I’m using Tomcat 7.0.50 on CentOS 6.5 on a headless blade server; 8 processor cores, 18 GB RAM.
My Java client is opening an HttpsURLConnection:

    SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(null, null, null);
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    URL url = new URL(urlText);
    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
    urlConnection.setHostnameVerifier(DO_NOT_VERIFY);
    urlConnection.setDoOutput(true);
    try (OutputStreamWriter output = new OutputStreamWriter(urlConnection.getOutputStream(), "UTF-8")) {
        output.write(msg.writeNodes(false));
        output.write("\n");
        output.flush();
    }

On getting the urlConnection.getOutputStream() the following exception is thrown:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If I set the SSLContext to accept all hosts it works. I can see the servlet’s “Hello World” message from a web browser. Chrome says that it has a valid certificate.

I verified that the certificates were valid using SSLShopper:

    www.xxxxxxxxx.net resolves to xxx.xxx.xxx.xxx
    Server Type: Apache/2.2.15 (CentOS)
    The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
    The certificate was issued by GoDaddy.
    The certificate will expire in 364 days.
    The hostname (www.xxxxxxxxxx.net) is correctly listed in the certificate.

    Common name: www.xxxxxxxxx.net
    SANs: www.xxxxxxxxxx.net, xxxxxxxxxx.net
    Valid from April 3, 2014 to April 3, 2015
    Serial Number: 0431cbc326fefc
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: Go Daddy Secure Certificate Authority - G2

    Common name: Go Daddy Secure Certificate Authority - G2
    Organization: GoDaddy.com, Inc.
    Location: Scottsdale, Arizona, US
    Valid from May 3, 2011 to May 3, 2031
    Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: Go Daddy Root Certificate Authority - G2

    Common name: Go Daddy Root Certificate Authority - G2
    Organization: GoDaddy.com, Inc.
    Location: Scottsdale, Arizona, US
    Valid from August 31, 2009 to December 31, 2037
    Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: Go Daddy Root Certificate Authority - G2

I have a similar setup. The keystores are in the same folder, the server.xml are the same except for the hostnames and the keystore password. The server with the problem is not using the default keystorepassword of "changeit".

Any help would be greatly appreciated.

Jeff Crump
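
A client-side check for the error above, added here as an example and not part of the original post: "PKIX path building failed" means the client JVM could not link the server's chain to any trust anchor in its own truststore, which is separate from the store a browser uses. The class name `TrustAnchorCheck` and the substring match on the subject DN are assumptions of this example; the default search string is the root named in the chain quoted in the post.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class, not from the original post): reports
// whether the client JVM's default truststore holds a given root CA.
public class TrustAnchorCheck {

    // Returns the default trust anchors whose subject DN contains `needle`.
    static List<X509Certificate> findAnchors(String needle) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null selects the JVM default truststore: the file named by
        // javax.net.ssl.trustStore if set, otherwise the bundled cacerts.
        tmf.init((KeyStore) null);
        List<X509Certificate> hits = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (ca.getSubjectX500Principal().getName().contains(needle)) hits.add(ca);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Root CA name taken from the chain in the post; override with args[0].
        String needle = args.length > 0 ? args[0] : "Go Daddy Root Certificate Authority - G2";
        // Show which JVM and truststore this client is actually using.
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore"));
        List<X509Certificate> hits = findAnchors(needle);
        if (hits.isEmpty()) {
            System.out.println("No default trust anchor matches \"" + needle + "\"");
        }
        for (X509Certificate ca : hits) {
            System.out.println("anchor: " + ca.getSubjectX500Principal().getName()
                + " serial=" + ca.getSerialNumber().toString(16)
                + " notAfter=" + ca.getNotAfter());
        }
    }
}
```

Run it with the same JVM and system properties as the failing client. If no anchor matches, importing the root into that client's truststore keeps certificate validation in place, unlike an accept-all SSLContext or a DO_NOT_VERIFY hostname verifier.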