Https authentication through Connector

Hi,
HTTPS authentication through Connector is failing with SSL certificates.

Getting the below error:

May 23, 2019 2:06:57 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [org.camunda.bpm.spring.boot.starter.rest.CamundaJerseyResourceConfig] in context
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)

We followed the link below, but still have the same issue: Camunda - Getting certificate error while calling an https REST service through connector - #3 by dg_camunda_learner

Can you please help us access an HTTPS endpoint which has SSL certificates?

Regards,
Rajesh

Hi Rajesh,

This looks like your JVM was not able to verify the SSL certificate supplied by the called host. This can often happen behind corporate firewalls, as the firewall may do an SSL man-in-the-middle attack so it can inspect content. This is transparent to browsing, as the firewall dynamically generates a ‘proxy’ self-signed certificate to send to the browser. The browser trusts the self-signed cert because the org can install their own root cert in the browser trust store…

To see if that's the case, you could start the JVM with java -Djavax.net.debug=all

If that is the problem, you either have to bypass the proxy, or install the proxy’s certificates into your local JVM keystore.

Note: It could also be that the JVM cannot find the proxy out. Consider these JVM settings as well:
-Dhttps.proxyHost=your.https.proxy
-Dhttps.proxyPort=443

regards

Rob

1 Like

Hi Rob,

Thanks for replying. The above solution didn’t work. We tried adding the proxy port and host as part of the JVM config, but nothing helps.

We also tried to do the same with the Dockerfile for Camunda (source code taken from GitHub - camunda/docker-camunda-bpm-platform: Docker images for the camunda BPM platform) and added the lines below.

USER root
COPY ./5f65b3413cc3ee9dfe7689f71688265b7a8c36b15d3db8814a779153ff03ae2a.crt /
RUN keytool -import -alias alias -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -file /5f65b3413cc3ee9dfe7689f71688265b7a8c36b15d3db8814a779153ff03ae2a.crt --storepass changeit --noprompt
RUN update-ca-certificates

Can you please provide the Dockerfile and steps to make HTTPS with certificates work?

Thanks,
Rajesh

Dockerfile.txt (1.7 KB)

Hi Rajesh:

As Rob mentioned, this is a JVM cert issue, not a Camunda issue.

Googling for this error will yield many results. This article comes up a lot, and has a nice solution: http://nodsw.com/blog/leeland/2006/12/06-no-more-unable-find-valid-certification-path-requested-target. The source file noted was originally from an Oracle blog post.

Hope this helps.

Chris

2 Likes
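
A way to check whether the certificate imported with keytool actually landed in the trust store that the running JVM consults, which is what the advice in this thread depends on. This is an added example, not code from any of the posters or from Camunda; the class name `TrustCheck` and the certificate path argument are assumptions. Run it with the same java binary and the same `-D` options as the application.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name). Usage: java TrustCheck /path/to/imported.crt
public class TrustCheck {

    // Mirrors JSSE's default lookup: -Djavax.net.ssl.trustStore, then jssecacerts, then cacerts.
    static String effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return prop + " (from -Djavax.net.ssl.trustStore)";
        String dir = System.getProperty("java.home") + File.separator + "lib" + File.separator + "security";
        File jsse = new File(dir, "jssecacerts");
        return (jsse.exists() ? jsse : new File(dir, "cacerts")).getPath();
    }

    // True if the JVM's default trust manager lists this exact certificate as trusted.
    static boolean isTrustAnchor(X509Certificate cert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (anchor.equals(cert)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home         : " + System.getProperty("java.home"));
        System.out.println("trust store in use: " + effectiveTrustStore());
        if (args.length == 0) { System.out.println("pass a certificate file to check it"); return; }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("certificate       : " + cert.getSubjectX500Principal());
        System.out.println("issuer            : " + cert.getIssuerX500Principal());
        System.out.println("trusted as anchor : " + isTrustAnchor(cert));
    }
}
```

If "trust store in use" is not the file named in the `keytool -keystore` argument, or "trusted as anchor" is false, the import went to a store this JVM never reads. If the issuer differs from the subject, the file is not a root, and the chain presented by the server may need a different certificate imported.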