CertificateException: The certificate chain from the server is not trusted

David McWilliams
Ranch Hand

Joined: Mar 14, 2009
Posts: 73
Hi all,

I have an application that contacts a web service to do some processing. The contact has been mostly working fine but now I am getting the error message below:

I have the application deployed on Sun Java System Application Server 9.1.

Have any of you seen this error?

Thanks,
David
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19785
    
  20

The domain on the certificate probably doesn't match the URL. It's probably for yy.xx.com with yy being different from xx (usually it's www).


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
David McWilliams
Ranch Hand

Joined: Mar 14, 2009
Posts: 73
Rob Prime wrote: The domain on the certificate probably doesn't match the URL. It's probably for yy.xx.com with yy being different from xx (usually it's www).


Thanks for your reply Rob but that is not the issue. I have put the URL + wsdl into my browser and I can reach the wsdl.
Soumyajit Hazra
Ranch Hand

Joined: Jun 26, 2007
Posts: 136
I also faced a similar problem when working with my web app. I solved it by writing a small piece of code that signs the certificates by itself. I don't know whether it will help you but still you can take a look at the link.


Java Programmer | SCJP 1.5 | SCWCD 1.4
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Soumyajit Hazra wrote: I also faced a similar problem when working with my web app. I solved it by writing a small piece of code that signs the certificates by itself. I don't know whether it will help you but still you can take a look at the link.


As far as I can see you haven't solved anything. You have just suppressed all authentication, which defeats about half of the point of SSL/TLS! The result is very secure communication between parties with neither side knowing for sure who they are talking to.

I don't know what the cause of the original problem is but I would make sure that all certificates in the chain are in date and not on a revocation list and make sure the root certificate is in the trust store.


Retired horse trader.
 Note: double-underline links may be advertisements automatically added by this site and are probably not endorsed by me.
Alex Hurtt
Ranch Hand

Joined: Oct 26, 2010
Posts: 98
My guess is, to put it as simply as possible, the server's SSL certificate is signed by a certificate authority (CA) about which your application does not know because it cannot find a root certificate for that CA in the trust store your application is using. This would be solved by importing the CA's root certificate into your trust store using a utility like keytool or something. Another possibility is that the server's certificate is self-signed, which is often the case in test environments, in which case there is no trusted root certificate you can import. I don't really know the specifics of your environment or your scenario so it's hard to say exactly, but most likely you are missing the proper CA signed trusted root certificate from your trust store.
Alex Hurtt
Ranch Hand

Joined: Oct 26, 2010
Posts: 98
Soumyajit Hazra wrote: I also faced a similar problem when working with my web app. I solved it by writing a small piece of code that signs the certificates by itself. I don't know whether it will help you but still you can take a look at the link.


And if you deployed this 'solution' to a production environment then you are in big trouble. This should be used for purposes of testing solutions using self-signed certificates only...or in the event that you really do want to communicate securely with whoever might be impersonating the intended server and you really don't care whether or not you're talking to the server that you think you are. I doubt that's the case. This code just blindly accepts all https connections without verifying the certificate of the server.
David McWilliams
Ranch Hand

Joined: Mar 14, 2009
Posts: 73
I downloaded the PEM for the site I'm trying to contact. I then ran this command to import the PEM. It now works.

Thanks for all the input.

 