WebSphere Application Server & Liberty

  • 1.  Certificate chaining error

    Posted Wed August 01, 2018 05:57 AM
    Edited by Stefan Witte Wed August 01, 2018 09:38 AM
    Hi,
    I have a Certificate chaining error that I cannot resolve.
    I'm on: WebSphere Platform 8.5.5.11 [BASE 8.5.5.11 cf111649.01] [IBMJAVA7 7.0.9.60 cf111647.02]
    and have the following error when contacting https://sgw01.cm.nl:

    ClientProtocolException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
    java.security.cert.CertPathValidatorException: Certificate chaining error

    The certificate is correct according to DigiCert (https://www.digicert.com/help/).
    The chain is: sgw01.cm.nl > RapidSSL TLS RSA CA G1 > DigiCert Global Root G2 (A > B > C)

    I did a retrieve from port for A, I downloaded both B and C and imported them in the NodeDefaultTrustStore. Also restarted WAS.
    There was no effect, the error remains.

    Does anyone have an idea what I can do to solve this chaining error?


    EDIT:
    Upgrading the IBM JDK to [IBMJAVA7 7.0.10.15 cf131751.02] didn't help.


    Thanks.

    ------------------------------
    JStefan.
    ------------------------------


  • 2.  RE: Certificate chaining error

    Posted Wed August 01, 2018 09:46 AM
    Hi,
    A certificate chain means your CA certificate may have an intermediate CA. All your intermediate CA certificates should also be present in the trust store. Check your CA certificate and download all certificates, including the intermediate CA certificates.

    ------------------------------
    Balraj Jeyaprakash IT Architect
    IT Architect
    IBM India Pvt Ltd
    Chennai
    ------------------------------



  • 3.  RE: Certificate chaining error

    Posted Wed August 01, 2018 10:47 AM
    "Your all intermediate CA certificates also should be present in the trust store."
    I did download the intermediate and root certificate and added them to the NodeDefaultTrustStore. That didn't help. Is that the right place to add these certificates?

    The main certificate I imported using "retrieve from port".

    "Check your CA certificate .. "
    Where exactly can I check this in the Admin console?
    Where can I see which root and intermediate certs are known by IBM or by the JDK?

    ------------------------------
    Stefan Witte
    ------------------------------



  • 4.  RE: Certificate chaining error

    Posted Sat August 04, 2018 12:11 PM
    Edited by Madhava Sat August 04, 2018 12:16 PM
    Stefan,

    From your message, it looks like you are using a base version of the product! When using the base version, the node default truststore's signer certs section is the correct place. Just cross-check these settings.

    Security > SSL certificate and key management > Related Item - SSL Configurations > NodeDefaultSSLSettings > Trust store name

    When using an ND version of WebSphere you will add it to the cell default truststore rather than the node one.

    If the above keystore is intact, I would like you to try adding the three certificates to the following file (assuming you are using Java 7 from your message; if not, change the path to the Java in use), restart the server and test your communication.
    $WAS_HOME/java_1.7/jre/lib/security/cacerts

    If the above method fails, please gather SSL traces as mentioned here and post them here, and I will look further.

    IBM MustGather: SSL problems on WebSphere traditional - United States

    Good Luck!

    ------------------------------
    Madhava
    ------------------------------



  • 5.  RE: Certificate chaining error
    Best Answer

    Posted Mon August 06, 2018 08:16 AM
    Hi Madhava,

    The solution was indeed to add the missing root certificate to the cacerts like:
    keytool -import -file D:\tmp\DigiCertGlobalRootG2.crt -storepass changeit -keystore "D:\Apps\IBM\WebSphere\AppServer\java_1.7.1_64\jre\lib\security\cacerts" -alias DigiCertGlobalRootG2
    No WebSphere restart needed.
    The error originated from an HTTPS call that suddenly needed a minimum of TLSv1.1. So I forced the HTTP client to use TLSv1.2.
    Thanks for your help.

    ------------------------------
    Stefan Witte
    ------------------------------
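
The check behind answers 4 and 5 can be reproduced without WebSphere: validate the chain the server presents (A > B) against a trust store with the same PKIX validator JSSE uses, and see whether the root (C) is an anchor. This is an added example, not code from the thread or from IBM; it assumes the trust store path, its password and a PEM file with the leaf and intermediate certificates are passed as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Validates a server's certificate chain against a JKS trust store the way JSSE does,
// so a "Certificate chaining error" can be reproduced and explained offline.
// Usage: java ChainCheck <truststore.jks> <storepass> <chain.pem>
//   chain.pem: leaf first, then intermediates, in PEM form. Do not include the
//   self-signed root; supplying that is the trust store's job.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");   // cacerts / NodeDefaultTrustStore are JKS
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());      // cacerts default password is "changeit"
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }

        PKIXParameters params = new PKIXParameters(trust); // every trusted cert entry becomes a trust anchor
        params.setRevocationEnabled(false);                // offline: chain and trust only, no CRL/OCSP
        CertPath path = cf.generateCertPath(chain);
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: chain anchors at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // This is the condition behind the PKIX path building failure in the thread:
            // the issuer of the last presented certificate has no matching trust anchor.
            X509Certificate last = chain.get(chain.size() - 1);
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.out.println("No trust anchor for issuer: " + last.getIssuerX500Principal());
            System.out.println("Import that CA certificate into the trust store and re-run.");
        }
    }
}
```

Run it once against the JDK cacerts and once against the exported NodeDefaultTrustStore to see which store the client actually consults; the same chain can pass in one and fail in the other.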