"Certificate chaining error" on startup?


Steve Kauffman

Dec 22, 2022, 11:25:00 AM
to xnat_discussion
Hello, I'm a software engineer with Philips Ultrasound. I'm exploring XNAT for possible use in an internal tool for sorting through internally collected images to create "synthetic" studies containing a sort of "highlights reel" of example images for our clinical application specialists.

I'll probably have some future questions about that - but right now, I'm just trying to launch XNAT for the first time, per instructions at 

I get a "Certificate chaining error" related to the Cisco root authority certificate (which does exist on my machine). Details below.

Brief searching seems to indicate that this means there are intermediate certificates that are expected, but do not exist at the moment on my machine. Are there additional configuration steps that I'm missing and are documented somewhere?

Thanks,
Steve 

A:\dev\DemoDisk\xnat-docker-compose [features/dependency-mgmt ≡]> ./gradlew composeBuild composeUp
Downloading https://services.gradle.org/distributions/gradle-7.6-all.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
        java.security.cert.CertPathValidatorException: The certificate issued by CN=Cisco Umbrella Root CA, O=Cisco is not trusted; internal cause is:
        java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.jsse2.k.a(k.java:42)
        at com.ibm.jsse2.av.a(av.java:688)
        at com.ibm.jsse2.D.a(D.java:495)
        at com.ibm.jsse2.D.a(D.java:534)
        at com.ibm.jsse2.E.a(E.java:151)
        at com.ibm.jsse2.E.a(E.java:401)
        at com.ibm.jsse2.D.r(D.java:444)
        at com.ibm.jsse2.D.a(D.java:399)
        at com.ibm.jsse2.av.a(av.java:1006)
        at com.ibm.jsse2.av.i(av.java:574)
        at com.ibm.jsse2.av.a(av.java:280)
        at com.ibm.jsse2.av.startHandshake(av.java:431)
        at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:167)
        at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:62)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect0(HttpURLConnection.java:2741)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect(HttpURLConnection.java:2653)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1836)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1504)
        at com.ibm.net.ssl.www2.protocol.https.b.getInputStream(b.java:91)
        at org.gradle.wrapper.Download.downloadInternal(Download.java:109)
        at org.gradle.wrapper.Download.download(Download.java:89)
        at org.gradle.wrapper.Install$1.call(Install.java:83)
        at org.gradle.wrapper.Install$1.call(Install.java:63)
        at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
        at org.gradle.wrapper.Install.createDist(Install.java:63)
        at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:109)
        at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:66)
Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
        java.security.cert.CertPathValidatorException: The certificate issued by CN=Cisco Umbrella Root CA, O=Cisco is not trusted; internal cause is:
        java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.jsse2.util.f.a(f.java:156)
        at com.ibm.jsse2.util.f.b(f.java:89)
        at com.ibm.jsse2.util.e.a(e.java:17)
        at com.ibm.jsse2.aD.a(aD.java:90)
        at com.ibm.jsse2.aD.a(aD.java:74)
        at com.ibm.jsse2.aD.checkServerTrusted(aD.java:117)
        at com.ibm.jsse2.E.a(E.java:757)
        ... 22 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
        java.security.cert.CertPathValidatorException: The certificate issued by CN=Cisco Umbrella Root CA, O=Cisco is not trusted; internal cause is:
        java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:422)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
        at com.ibm.jsse2.util.f.a(f.java:54)
        ... 28 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=Cisco Umbrella Root CA, O=Cisco is not trusted; internal cause is:
        java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
        at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:220)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:749)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:661)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)
        ... 30 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
        at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
        ... 36 more

Rick Herrick

Dec 22, 2022, 2:20:22 PM
to xnat_di...@googlegroups.com
Hey Steve,

This is an issue somewhere between your workstation and services.gradle.org and isn't related to Docker or the XNAT container or anything. The gradlew script works by downloading an archive containing the version of Gradle specified in gradle/wrapper/gradle.properties (gradle-7.6-all.zip in this case). You’re not even getting past that part, so it’s never even starting the Docker part of the process. The problem is almost certainly a firewall or proxy somewhere between you and the Gradle download server, because the SSL cert chain for that site doesn’t include anything from Cisco (the only occurrence of “cisco” in the chain is as part of San Francisco). The cert chain for the site goes:

depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = gradle.org
verify return:1

A last-ditch attempt to work around this would be to try downloading that zip file directly, either by pasting the URL (https://services.gradle.org/distributions/gradle-7.6-all.zip) in a browser or using curl or something similar. If that does happen to work, you could unzip that file directly:

unzip gradle-7.6-all.zip -d ~/.gradle/wrapper/dists/gradle-7.6-all/9f832ih6bniajn45pbmqhk2cw

You’d need to make the destination folder first, of course, and I’m not sure that downloading the file will work but...

Another possibility might be that you have an old version of Java, something that hasn’t been updated in a while and so its certificate store hasn’t been updated either. Somewhere in your JDK/JRE is a file named cacerts. Since Gradle runs under Java and Java uses its own certificate store, that could be out of date. I don’t think this is the issue, simply because there are no Cisco certs in any of the various JDKs I inspected, but who knows, maybe another cert is failing and that’s making the Cisco one fail? Probably not, but maybe.

You’ll need to get whatever’s going wrong here fixed before you can move on to the actual Docker and XNAT part of the fun.

Rick Herrick
Senior Software Developer


------ Original Message ------
From "Steve Kauffman" <st...@kauffmans.name>
To "xnat_discussion" <xnat_di...@googlegroups.com>
Date 12/21/2022 6:06:31 PM
Subject [XNAT Discussion] "Certificate chaining error" on startup?
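
Added example (not part of either post in this thread): a small Python check that parses the "depth=" lines of a certificate chain like the one quoted in the reply and reports when the top of the chain seen from a workstation is not the expected root. The INTERCEPTED sample is constructed (only the Cisco Umbrella name comes from the stack trace), and the function names are hypothetical.

```python
import re

# Chain as quoted in the reply above (openssl-style "depth=" lines).
EXPECTED = '''depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = gradle.org
verify return:1
'''

# Constructed sample of what a workstation behind an intercepting proxy might
# see. Only the root's name is taken from the stack trace; the rest is made up.
INTERCEPTED = '''depth=1 O = Cisco, CN = Cisco Umbrella Root CA
verify return:1
depth=0 CN = services.gradle.org
verify return:1
'''

# One attribute: KEY = value, where value is "quoted, with commas" or bare.
RDN = re.compile(r'\s*([A-Za-z]+)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')

def parse_dn(dn):
    """Split a one-line distinguished name into a dict, honouring quoted commas."""
    return {k: (q if q else b.strip()) for k, q, b in RDN.findall(dn)}

def parse_chain(text):
    """Return {depth: attribute dict} built from the 'depth=N <DN>' lines."""
    chain = {}
    for line in text.splitlines():
        m = re.match(r'depth=(\d+)\s+(.*)', line)
        if m:
            chain[int(m.group(1))] = parse_dn(m.group(2))
    return chain

def organisations(text):
    """Set of O= values in the chain; compared by attribute, not by substring."""
    return {dn["O"] for dn in parse_chain(text).values() if "O" in dn}

def unexpected_issuer(observed, expected=EXPECTED):
    """CN at the top of the observed chain if it is not the expected root, else None."""
    seen, want = parse_chain(observed), parse_chain(expected)
    top, root = seen[max(seen)].get("CN"), want[max(want)].get("CN")
    return None if top == root else top

if __name__ == "__main__":
    print("substring 'cisco' in expected chain:", "cisco" in EXPECTED.lower())
    print("organisations in expected chain:", organisations(EXPECTED))
    print("unexpected issuer:", unexpected_issuer(INTERCEPTED))
```

Comparing by attribute avoids the false hit on "San Francisco" that a plain text search for "cisco" produces on the genuine chain.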
