
CertificateException: The certificate chain from the server is not trusted

 
David McWilliams
Ranch Hand
Posts: 77
Hi all,

I have an application that contacts a web service to do some processing. The contact has been mostly working fine but now I am getting the error message below:

I have the application deployed on Sun Java System Application Server 9.1.

Have any of you seen this error?

Thanks,
David
 
Rob Spoor
Sheriff
Posts: 20510
The domain on the certificate probably doesn't match the URL. It's probably for yy.xx.com with yy being different from xx (usually it's www).
 
David McWilliams
Ranch Hand
Posts: 77
Rob Prime wrote: The domain on the certificate probably doesn't match the URL. It's probably for yy.xx.com with yy being different from xx (usually it's www).


Thanks for your reply Rob but that is not the issue. I have put the URL + wsdl into my browser and I can reach the wsdl.
 
Soumyajit Hazra
Ranch Hand
Posts: 136
I also faced a similar problem when working with my web app. I solved it by writing a small piece of code that signs the certificates by itself. I don't know whether it will help you but still you can take a look at the link.
 
James Sabre
Ranch Hand
Posts: 781
Soumyajit Hazra wrote: I also faced a similar problem when working with my web app. I solved it by writing a small piece of code that signs the certificates by itself. I don't know whether it will help you but still you can take a look at the link.


As far as I can see you haven't solved anything. You have just suppressed all authentication, which defeats about half of the point of SSL/TLS! The result is very secure communication between parties with neither side knowing for sure who they are talking to.

I don't know what the cause of the original problem is but I would make sure that all certificates in the chain are in date and not on a revocation list and make sure the root certificate is in the trust store.
 
Alex Hurtt
Ranch Hand
Posts: 98
My guess is, to put it as simply as possible, the server's SSL certificate is signed by a certificate authority (CA) about which your application does not know because it cannot find a root certificate for that CA in the trust store your application is using. This would be solved by importing the CA's root certificate into your trust store using a utility like keytool or something. Another possibility is that the server's certificate is self-signed, which is often the case in test environments, in which case there is no trusted root certificate you can import. I don't really know the specifics of your environment or your scenario so it's hard to say exactly, but most likely you are missing the proper CA signed trusted root certificate from your trust store.
 
Alex Hurtt
Ranch Hand
Posts: 98
Soumyajit Hazra wrote: I also faced a similar problem when working with my web app. I solved it by writing a small piece of code that signs the certificates by itself. I don't know whether it will help you but still you can take a look at the link.


And if you deployed this 'solution' to a production environment then you are in big trouble. This should be used for purposes of testing solutions using self-signed certificates only...or in the event that you really do want to communicate securely with whoever might be impersonating the intended server and you really don't care whether or not you're talking to the server that you think you are. I doubt that's the case. This code just blindly accepts all https connections without verifying the certificate of the server.
 
David McWilliams
Ranch Hand
Posts: 77
I downloaded the PEM for the site I'm trying to contact. I then ran this command to import the PEM. It now works.

Thanks for all the input.

 