Help - untrusted server cert chain again !!!

Similar Messages

• Untrusted server cert chain - while connecting with ldap

  Hi All,
  I am getting the following error while running a standalone java program in windows 2000+jdk1.3 environment to connect with LDAP.
  javax.naming.CommunicationException: hostname:636 [Root exception is ja
  vax.net.ssl.SSLException: untrusted server cert chain]
  javax.naming.CommunicationException: hostname:636. Root exception is j
  avax.net.ssl.SSLException: untrusted server cert chain
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA12275)
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA12
  275)
  at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA12275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
  at java.io.OutputStream.write(Unknown Source)
  at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
  at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
  at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
  at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
  at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
  at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
  at javax.naming.InitialContext.init(Unknown Source)
  at javax.naming.InitialContext.<init>(Unknown Source)
  at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
  at Test2.getProxyDirContext(Test2.java:66)
  at Test2.main(Test2.java:40)
  Any help would be appreciated
  Thanks in Advance
  Somu

  This got resolved when in the code the following
  System.setProperty("javax.net.ssl.tmrustStore", CertFileName);
  where cert file name is the filename with complete path.the file is a CA certificate of the LDAP server
  in X509 format

• Another untrusted server cert chain question

  I have two servlets that make SSL connections to other servers and they seem to conflict with each other. The first servlet creates an SSL using a self-signed certificate that is imported programatically then used to make the connection:
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("javax.net.ssl.truststore", "<path>\cert");
  LDAPJSSESecureSocketFactory ldapjssesecuresocketfactory = new LDAPJSSESecureSocketFactory();
  LDAPConnection ldapconnection = new LDAPConnection(ldapjssesecuresocketfactory);
  The second servlet makes opens an SSL socket to a server using a Verisign-signed certificate, which desn't require any imported certificates:
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
  socket = (SSLSocket)factory.createSocket("<URL>", 443);
  When each is run independently they both work perfect but when you run the first before the second, the second returns:
  I/O error javax.net.ssl.SSLException: untrusted server cert chain
  I have tried importing the cert used in the first servet into the cacerts but it says it is not x.509 (and fails).
  I have tried programatically importing the cacerts into the truststore in the second servlet but get the same untrusted server cert chain error.
  Any assistance will be greatly appreciate.

  Well, I answered my own problem and now everything is working. Since the main problem was that I could not import the certificate into the cacerts file (error: not x.509 format), I concentrated on that. Even though the server with the self-signed key is not a web server, I used IE to browse to https://<server>:<port>. When given the security prompt, I imported the certificate into IE. I then exported the same certificate in an x.509 standard. From there importing the certificate was text book:
  keytool -import -trustcacert -alias <certalias> -file <path><certname> -keystore <javahome>\lib\security\cacerts
  Hope this helps someone else :-)

• Untrusted server cert chain Error

  I am trying to connect to a HTTPS server using a jsp page, running JRUN 1.3 and JSSE 1.0.2.
  I have an error message consistenly that says: "untrusted server cert chain".
  I believe that the certificate is ok, and JSSE is configured properly.
  Here is the code I am using, do you know where the preoblem is?
  <html>
  <%@ page import="java.io.*"%>
  <%@ page import="java.net.*"%>
  <%@ page import="com.sun.net.ssl.*"%>
  <%@ page import="java.security.*"%>
  <%@ page import="java.util.*"%>
  <head>
       <title></title>
  </head>
  <body>
  <%
  System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("javax.net.debug", "help all");
  URL thisURL=new URL("https://test.com/index.html");
  URLConnection uCon= null;
  uCon = (URLConnection) thisURL.openConnection();
  InputStreamReader isr=new InputStreamReader(uCon.getInputStream());
  BufferedReader brObject=new BufferedReader(isr);
  //printing out
  String line = "";
  StringBuffer sb     =     new StringBuffer();
  while ((line = brObject.readLine()) != null){
            sb.append(line);
  sb.toString();
  %>
  </body>
  </html>

  Why dont u try to connect to
  https://www.verisign.com
  Code seems to be correct. If it doesnt work, mail me at
  [email protected]

• Untrusted server cert chain

  Our product is a server. It uses Tomcat to receive HTTP requests.
  We would like tomcat to serve HTTP/SSL (https) directly.
  As described in the Tomcat documentation, we have used the Sun keytool.exe to create the SSL certificate.
  This certificate is autosigned.
  Tomcat is now running and supports SSL on port 8443.
  One client of our server try to send an HTTP request to our server.
  Here is the code of the client program:
       // Declaring SSL Provider
       com.sun.net.ssl.internal.ssl.Provider provider = new com.sun.net.ssl.internal.ssl.Provider ();               
       Security.addProvider(provider);
       // Opening connection
       URL processUrl = new URL("https://serverHostName:8443/serverApp/serverJSP.jsp");
       m_httpsCnct = (HttpsURLConnection)processUrl.openConnection();
       // Connection settings
       // Posting request
       OutputStreamWriter osw = new OutputStreamWriter(m_httpsCnct.getOutputStream());
  At this point, the following exception and debug info is thrown :
       %% No cached client session
       *** ClientHello, v3.1
       Thread-0, WRITE: SSL v3.1 Handshake, length = 59
       Thread-0, WRITE: SSL v2, contentType = 22, translated length = 16310
       Thread-0, READ: SSL v3.1 Handshake, length = 664
       *** ServerHello, v3.1
       %% Created: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
       ** SSL_RSA_WITH_RC4_128_SHA
       *** Certificate chain
       Thread-0, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
       Thread-0, WRITE: SSL v3.1 Alert, length = 2
       javax.net.ssl.SSLException: untrusted server cert chain
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
            at java.io.OutputStream.write(Unknown Source)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
            at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getOutputStream([DashoPro-V1.2-120198])
  I believe that my certificate is not trusted because it is autosigned.
  Is it true?
  Can I customize my client to accept this certificate?
  We register dynamically the SunJSSE Provider. It seems to take a long time. How can we avoid this?
  We didn't complete successfully the static registration.
  Any help would be appreciated.
  Thanks.

  I believe that the server is not trusted because it is not in your so-called "truststore." If you import the server certificate into a keystore using keytool and then reference that keystore as your "truststore", then you should be able to authenticate the server.
  One approach is to hit the server via a browser, save the server certificate, and export it. Then import it via keytool. You should be able to configure properties (jdk1.4 example below) such as:
  javax.net.ssl.trustStore=<path-to-truststore>
  javax.net.ssl.trustStoreType=JKS
  javax.net.ssl.trustStorePassword=<password>
  Good luck!

• Untrusted server cert chain for HTTPS on tomcat

  I have written 2 servlets
  1)One for sending username and password over HTTPS
  2)One for receiving the username and password and decrypting this
  When I am executing the 1st servlet,i get the exception :
  Error is client : javax.net.ssl.exception.:untrusted server cert chain
  I hv already created a server certificate with the 'keytool' command so why am i getting this
  error
  Please can any body help me on
  I am using TOMCAT as an HTTPS server!!!
  What shud I do to get rid of the 'untrusted server set chain' exception?
  Please help as I need to deploy this on my production server
  ajay
  [email protected]

  You get this error because your self-signed certificate is not trusted by the default installation of JDK/Tomcat. The simple way is probably to import the certificate you made with keytool into your store of trusted certificates. I don't exactly know how to do this.
  The other way is to override how certificates are handled. This is done by implementing your own X509TrustManager like this:
      SSLSocketFactory sslSF = null;
      KeyManager[] km = null;
      TrustManager[] tm = {new RelaxedX509TrustManager()};
      SSLContext sslContext = SSLContext.getInstance("SSL");
      sslContext.init(null, tm, new java.security.SecureRandom());
      sslSF = sslContext.getSocketFactory();
      URL url = new URL("https://myServer");
      URLConnection uCon = url.openConnection();
      ( (javax.net.ssl.HttpsURLConnection) uCon).setSSLSocketFactory(sslSF);
  And here is RelaxedX509TrustManager:
      class RelaxedX509TrustManager implements X509TrustManager {
          public boolean checkClientTrusted(java.security.cert.X509Certificate[] chain){
              return true;
          public boolean isServerTrusted(java.security.cert.X509Certificate[] chain){
              return true;
          public java.security.cert.X509Certificate[] getAcceptedIssuers() {
              return null;
          public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {}
          public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {}
  There might be some compilation errors...

• Untrusted server cert chain - MI 7.1 Client PDA

  Dear Expert,
  I am implementing SSL security in SAP MI 7.1.
  The HTTPS service is already enabled (port 443) and I can enter on via browser.
  Generate a certificate and signed by the SAP test certificate for 8 weeks.
  Export the certificate to the truststore file, using the command:
  keytool -import -file MID.cer  -keystore truststore -alias MID -storepass access
  Copy the truststore file (whit certificate MID) in PDA: \MI\settings.
  And also enable the parameters (in configuration.properties ):
  com.sap.tc.mobile.sync.http.port=443
  com.sap.tc.mobile.sync.protocol=https
  com.sap.tc.mobile.sync.http.sslenabled=true
  com.sap.tc.mobile.sync.https.hostnameverifying=false
  com.sap.tc.mobile.sync.https.truststore=/MI/settings/truststore
  But in trying to synchronize the PDA with the DOE get an error: "untrusted server cert chain"
  I am using: Client MI 7.1 for PDA SP9
  I have reviewed the documents: "How To Configure SSL for SAP NetWeaver Mobile 7.1 Applicable"
  Check various forms, without finding a solution ...
  some idea of the problem?
  Thanks!!

  Hi,
  Follow the below given links to configure SSL
  --> Making External Server Certificates Trusted
  http://help.sap.com/saphelp_dm40/helpdata/en/0f/8d80f68eace441b3d1ebdc4b
  2f2c81/content.htm (The link applies for PDA also)
  --> Configure the below given parameters in the default.properties
  com.sap.tc.mobile.sync.http.sslenabled
    > Default value: True
  com.sap.tc.mobile.sync.https.hostnameverifying
     > Default value: True
  com.sap.tc.mobile.sync.https.truststore
    > Location of truststore file containing SSL certificates. If the
  given location is not absolute, the system searches for the file in a
  path that is relative to the installation directory.
  For more details refer Note : 1312866
  And follow the below given link :
  http://help.sap.com/saphelp_nwmobile71/helpdata/en/06/a7d001e17b421db7e2
  dd8279853971/frameset.htm
  --> Even after following the above mentioned steps,Do the following :
  Create the Trustsore on a PC and then use a Addon to
  deploy these files to the PDA along with the SSL Libraries.
  Regards,
  Suma

• Synchronization Error: Untrusted Server Cert Chain

  Hi Folks,
  The basis team have installed SAP Netweaver 7.01 with Mobile 7.1 on the server. I'm using the NW Mobile Client on a Hand Held to synchronize and register for the first time to the DOE. But I'm getting the error: "Untrusted Server Cert Chain".
  Can anyone guide me through this problem. I know that this is something with a certificate but still don't know how solve this.
  Thanks in advance.
  Regards,
  Gilberto Li

  Solved it with OSS Note 550498.

• Ignoring untrusted server cert chain SSLException

  Does anyone know how to get hold of the input stream of an https url that has an untrusted server cert chain?
  I'm trying to read the contents of a page hosted on a machine with a self signed or expired certificate but HttpsURLConnection.getInputStream() will just throw an SSLException saying "untrusted server cert chain" rather than returning an input stream. Do you know how I might avoid the exception and get the stream?

  Hi MPistoia
  u have to import server cert inside a keystore and use it in your code.
  I suggest you to download keyman tool from ibm (http://www.alphaworks.ibm.com/tech/keyman)..it's very simple and
  it works great.
  This are the steps
  1. Navigate with netscape to that url
  2. accept certificate
  3. Launch keyman tool and import server certificate from netscape
  4. save a file client.keystore and obviously remember your keystore password
  5. use this code to connect
  SSLSocketFactory ssf;
  TrustManagerFactory tmf;
  KeyStore ks;
  FileInputStream fis;
  String pathKeyStore="C:\\client.keystore";
  char[] passphrase = "keystorePassword".toCharArray();
  fis=new FileInputStream(pathKeyStore);
  ks = KeyStore.getInstance("JKS");
  ks.load(fis, passphrase);
  tmf = TrustManagerFactory.getInstance("SunX509");
  tmf.init(ks);
  SSLContext ctx = SSLContext.getInstance("TLS");
  ctx.init(null, tmf.getTrustManagers(), null);
  fis.close();
  try {
  URL url = new URL("https://yourpage");
  com.sun.net.ssl.HttpsURLConnection connection = (com.sun.net.ssl.HttpsURLConnection) url.openConnection();
  ssf = ctx.getSocketFactory();
  connection.setSSLSocketFactory(ssf);
  connection.connect();
  System.out.println("Ok :" + connection.getURL());
  this code should work..
  good luck
  Michele

• SSLException : untrusted server cert chain in java client, but not getting that with weblogic.

  Hi,
  I am bit confused about what i am seeing,
  a. i used java client to talk to talk to server, got "untrusted server cert chain"
  , ressolved the exceptio by adding certificate to cacerts file.
  b. tried to connect to server using another weblogic server and not getting "untrusted
  server cert chain", even when the certificates are not installed.
  i dont know why it is throwning the SSLException in (a) and not in (b).
  thanks,
  Nirmala

  Stand alone client takes its trusted certificate from the JDK cacerts keystore
  by default.
  SSL client running on server uses server trust configuration. By default the server
  is configured to trust the CAs with certificates in DemoTrust.jks keystore and
  the JDK cacerts keystore.
  Pavel.
  "Nirmala" <[email protected]> wrote:
  >
  Hi,
  I am bit confused about what i am seeing,
  a. i used java client to talk to talk to server, got "untrusted server
  cert chain"
  , ressolved the exceptio by adding certificate to cacerts file.
  b. tried to connect to server using another weblogic server and not getting
  "untrusted
  server cert chain", even when the certificates are not installed.
  i dont know why it is throwning the SSLException in (a) and not in (b).
  thanks,
  Nirmala

• Untrusted server cert chain & does not recognize the certificate authority

  I have java code that makes an ssl connection to an HTTPS server.
  The code workes fine when I connect to a server that has a
  certificate that was issued by a recognizable authority.
  But when I try to connect to our test HTTPS server which has a
  certificate that was created by ourselves for debug, I get this
  java exception: "untrusted server cert chain".
  When I connect to our test HTTPS server with a browser, I get
  this message from the browser in a popup window:
  "www.xyz.com is a web site that uses a security certifcate to
  identify itself. However netscape 6 does not recognize the
  certificate authority that issued this certificate."
  At this point I am able to accept the certificate in the popup
  window and continue.
  Question: In my java code how can I accept a certificate
  that was signed by an unrecognizable authority just like the
  browser can. Or during debug, how can I set an override
  to accept ALL certs no matter what.
  Thanks.....Paul

  You will have to import your server test certificate into your client machine keystore. By default the keystore will be the 'cacerts' file in JAVA_HOME/jre/lib/security, get your server certificate in .pem format and use keytool to import it to the client.
  keytool -import -alias <anything> -file <full path of .pem file> -keystore <full path of cacerts file>
  The keystore password is 'changeit' by default, keytool comes with the JDK.
  The reasoning behind this is to prevent the misuse of test certificates, the client has to consciously import an untrusted certificate. When you install a real certificate on your server the client will be automatically validated if bought from a trusted CA (Thawte, Verisign).
  Take a look at the java.security.KeyStore class, you can use it to view your certificate chain.
  Ronny.

• Untrusted server cert chain  - another one

  Hi We have an application communites with our partners via HTTPS. We , partners and us, purchase our server/client certificate from Verisign
  The partners send data to us thru W2k IIS which then forward the data to our Application Server
  (JRun).
  We send the data back from our appserver to the partner HTTPS url
  There is one particular partner which we are not able to send data to it's server
  We use JSSE 1.0.2 JDK 1.3 using the default truststore comes with JRE which should have
  the versign root certificates
  Any suggestions?
  Helps are greatly appreciated
  -Dan

  We ended up importing the partner's server certificate to our truststore.
  But prefer to understand why
  Thanks
  -Dan

• "untrusted server cert chain" exception while connecting LDAP server

  While connecting to LDAP server using JNDI over JSSE ..This is happening when trying to get the initial context
  using
  InitialDirContext initContext = new InitialDirContext(env);
  where env is a hash table set with the default parametes.The certificate used for is a Novell CA certificate converted to X509 format and the key store is initialized with this

  This got resolved when in the code the following
  System.setProperty("javax.net.ssl.tmrustStore", CertFileName);
  where cert file name is the filename with complete path.the file is a CA certificate of the LDAP server
  in X509 format

• JSSE  Client and server communication problem .err:untrusted server cert

  Hai all,
  I am trying to communicate JSSE client and server.
  I have created root.cert(CA),root.key,server.cert,server.key , client.cert and client.key. All these certificates are created using openssl.
  I have placed root.cert in default keystore cacerts.
  I have created a keystores(server & client) name mykeystore.
  I have placed root.cert and client.cert in the client keystore.
  I have placed root.cert and server.cert in the server keystore.
  But during the run time i am getting javax.net.ssl.SSLException: untrusted server cert chain.
  please suggest the modifications needs to be done to fix the error.
  please tell me In the client keystore and in the server keystore....what certificates we need to put?
  whether my approach as said above is correct or not?
  In java code how to specify this particular certificate we are referring?
  I have coded in this way ....
  SSLContext ctx;
  KeyManagerFactory kmf;
  KeyStore ks;
  char[] prasad = "prasad".toCharArray();
  ctx = SSLContext.getInstance("SSLv3");
  kmf = KeyManagerFactory.getInstance("SunX509");
  ks = KeyStore.getInstance("jks");
  ks.load(new FileInputStream("mykeystore"), prasad);
  kmf.init(ks, prasad);
  ctx.init(kmf.getKeyManagers(), null, null);
  factory = ctx.getSocketFactory();
  But my doubt is we are specifying only keystore name with that how it will check root.cert(ca) and client.cert and server.cert?
  Is there any modifications need in my code?
  Please tell me some way ...
  Thanks ,
  Prasad.

  Hi prasad,
  There will be a problem with the certificates being received from thr remote server or client. Check that your trust store contains the certificate of the remote machine or the CA that signed it and that the certificate has not expired.
  Also be sure that both machines are using the latest version of the JSSE.
  Hope this will help you.
  Regards,
  Anil.
  Technical Support Engineer.

• Untrusted Server Certificate Chain error

  I am trying to use a certificate (digital signature) on the client, when accessing a Webservice. This fails with the following error :
  javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
  My code is :
  KeyStore ks = null;
  String strURL = "https://myserver.com/myurl/lookup.asmx";
  SSLSocketFactory sslSocketFactory = null;
  System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // Load certificate dynamically
  SSLContext sslContext = SSLContext.getInstance("SSLv3");
  TrustManagerFactory trustMgtFactory = TrustManagerFactory.getInstance("SunX509");
  CertificateFactory cert = CertificateFactory.getInstance("X.509");
  FileInputStream lo_fileinputstream = null;
  lo_fileinputstream = new FileInputStream("c:\\temp\\digital.cer");
  X509Certificate servercacert = (X509Certificate)cert.generateCertificate(lo_fileinputstream);
  lo_fileinputstream.close();
  String s1 = servercacert.getSerialNumber().toString();
  if(ks == null)
  ks = KeyStore.getInstance("JKS");
  ks.load(null, null);
  ks.setCertificateEntry(s1, servercacert);
  trustMgtFactory.init(ks);
  sslContext.init(null, trustMgtFactory.getTrustManagers(), null);
  sslSocketFactory = sslContext.getSocketFactory();
  HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
  // Call webservice
  URL cascadeURL = new URL(strURL);
  HttpsURLConnection conn = (HttpsURLConnection) cascadeURL.openConnection();
  String inputline=null;
  if (conn instanceof HttpsURLConnection) {
  conn.connect();
  BufferedReader in = new BufferedReader(
  new InputStreamReader(
  conn.getInputStream()));
  while ((inputline = in.readLine()) != null) {
  System.out.println(inputline);
  in.close();
  Please help - I am on a very tight deadline (as usual).

  Found the problem. I simply needed to add another certificate.