Discussion:
OpenJDK lacks popular root certificates?
Eric Jain
2013-11-20 06:49:08 UTC
Permalink
I've noticed that I'm unable to establish HTTPS connections to sites
that use certificates issued by GeoTrust and StartCom
(javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: Certificate chaining
error).

This is only from Linux machines (Ubuntu 12.04.3 LTS) with OpenJDK
(openjdk-7-jre-headless; 1.7.0_25); no problem on Windows machines
with Oracle's JDK (1.7.0_45).

So who's to blame? OpenJDK? Oracle? Ubuntu? GeoTrust? Myself?

I've tried adding e.g. the "GeoTrust Global CA" certificate from
http://www.geotrust.com/resources/root-certificates/ to
/etc/ssl/certs/java/cacerts (using the `keytool` command), but that
doesn't appear to help... Wrong cacert file? Wrong certificate?
--
Eric Jain
zenobase.com -- What do you want to track today?


------------------------------------

Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/seajug/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/seajug/join
(Yahoo! ID required)

<*> To change settings via email:
seajug-digest-***@public.gmane.org
seajug-fullfeatured-***@public.gmane.org

<*> To unsubscribe from this group, send an email to:
seajug-unsubscribe-***@public.gmane.org

<*> Your use of Yahoo Groups is subject to:
http://info.yahoo.com/legal/us/yahoo/utos/terms/
Eric Jain
2013-11-20 20:07:09 UTC
Permalink
Post by Eric Jain
So who's to blame? OpenJDK? Oracle? Ubuntu? GeoTrust? Myself?
http://stackoverflow.com/questions/20105834/openjdk-has-certificate-chaining-errors-for-many-servers

Stan Dyck
2013-11-20 21:10:35 UTC
Permalink
Post by Eric Jain
Post by Eric Jain
So who's to blame? OpenJDK? Oracle? Ubuntu? GeoTrust? Myself?
http://stackoverflow.com/questions/20105834/openjdk-has-certificate-chaining-errors-for-many-servers
Might be a long shot, but have you tried running update-ca-certificates on the machine? You might have to update
/etc/ca-certificates.conf. I know that the /etc/ssl/certs directory has a bunch of symlinks in it, so it might not like it if
you just copy files directly in there. It seems a little more complex than it needs to be.

http://manpages.ubuntu.com/manpages/lucid/man8/update-ca-certificates.8.html

StanD.

Eric Jain
2013-11-21 01:21:18 UTC
Permalink
Post by Stan Dyck
Might be a long shot, but have you tried running update-ca-certificates on the machine? You might have to update
/etc/ca-certificates.conf. I know that the /etc/ssl/certs directory has a bunch of symlinks in it, so it might not like it if
you just copy files directly in there. It seems a little more complex than it needs to be.
http://manpages.ubuntu.com/manpages/lucid/man8/update-ca-certificates.8.html
I did run that; `update-ca-certificates` rebuilds
/etc/ssl/certs/java/cacerts, which is symlinked from
/usr/lib/jvm/java-7-openjdk/jre/lib/security/cacerts.

Turns out the problem wasn't with the local certificates, but with
servers that return their certificates in the wrong order. Most
browsers can deal with that, as does Java 7u40, but apparently not
Java 7u25.
--
Eric Jain
zenobase.com -- What do you want to track today?
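The root cause Eric describes (a server sending its chain out of order, accepted by some validators and rejected by others) comes down to whether the client trusts the order as sent or rebuilds the path itself. The following is an added example, not code from the thread or from OpenJDK: it models both behaviours on constructed (subject, issuer) name pairs, with "signature verification" reduced to issuer/subject name matching, which is all the ordering logic depends on. The host name, the "GeoTrust SSL CA" intermediate and the trust-store contents are constructed for illustration and do not describe the real certificates.

```python
# Added example (not from the original thread or from OpenJDK): why a server
# that sends its certificate chain in the wrong order fails a validator that
# takes the chain as sent, but passes one that rebuilds the path from the
# received certificates.  Certificates are reduced to (subject, issuer) name
# pairs; "signature verification" is simulated by name matching.  All names
# below are constructed for illustration.
from typing import Dict, List, Set, Tuple

Cert = Tuple[str, str]        # (subject, issuer); subject == issuer means self-signed
Result = Tuple[bool, object]  # (ok, ordered path on success / reason on failure)

# Constructed trust store: the root the client already ships with.
TRUST_STORE: Set[Cert] = {("GeoTrust Global CA", "GeoTrust Global CA")}

# Constructed certificates for a hypothetical host.
LEAF: Cert = ("www.example.com", "GeoTrust SSL CA")
INTERMEDIATE: Cert = ("GeoTrust SSL CA", "GeoTrust Global CA")
ROOT: Cert = ("GeoTrust Global CA", "GeoTrust Global CA")

ORDERED_CHAIN = [LEAF, INTERMEDIATE]          # leaf first, each cert certifies the one before it
MISORDERED_CHAIN = [INTERMEDIATE, LEAF]       # intermediate first: what a misconfigured server sends
CHAIN_WITH_ROOT = [ROOT, INTERMEDIATE, LEAF]  # some servers also append the root, in any order


def _anchored(issuer: str, trust_store: Set[Cert]) -> bool:
    """True if the trust store holds a certificate for this issuer name."""
    return any(root[0] == issuer for root in trust_store)


def validate_strict(chain: List[Cert], trust_store: Set[Cert]) -> Result:
    """Take the chain exactly as sent: chain[0] is the leaf and chain[i+1]
    must be the issuer of chain[i].  Any gap is a chaining error."""
    if not chain:
        return False, "empty chain"
    for cur, nxt in zip(chain, chain[1:]):
        if cur[1] != nxt[0]:
            return False, f"Certificate chaining error: {cur[0]!r} was not issued by {nxt[0]!r}"
    if not _anchored(chain[-1][1], trust_store):
        return False, f"no trust anchor for issuer {chain[-1][1]!r}"
    return True, list(chain)


def build_path(chain: List[Cert], trust_store: Set[Cert]) -> Result:
    """Treat the received certificates as an unordered pool: pick the leaf
    (the one no other certificate in the pool claims as its issuer), then
    walk issuer -> subject until a trust anchor is reached."""
    if not chain:
        return False, "empty chain"
    by_subject: Dict[str, Cert] = {c[0]: c for c in chain}
    issuers = {c[1] for c in chain if c[0] != c[1]}   # self-signed roots issue nothing here
    leaves = [c for c in chain if c[0] not in issuers]
    if len(leaves) != 1:
        return False, f"expected exactly one end-entity certificate, found {len(leaves)}"
    path: List[Cert] = [leaves[0]]
    seen = {leaves[0][0]}
    while not _anchored(path[-1][1], trust_store):
        issuer = by_subject.get(path[-1][1])
        if issuer is None:
            return False, f"no certificate for issuer {path[-1][1]!r} in chain or trust store"
        if issuer[0] in seen:
            return False, "issuer loop in chain"
        seen.add(issuer[0])
        path.append(issuer)
    return True, path


if __name__ == "__main__":
    for name, chain in [("ordered", ORDERED_CHAIN),
                        ("misordered", MISORDERED_CHAIN),
                        ("with root", CHAIN_WITH_ROOT)]:
        print(f"{name:10} strict : {validate_strict(chain, TRUST_STORE)}")
        print(f"{name:10} builder: {build_path(chain, TRUST_STORE)}")
```

The strict validator rejects both the misordered chain and the chain with a leading root, while the path builder accepts all three and always returns the same leaf-to-intermediate path, stopping at the trust store's copy of the root rather than the one the server sent. To see the order a real server actually sends, `openssl s_client -showcerts -connect host:443` prints the certificates in the order they appear in the handshake.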
