Question

I realize that this question may appear to be a duplicate, but none of the threads I've browsed seem to address or help my situation.

I've been trying for days now to create a self-signed SSL certificate. The certificate is needed to access a glassfish domain that must provide WSDL files through HTTPS. I am using Glassfish 3.1.1 on Solaris 10, which does not use the default SSL port (443). At the moment, it is using 8181.

SSL certificates are very particular about the hostname used to access them. The certificate needs to be valid across several network zones; thus the glassfish domain has more than one different IP associated with it. The hostname (let's call it foobar) is not accessible outside the server itself as far as I can see.

After much research I decided I would need to generate a self-signed certificate with Subject Alternative Names indicating these IPs. Below are the steps I took.

  1. The easiest way to generate a cert with SAN is to download Java 7, which includes a keytool utility with this capability. Download JDK 1.7.0_04 from the Oracle website and install it on foobar.

  2. Navigate to the glassfish domain1 configuration directory, e.g. /opt/glassfish3/glassfish/domains/domain1/config

(The following is modified from the Oracle Glassfish 3.1 documentation: http://docs.oracle.com/cd/E18930_01/html/821-2435/ablqz.html)

  1. Generate the certificate in the keystore. Note: each glassfish domain has its own keystore; the cert below is generated for domain1, which is associated with HTTPS port 8181.

    keytool -genkey -alias foobar -keyalg RSA -dname "CN=foobar, OU=xxxxxxx xxxx, O=xxxxxxxxxx, L=xxxxx xxx, S=xx, C=xx" -ext "SAN=IP:12.34.56.78,IP:99.88.77.66" -keypass changeit -storepass changeit -validity 3650 -keystore keystore.jks

  2. Export the generated certificate to a file (in this case, foobar.cer)

    keytool -export -alias foobar -storepass changeit -file foobar.cer -keystore keystore.jks

  3. Import the certificate into cacerts as a trusted certificate. Do this twice, once for the Glassfish cacerts file, and once for the Java JRE cacerts file on foobar.

    keytool -import -v -trustcacerts -alias foobar -file foobar.cer -keypass changeit -storepass changeit -keystore cacerts.jks

    In /usr/java/jre/lib/security: keytool -import -v -trustcacerts -alias foobar -file foobar.cer -keypass changeit -storepass changeit -keystore cacerts

  4. Just in case, I also downloaded and imported the certificate into the Java JRE cacerts file at the Windows workstation that will be accessing HTTPS (probably not necessary).

    In C:\Program Files\Java\jre\lib\security: keytool -import -v -trustcacerts -alias foobar -file foobar.cer -keypass changeit -storepass changeit -keystore cacerts

  5. Restart glassfish domain1.

    asadmin restart-domain domain1

  6. After the restart completes, test the connection. In my case I go to my Windows workstation where I have the Java app loaded up in Netbeans. I run my test where the WSDL is needed through HTTPS, and enter https://12.34.56.78:8181 as the source.

This gives me the following error:

2012-06-05 10:25:32,132  WARN utilities.ConnectionManager - Could not connect to url https://12.34.56.78:8181/foobar/WebService?wsdl: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If I instead use the default Glassfish SSL certificate for domain1, I get an error indicating that no subject alternative names are present. That's why I went through the trouble of regenerating the cert in the first place.

As far as I can tell, importing the certificate as a trusted CA certificate ought to solve this "unable to find valid certification path" error. I admit I'm not much of a network specialist but all of my research thus far indicates that to be the case. I'm not sure if the problem here is because I'm using a non-standard SSL port (having to add the :8181 may lead to a mismatch with the SAN IP). I haven't tried that yet. But isn't there a way to generate a self-signed cert for an IP:Port combination, either in CN or SAN?

Thanks... Help would be much appreciated!

P.S. I can provide application code if necessary.
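The question asks whether a certificate can be issued for an IP:port combination. It cannot: TLS identity checking compares only the host part of the URL against the certificate, and the port plays no role. The PKIX "unable to find valid certification path" error in the log is the earlier chain-validation step, which fails before the client ever gets to the name check. The following added example (not code from the question or from Glassfish; standard-library Python only) implements the identity-matching rule on certificate dictionaries shaped like Python's ssl.SSLSocket.getpeercert() output, with two constructed sample certificates: one modelled on the question's keytool command (CN=foobar plus two IP SANs) and one modelled on a CN-only default certificate. It shows that https://12.34.56.78:8181/... matches the IP SAN regardless of port, and that an IP literal never matches a CN-only certificate, which is the "no subject alternative names" failure the question describes for the default cert.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(),
# modelled on a cert generated with
#   -dname "CN=foobar" -ext "SAN=IP:12.34.56.78,IP:99.88.77.66"
SAN_CERT = {
    "subject": ((("commonName", "foobar"),),),
    "subjectAltName": (
        ("IP Address", "12.34.56.78"),
        ("IP Address", "99.88.77.66"),
    ),
}

# Constructed sample: a default self-signed cert carrying only a CN and
# no subjectAltName extension at all.
CN_ONLY_CERT = {
    "subject": ((("commonName", "localhost"),),),
}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName comparison: case-insensitive, and a single
    leading '*' label may match exactly one label of the host."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_matches(cert: dict, host: str) -> bool:
    """Return True if `host` (a DNS name or IP literal, without a port) is
    an identity the certificate asserts.

    Rules, as in RFC 2818 / RFC 6125:
      * an IP literal matches only an 'IP Address' SAN entry;
      * a DNS name matches a 'DNS' SAN entry; the subject CN is consulted
        only when the cert carries no dNSName SAN at all.
    The TCP port is never part of the comparison.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == ip
            for kind, value in san
        )

    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, host) for p in dns_names)

    # No dNSName SAN present: fall back to the subject's commonName.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_match(value, host):
                return True
    return False


def url_identity_matches(cert: dict, url: str) -> bool:
    """Take the host out of a URL (scheme, port and path are dropped) and
    check it against the certificate. urlsplit().hostname strips the port
    and the brackets around an IPv6 literal."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return identity_matches(cert, host)


if __name__ == "__main__":
    for cert_name, cert in (("SAN_CERT", SAN_CERT), ("CN_ONLY_CERT", CN_ONLY_CERT)):
        for url in ("https://12.34.56.78:8181/foobar/WebService?wsdl",
                    "https://99.88.77.66:443/",
                    "https://foobar:8181/"):
            print(f"{cert_name:13s} {url:48s} -> {url_identity_matches(cert, url)}")
```

The CN fallback is only reached when the certificate has no dNSName entries; once a certificate carries any DNS SAN, a hostname that is absent from the SAN list fails even if it equals the CN. That is why a cert meant to be reached by both a hostname and several IPs should list every one of them as SAN entries rather than relying on the CN.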


Solution

It's been quite some time since I had this problem.

I couldn't solve it as described above, so I ended up ordering SSL certs from a public CA.

I did run into one notable quirk concerning Glassfish (3.1.1) and SSL. For whatever reason, at least ONE non-SSL enabled network listener needs to exist per domain, or you'll get certificate errors when accessing the SSL enabled web service URLs.

So say I have a listener on 8080 and 8181. If both are SSL enabled then the certs won't work. If SSL is removed from 8080, the cert attached to listener 8181 will work.

OTHER TIPS

I think the problem is that the certificate that goes to cacerts has to have a very specific alias (in 3.1.1.2 it is glassfish-instance)

Licensed under: CC-BY-SA with attribution