The certificate chain received contained a V3 CA certificate which key usage constraints indicate its key cannot be used to sign certificates

StackOverflow https://stackoverflow.com/questions/17840725

Question

The owners of a service we consume in one of our preproduction environments recently changed their certificate setup (without notifying us).

Since this cert change any attempts to call our service (which lives on a weblogic box) result in:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header/>
   <env:Body>
      <env:Fault xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/">
         <faultcode>ns0:Server</faultcode>
         <faultstring xml:lang="en">javax.xml.ws.WebServiceException: javax.net.ssl.SSLKeyException: [Security:090569]The certificate chain received from xxxxxxx - xx.xxx.xx.xxx contained a V3 CA certificate which key usage constraints indicate its key cannot be used to sign certificates.</faultstring>
      </env:Fault>
   </env:Body>
</env:Envelope>

I've never encountered this error before (and as far as google goes, no one else has), but I'm reasoning that one of the certs in the chain is a CA and it doesn't have the constraint for key signing (obviously). However, I can't see a problem with the cert chain and nothing is flagged when I visit the URL in a browser.

Here's what the chain looks like:

DigiCert
->DigiCert High Assurance CA-3
-->*.co.uk

DigiCert
Version - V3
Key Usage - Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Basic Constraints - Subject Type=CA, Path Length Constraint=None

DigiCert High Assurance CA-3
Version - V3
Key Usage - Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Basic Constraints - Subject Type=CA, Path Length Constraint=0

*.co.uk 
Version - V3
Key Usage - Digital Signature, Key Encipherment (a0)
Basic Constraints - Subject Type=End Entity, Path Length Constraint=None

All of the certs are in our trust store. I've also tried setting weblogic to demo trust, but oddly, that doesn't have any effect.

Any ideas?

UPDATE

After enabling debug with

-Dssl.debug=true 
-Dweblogic.StdoutDebugEnabled=true 
-Dweblogic.security.SSL.verbose=true

I got:

<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 4797710814556239092785509911582462711
Issuer:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Subject:C=GB, L=Belfast, O=xxxxx xxxxx xxxxx xxxxx, CN=*.co.uk
Not Valid Before:Mon Jan 14 00:00:00 GMT 2013
Not Valid After:Tue Jan 21 12:00:00 GMT 2014
Signature Algorithm:SHA1withRSA
>
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is invalid because the issuer DN does not match the next certificate subject: C=GB, L=Belfast, O=xxxxx xxxxx xxxxx xxxxx, CN=*.co.uk>
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Signature verification failed>
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 7868785665241589417982590706715607915
Issuer:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Subject:C=GB, L=Belfast, O=xxxxx xxxxx xxxxx xxxxx, CN=*.co.uk
Not Valid Before:Mon Jan 14 00:00:00 GMT 2013
Not Valid After:Tue Jan 21 12:00:00 GMT 2014
Signature Algorithm:SHA1withRSA

To me this looks like weblogic is reading the cert chain incorrectly; it seems to think the cert at the bottom of the chain is signing itself?
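The debug output above shows the check that is actually failing: certificate 1 in the received chain carries the same issuer and subject as certificate 0, so the leaf's issuer DN does not match the next certificate's subject and no CA certificate can be found to validate it. The following Go program is an added example, not code from the question, the answer or WebLogic. Using only the standard library, it generates a constructed three-tier PKI shaped like the chain described (a root with no path length limit, an intermediate with path length 0, a wildcard end-entity certificate) and runs the ordered-chain checks a strict TLS client performs: issuer DN equals next subject DN, the signer is a CA whose key usage permits certificate signing, the path length constraint is honoured, and the signature verifies. The names (Demo Root CA, *.example.co.uk and so on) are constructed; Go's own x509.Certificate.Verify builds chains by lookup rather than by position, so the positional check is written by hand here to mirror what the log reports.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckOrderedChain validates a chain as presented in a TLS handshake (leaf first, each
// certificate followed by its issuer): the issuer DN must equal the next subject DN, that
// next certificate must be a CA whose key usage allows keyCertSign, its path length
// constraint must not be exceeded, and the signature must verify.
func CheckOrderedChain(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate chain")
	}
	for i := 0; i+1 < len(chain); i++ {
		child, issuer := chain[i], chain[i+1]
		if !bytes.Equal(child.RawIssuer, issuer.RawSubject) {
			return fmt.Errorf("certificate %d: issuer DN %q does not match the next certificate subject %q",
				i, child.Issuer.String(), issuer.Subject.String())
		}
		if !issuer.BasicConstraintsValid || !issuer.IsCA {
			return fmt.Errorf("certificate %d: signer %q is not a CA", i, issuer.Subject.String())
		}
		if issuer.KeyUsage != 0 && issuer.KeyUsage&x509.KeyUsageCertSign == 0 {
			return fmt.Errorf("certificate %d: signer %q key usage does not permit certificate signing",
				i, issuer.Subject.String())
		}
		// chain[1..i] are the CA certificates below this issuer; pathLen bounds how many may
		// appear. Go reports an absent constraint as MaxPathLen -1 (or 0 with MaxPathLenZero false).
		if (issuer.MaxPathLen > 0 || issuer.MaxPathLenZero) && i > issuer.MaxPathLen {
			return fmt.Errorf("certificate %d: signer %q path length constraint %d exceeded",
				i, issuer.Subject.String(), issuer.MaxPathLen)
		}
		if err := child.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("certificate %d: signature verification failed: %w", i, err)
		}
	}
	return nil
}

// issue generates a P-256 key and a certificate for it (constructed demo PKI, hypothetical
// names). parent == nil yields a self-signed root; pathLen < 0 means no path length constraint.
func issue(cn string, isCA bool, pathLen int, usage x509.KeyUsage, serial int64,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Constructed Demo PKI"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		MaxPathLen:            -1,
	}
	if isCA && pathLen >= 0 {
		tmpl.MaxPathLen = pathLen
		tmpl.MaxPathLenZero = pathLen == 0
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DemoChains builds the constructed PKI (root, pathLen-0 intermediate, wildcard leaf) and
// returns three orderings: the correct chain, a chain where a second end-entity certificate
// was sent in place of the intermediate (as in the debug log), and a chain with a sub-CA
// issued beneath the pathLen-0 intermediate.
func DemoChains() (good, wrongOrder, tooDeep []*x509.Certificate, err error) {
	caUsage := x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	eeUsage := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	root, rootKey, err := issue("Demo Root CA", true, -1, caUsage, 1, nil, nil)
	if err != nil {
		return
	}
	inter, interKey, err := issue("Demo High Assurance CA-3", true, 0, caUsage, 2, root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err := issue("*.example.co.uk", false, -1, eeUsage, 3, inter, interKey)
	if err != nil {
		return
	}
	leaf2, _, err := issue("*.example.co.uk", false, -1, eeUsage, 4, inter, interKey)
	if err != nil {
		return
	}
	subCA, subKey, err := issue("Demo Sub CA", true, -1, caUsage, 5, inter, interKey)
	if err != nil {
		return
	}
	deepLeaf, _, err := issue("deep.example.co.uk", false, -1, eeUsage, 6, subCA, subKey)
	if err != nil {
		return
	}
	good = []*x509.Certificate{leaf, inter, root}
	wrongOrder = []*x509.Certificate{leaf, leaf2, inter, root}
	tooDeep = []*x509.Certificate{deepLeaf, subCA, inter, root}
	return
}

func main() {
	good, wrongOrder, tooDeep, err := DemoChains()
	if err != nil {
		panic(err)
	}
	fmt.Println("good:       ", CheckOrderedChain(good))
	fmt.Println("wrong order:", CheckOrderedChain(wrongOrder))
	fmt.Println("too deep:   ", CheckOrderedChain(tooDeep))
}
```

Running the program reports nil for the correct chain, the "issuer DN ... does not match the next certificate subject" error for the chain with the duplicated leaf, and a path length error for the chain that nests a CA beneath the pathLen-0 intermediate. The first error is the same condition WebLogic logged; when a browser accepts the same site it is usually because it fetched or cached the intermediate on its own, which a strict server-side client does not do.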


Solution

The issue turned out to be the certificate itself, just as the error said! My mistake was assuming the issue was with our systems.

The certificate showed as being correct in the browser but weblogic's authentication libraries appear to be stricter.

The service owner has since issued a correctly signed certificate.

Licensed under: CC-BY-SA with attribution