to find valid certification path to requested target
Michael Ströder
michael at stroeder.com
Thu Mar 6 08:17:07 EST 2008
Hi!
I think I have configured Tomcat correctly with a server
certificate and the accompanying CA cert in a single PKCS#12 file.
CAS ticketing fully works with PHP example apps even when
accessing them over different server names (which did not work
without HTTPS as designed).
Also a test with openssl s_client shows that everything seems
perfect with cert validation and Tomcat is sending the full cert
chain including the CA cert.
But I still get this message when accessing the services manager
through https://cas-server.stroeder.local:8443/mycas/services/
-------------------------- snip --------------------------
Authorization Failure
You are not authorized to use this application for the following
reason: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target.
-------------------------- snip --------------------------
I tried to dig through the mailing list archives but I did not find
anything helpful on how to track this down further. Can anybody
give me a hint? Maybe something's wrong with the cert extensions
for Java? Mozilla and OpenSSL accept these.
Ciao, Michael.
------------------- server.xml (lines wrapped) -------------------
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Used by Manager webapp -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="100" minSpareThreads="3"
               maxSpareThreads="10"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="PKCS12"
               keystoreFile="/etc/tomcat5.5/cas-server.stroeder.local.p12"
               keystorePass="1234"
               truststoreType="PKCS12"
               truststoreFile="/etc/tomcat5.5/cas-server.stroeder.local.p12"
               truststorePass="1234" />
    <Engine name="Catalina" defaultHost="cas-server.stroeder.local">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" />
      <Host name="cas-server.stroeder.local" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
------------------- text output of server cert -------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, L=Leverkusen, O=stroeder.com, OU=ITS,
CN=Server CA No. 1
Validity
Not Before: Mar 6 11:56:36 2008 GMT
Not After : Mar 6 11:56:36 2009 GMT
Subject: C=DE, L=Karlsruhe, O=stroeder.com, OU=ITS,
CN=cas-server.stroeder.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ba:7f:ba:f5:fe:fd:92:21:7e:20:10:73:88:e5:
[..binary garbage snipped..]
1c:85:ed:9c:a3:63:36:b1:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication
X509v3 CRL Distribution Points:
URI:http://localhost/pyca/get-cert.py/Root/crl.crl
Netscape Comment:
This certificate is solely used for SSL-enabled
servers.
Netscape Cert Type:
SSL Server
Signature Algorithm: sha1WithRSAEncryption
0e:53:61:7b:90:0c:80:f4:b5:9d:12:6b:94:6b:f6:74:93:84:
[..even more binary garbage snipped..]
d0:4f:e5:51
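An added diagnostic for the error quoted above (editor's example; it is not part of Michael's post, of Tomcat, or of the CAS project). It reproduces what a Java TLS client does when it connects to the server: build a trust manager from a given PKCS#12 file (or from the JVM default truststore), complete a handshake, and report either success or the wrapped PKIX error. Two facts it makes visible: the `truststore*` attributes on a Tomcat `Connector` only govern verification of client certificates on incoming connections, so a Java webapp making its own outgoing HTTPS call (as a Java CAS client does when it validates a ticket against the CAS server) uses the JVM default truststore instead; and a PKCS#12 file holding only a private-key entry with its chain contributes no CA trust anchor, because only trusted-certificate entries count. The file path, password, and host:port on the command line are taken from the post as illustrative values, not verified ones; the class name `TrustStoreCheck` is an assumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Does the given truststore let a Java TLS client validate the server's chain?
 *
 * Usage (values are illustrative assumptions):
 *   java TrustStoreCheck /etc/tomcat5.5/cas-server.stroeder.local.p12 1234 cas-server.stroeder.local 8443
 *   java TrustStoreCheck default - cas-server.stroeder.local 8443     (JVM default truststore)
 */
public class TrustStoreCheck {

    /** Prints which entries of the keystore are real trust anchors. */
    static void listEntries(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                // Only trusted-certificate entries are used as PKIX trust anchors.
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trust anchor: " + alias + " -> " + c.getSubjectX500Principal());
            } else if (ks.isKeyEntry(alias)) {
                // A private-key entry does not make the CA cert in its chain a trust anchor.
                System.out.println("key entry (not a trust anchor): " + alias);
            }
        }
    }

    /** Builds an SSLContext trusting either the JVM default store or the given PKCS#12 file. */
    static SSLContext contextFor(String storePath, String password) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if ("default".equals(storePath)) {
            // null keystore = javax.net.ssl.trustStore, else $JAVA_HOME/lib/security/cacerts
            tmf.init((KeyStore) null);
        } else {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(storePath)) {
                ks.load(in, password.toCharArray());
            }
            listEntries(ks);
            tmf.init(ks);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String store = args[0], password = args[1], host = args[2];
        int port = Integer.parseInt(args[3]);
        SSLSocketFactory factory = contextFor(store, password).getSocketFactory();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            // Forces the handshake now; a chain the trust manager rejects throws here,
            // with the familiar "PKIX path building failed" text in the message.
            sock.startHandshake();
            Certificate[] chain = sock.getSession().getPeerCertificates();
            System.out.println("handshake OK; server sent " + chain.length + " cert(s), leaf = "
                + ((X509Certificate) chain[0]).getSubjectX500Principal());
        } catch (SSLHandshakeException e) {
            System.out.println("validation FAILED using truststore '" + store + "': " + e.getMessage());
        }
    }
}
```

Run it twice: once against the PKCS#12 file from `server.xml` and once with `default`. If the file run prints no `trust anchor:` line, the CA certificate is only present as part of the key entry's chain; if the `default` run fails while `openssl s_client` succeeds, the JVM simply does not know the CA, and importing the CA certificate into the truststore the webapp actually uses (or pointing `javax.net.ssl.trustStore` at one that contains it) is the fix to test.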