
Hello,
Since last time, I have applied for and obtained an official certificate through my employer. 
I installed it by methodically following the procedure given by Ondrej Mihalyi on the Payara blog (https://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate).

But I still have problems after enabling security (enable-secure-admin) with the CLI:

bash-4.2$ java -version
openjdk version "1.8.0_202"
OpenJDK Runtime Environment (Zulu 8.36.0.1-CA-linux64) (build 1.8.0_202-b05)
OpenJDK 64-Bit Server VM (Zulu 8.36.0.1-CA-linux64) (build 25.202-b05, mixed mode)


bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} start-domain ${DOMAIN_NAME}
Waiting for production to start ......
Successfully started the domain : production
domain  Location: /data/apps/payara/appserver/glassfish/domains/production
Log File: /data/apps/payara/appserver/glassfish/domains/production/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.


bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} list-domain
NCLS-ADMIN-00010
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Command list-domain failed.


bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} stop-domain ${DOMAIN_NAME}
NCLS-ADMIN-00010
NCLS-ADMIN-00010
NCLS-ADMIN-00010
CLI306: Warning - The server located at /data/apps/payara/appserver/glassfish/domains/production is not running.
No domains are currently running.
Command stop-domain failed.


What should I do now?

Rudy De Busscher

May 9, 2019, 7:27:02 AM
to Payara Forum
Hi,

Anything useful in the server log?

Rudy De Busscher

May 11, 2019, 1:58:15 PM
to Payara Forum
You can find the server.log file in the directory <payara-home>/glassfish/domains/<domain-name>/log.

Rudy

theirman

May 14, 2019, 6:07:17 AM
to Payara Forum
Thanks Rudy,

Indeed, the server.log file repeatedly mentions the error below: 

[2019-05-09T16:48:11.856+0200] [Payara 5.191] [WARNING] [] [org.glassfish.grizzly.filterchain.DefaultFilterChain] [tid: _ThreadID=46 _ThreadName=admin-thread-pool::admin-listener(1)] [timeMillis: 1557413291856] [levelValue: 900] [[
  GRIZZLY0013: Exception during FilterChain execution
java.lang.RuntimeException: Could not generate dummy secret
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1550)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:544)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:818)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:782)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at org.glassfish.grizzly.ssl.SSLUtils.sslEngineUnwrap(SSLUtils.java:441)
        at org.glassfish.grizzly.ssl.SSLConnectionContext.unwrap(SSLConnectionContext.java:170)
        at org.glassfish.grizzly.ssl.SSLUtils.handshakeUnwrap(SSLUtils.java:268)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:649)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:598)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:310)
        at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
        at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
        at org.glassfish.grizzly.portunif.PUFilter.handleRead(PUFilter.java:208)
        at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
        at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
        at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
        at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
        at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$0(WorkerThreadIOStrategy.java:90)
        at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
        at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Could not generate dummy secret
        at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:200)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:265)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1062)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:995)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1490)
        at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:250)
        at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:683)
        ... 23 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
        at javax.crypto.Cipher.getInstance(Cipher.java:539)
        at sun.security.ssl.JsseJce.getCipher(JsseJce.java:208)
        at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:143)
        ... 31 more
]]


theirman

May 21, 2019, 4:33:46 AM
to Payara Forum
Hello
After searching for a while for what could cause this error (GRIZZLY0013: Exception during FilterChain execution), I really can't see it.

As suggested by Rudy de Busscher, I requested an official certificate and followed Ondrej Mihalyi's procedure here: https://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate but I still get these errors, which prevent me from starting Payara Server.

Any bright ideas?

theirman

May 21, 2019, 4:34:31 AM
to Payara Forum
Hello
After looking for a time to find out what this error may be (GRIZZLY0013: Exception during FilterChain execution), I really don't see.

As suggested by Rudy de Busscher, I requested an official certificate, I followed Ondrej Mihalyi's procedure here: https://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate but I still have these errors that prevent me from starting Payara Server.

Any bright ideas?



Håkon Herskedal

May 21, 2019, 4:37:51 AM
to Payara Forum
What version of Payara, and what version of JDK are you using?

This is an issue between Glassfish/Payara and JAVA.

theirman

May 21, 2019, 4:53:54 AM
to Payara Forum
payara
version 5.191

java -version
openjdk version "1.8.0_202"
OpenJDK Runtime Environment (Zulu 8.36.0.1-CA-linux64) (build 1.8.0_202-b05)
OpenJDK 64-Bit Server VM (Zulu 8.36.0.1-CA-linux64) (build 25.202-b05, mixed mode)



Håkon Herskedal

May 21, 2019, 5:23:48 AM
to Payara Forum
OK. Not sure about OpenJDK.

Some have had issues with Payara using JRE instead of JDK. Can be specified in domain.xml "AS_JAVA=....."

Several had issues with Oracle JDK versions around 8.161 and upwards.
Could be that OpenJDK inherited some issues?


Rudy De Busscher

May 21, 2019, 8:42:34 AM
to Payara Forum
Not sure why Java can't find the Cipher (should be available)

You can test it outside of Payara with the following statement

Cipher.getInstance("RSA/ECB/PKCS1Padding");


Did you alter the java.security config file and define another JCE Provider?

Rudy

theirman

May 21, 2019, 10:25:32 AM
to Payara Forum
I don't find a java.security file in the payara folders.
I didn't change anything in java.security.

But I finally found the problem I've been having for a long time: the JAVA_HOME was misinformed... instead of telling it "/usr/lib/jvm/zulu-8", I said "/usr/lib/jvm/zulu-8/bin" as JAVA_HOME.
A beginner's mistake (beginner that I am).

Thanks Hakon and thanks Rudy
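
The root cause named in the last post, a JAVA_HOME that points at the JDK's bin directory instead of the JDK root, can be caught before the domain is started. The check below is an added example, not part of the original thread or of Payara; the function names check_java_home and make_sample_jdk and the verdict words are illustrative, and the sample JDK tree is constructed so the script runs without a real JVM.

```shell
#!/bin/sh
# Added example: sanity-check a JAVA_HOME value before handing it to Payara.
# Prints one verdict word and returns 0 only for "ok".
check_java_home() {
    jh=${1:-}
    jh=${jh%/}                      # tolerate a trailing slash
    if [ -z "$jh" ]; then echo "unset"; return 1; fi
    if [ ! -d "$jh" ]; then echo "not-a-directory"; return 1; fi
    # The mistake from this thread: JAVA_HOME set to <jdk>/bin, not <jdk>.
    if [ "$(basename "$jh")" = "bin" ] && [ -x "$jh/java" ]; then
        echo "points-at-bin"; return 1
    fi
    if [ ! -x "$jh/bin/java" ]; then echo "no-java-binary"; return 1; fi
    # java.security lives under jre/lib (JDK 8), lib (JRE 8) or conf (Java 9+).
    for rel in jre/lib/security lib/security conf/security; do
        if [ -f "$jh/$rel/java.security" ]; then echo "ok"; return 0; fi
    done
    echo "no-java-security"; return 1
}

# Constructed sample: a fake JDK 8 layout in a temp dir (no real JVM needed).
make_sample_jdk() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/zulu-8/bin" "$root/zulu-8/jre/lib/security"
    printf '#!/bin/sh\n' > "$root/zulu-8/bin/java"
    chmod +x "$root/zulu-8/bin/java"
    : > "$root/zulu-8/jre/lib/security/java.security"
    echo "$root/zulu-8"
}

# Demo: the wrong value from the thread, then the corrected one.
sample=$(make_sample_jdk)
for candidate in "$sample/bin" "$sample"; do
    verdict=$(check_java_home "$candidate" || true)
    echo "JAVA_HOME=$candidate -> $verdict"
done
rm -rf "$(dirname "$sample")"
```

On a real host, call check_java_home "$JAVA_HOME" in the start script and refuse to run asadmin unless it prints ok.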