I have seen similar questions about this topic before, but I must confess I really don't understand it still. I have never had to work with certificates, so please pardon my ignorance.
I have a J2EE app connection from JBoss to a third party system using SSL. The third party certificate recently expired, and they updated it. However, I am still getting the same message:
javax.net.ssl.SSLException: untrusted server cert chain
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
	at java.io.OutputStream.write(OutputStream.java:56)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
Because I am not intimately familiar with this inherited application, I am slowly trying to find out what I can do. As this worked for years, I am confident it is not in the code. What I am not sure about, or even how to proceed with, is how to re-establish the trust between the two users.
I looked for a java version on the server and it is "/usr/bin/java" so there isn't a JRE/lib/security/ directory. Don't I need to have a copy of the new certificate and then somehow use the keystore tool to sign it? If that is the case, I would really appreciate any pointers on how to do that. I am trying to find an old certificate now, because I believe there must be one somewhere.
If someone has any advice or direction on this, I would love to hear it, or be pointed to a good *beginner* tutorial on how to make this work again.
"untrusted server cert chain" means that one of the certificates in the chain cannot be verified as being trusted. Either the actual certificate is signed by an authority that is not trusted, or the signing authority's own certificate (one level higher up in the chain) is signed by an authority that's not trusted, and so on, all the way to the root authority. I think it's rare that a Java client app would check the complete hierarchy, though (although that can probably be enabled somehow), so the problem is likely with the actual certificate being presented. What does a/any browser think about the certificate if you enter the URL by hand?
When I enter the URL into a browser, nothing happens. It seems to connect and that's it - no errors or messages. The URL ends in a .php, which apparently is their service that receives the XML that is being passed to them via the socket. If it makes a difference, here is the code that sends the request:
URL source = new URL(Constants.getProperty("https://www.blahblahblah/api.php"));
URLConnection conn = source.openConnection();
conn.setDoInput(true);
conn.setDoOutput(true);
// Opening the output stream is what triggers the SSL handshake.
PrintWriter out = new PrintWriter(conn.getOutputStream());
out.println("xml_query=" + xmlString);
out.close();
subject: javax.net.ssl.SSLException: untrusted server cert chain