[jetty-users] jetty SSL outgoing connections: unable to find valid certification path to requested target

Hi jetty-users,

(sorry for the long post)
I'm using exist-db with jetty as HTTP, HTTPS handler.
I've added the server certificates to a jks truststore but can't get a
live connection where my side is SSL-client and the other is
SSL-server.

Version: jetty-8.1.9.v20130131

The error I receive is:
<httpclient:response statusCode="500" xmlns:httpclient="http://exist-db.org/xquery/httpclient"><httpclient:body type="text" encoding="URLEncoded">sun.security.validator.ValidatorException%3A+PKIX+path+building+failed%3A+sun.security.provider.certpath.SunCertPathBuilderException%3A+unable+to+find+valid+certification+path+to+requested+target</httpclient:body></httpclient:response>

In my logging:
ERROR (BaseHTTPClientFunction.java [doRequest]:211) - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at org.exist.xquery.modules.httpclient.BaseHTTPClientFunction.doRequest(BaseHTTPClientFunction.java:202)
        at org.exist.xquery.modules.httpclient.POSTFunction.eval(POSTFunction.java:191)
        at org.exist.xquery.BasicFunction.eval(BasicFunction.java:70)
        at org.exist.xquery.InternalFunctionCall.eval(InternalFunctionCall.java:55)
        at org.exist.xquery.LetExpr.eval(LetExpr.java:142)
...
        at java.lang.Thread.run(Thread.java:744)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
        ... 109 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
        ... 115 more

In my jetty.xml config I have:
/usr/local/exist/tools/jetty/etc/jetty.xml
....

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
        <Set name="host"><SystemProperty name="jetty.host"/></Set>
        <Set name="port"><SystemProperty name="jetty.port" default="8877"/></Set>
        <Set name="maxIdleTime">300000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="statsOn">false</Set>
        <Set name="confidentialPort"><SystemProperty name="jetty.port.ssl" default="8477"/></Set>
        <Set name="lowResourcesConnections">20000</Set>
        <Set name="lowResourcesMaxIdleTime">5000</Set>
      </New>
    </Arg>
  </Call>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port">8477</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>
        <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/s_01.jks</Set>
        <Set name="Password">....</Set>
        <Set name="KeyPassword">.....</Set>
        <Set name="truststore"><SystemProperty name="jetty.home" default="."/>/etc/t_01.jks</Set>
        <Set name="trustPassword">....</Set>
      </New>
    </Arg>
  </Call>

1) Is this the correct place in the jetty config to point to my jks
truststore for outgoing connections? (It seems to me this is more for
incoming, since it lists the receiving port?)
If it is the correct place:
2) How can I disable server certificate validation,
so that my client does not validate the other's certificate?

Thanks for any pointers!
Maarten
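The truststore set on the `SslSelectChannelConnector` above belongs to the listening HTTPS connector: Jetty uses it to validate client certificates presented to port 8477, not to validate servers that the eXist-db `httpclient` module connects to. An outgoing connection made from inside the JVM (here, commons-httpclient under `BaseHTTPClientFunction.doRequest`) uses the JVM's default trust material, which is `javax.net.ssl.trustStore` / `javax.net.ssl.trustStorePassword` if set and otherwise `$JAVA_HOME/lib/security/cacerts`. So the answer to question 2 is not to switch validation off but to make the chain validate: the `t_01.jks` truststore must contain the CA certificate that issued the remote server's chain, and the JVM running Jetty must be pointed at it. The program below is an added diagnostic, not part of the post, of eXist-db or of Jetty: it replays the same `X509TrustManager.checkServerTrusted` call JSSE makes during the handshake against a given truststore, without opening a socket, so the "unable to find valid certification path" failure can be reproduced and fixed offline. The file names `server-chain.pem` and the command-line layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustStoreCheck: offline reproduction of the JSSE server-certificate check.
 *
 * Added example (not eXist-db or Jetty code). Reads the remote server's chain
 * from a PEM file (leaf first, as "openssl s_client -showcerts" prints it) and
 * validates it with the same platform X509TrustManager an SSLContext would use
 * for outgoing HTTPS, initialised from the given JKS truststore.
 */
public class TrustStoreCheck {

    /** Loads every PEM certificate in the file, in file order (leaf first). */
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Loads a JKS (or PKCS12) truststore; a null password only skips the integrity check. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds the platform X509TrustManager from the truststore, as SSLContext.init would. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreCheck <server-chain.pem> <truststore.jks> [password]");
            System.exit(2);
        }
        X509Certificate[] chain = loadChain(args[0]);
        char[] password = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore trustStore = loadTrustStore(args[1], password);

        // Show what the truststore actually holds. A frequent cause of the PKIX
        // error is that only the server's leaf or an intermediate was imported,
        // rather than the CA certificate that issued the chain.
        System.out.println("Truststore entries:");
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = trustStore.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println("  " + alias + ": " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
        System.out.println("Server chain:");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                             + "  issuer=" + c.getIssuerX500Principal());
        }

        // authType names the TLS key exchange and only drives the key-usage check on
        // the leaf; pick the signature-based exchange matching the leaf's key type.
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm())
                ? "ECDHE_ECDSA" : "ECDHE_RSA";

        // Same call JSSE makes in ClientHandshaker.serverCertificate during the handshake.
        try {
            trustManagerFor(trustStore).checkServerTrusted(chain, authType);
            System.out.println("OK: chain validates against " + args[1]);
        } catch (CertificateException ex) {
            System.out.println("FAIL: " + ex.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as `java TrustStoreCheck server-chain.pem /usr/local/exist/tools/jetty/etc/t_01.jks <trustPassword>`. If it prints `FAIL`, import the issuing CA (not the leaf) with `keytool -importcert -trustcacerts -alias remote-ca -file ca.pem -keystore t_01.jks` and re-run until it prints `OK`. Then make the JVM that runs Jetty use that store for outgoing connections by adding `-Djavax.net.ssl.trustStore=/usr/local/exist/tools/jetty/etc/t_01.jks -Djavax.net.ssl.trustStorePassword=<trustPassword>` to its startup options; the connector's `truststore` setting in `jetty.xml` does not affect outgoing connections.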

