error_sslhandshakeexception_con_java_y_startssl
Java + StartSSL unable to find valid certification path to requested target
Problema. La máquina virtual de Java no tiene los certificados raiz de StartSSL. Cualquier petición https a dominios con una firma de certificado de dicha CA devuelven un error como el siguiente.
ExceptionConverter: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) at com.lowagie.text.pdf.TSAClientBouncyCastle.getTSAResponse(Unknown Source) at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source) at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source) at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(Unknown Source) at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:387) at net.sf.jsignpdf.Signer.signFiles(Signer.java:242) at net.sf.jsignpdf.Signer.main(Signer.java:137) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105) at net.sf.jsignpdf.ssl.DynamicX509TrustManager.checkServerTrusted(DynamicX509TrustManager.java:111) at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) ... 19 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 27 more INFO Finished: Creating of signature failed.
Solución: Importar a la JVM (cacerts / jssecacerts) los certificados StartSSL CA en Java.
- StartSSL_java.sh
#!/bin/sh # # Downloads and installs the startssl CA certs into the global java keystore # Author: Klaus Reimer <k@ailis.de> # # Check if JAVA_HOME is set if [ "$JAVA_HOME" = "" ] then echo "ERROR: JAVA_HOME must be set." exit 1 fi # Check if cacerts file is present if [ ! -f $JAVA_HOME/jre/lib/security/cacerts ] then echo "ERROR: \$JAVA_HOME/jre/lib/security/cacerts not found. JAVA_HOME set correctly?" exit 1 fi # Download the startssl certs echo "Downloading certs..." wget --quiet --continue http://www.startssl.com/certs/ca.crt wget --quiet --continue http://www.startssl.com/certs/sub.class1.server.ca.crt wget --quiet --continue http://www.startssl.com/certs/sub.class2.server.ca.crt wget --quiet --continue http://www.startssl.com/certs/sub.class3.server.ca.crt wget --quiet --continue http://www.startssl.com/certs/sub.class4.server.ca.crt # Install certs into global keystore echo "Adding certs to cacerts keystore (sudo password required)..." keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt # If jsse is installed then also put the certs into jssecacerts keystore if [ -f $JAVA_HOME/jre/lib/security/jssecacerts ] then echo "Adding certs to jssecacerts keystore (sudo password required)..." keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt fi # Remove downloaded certs rm -f ca.crt sub.class1.server.ca.crt sub.class2.server.ca.crt sub.class3.server.ca.crt sub.class4.server.ca.crt
NOTA: Requiere wget y el usuario root.
error_sslhandshakeexception_con_java_y_startssl.txt · Last modified: 2020/12/25 22:57 by 127.0.0.1