I want to get the content of a url with the https protocol. The problem is that when this code is executed from a tomcat server, I get a HandshakeException.

import java.net.URL;
import java.util.Scanner;
URL url = new URL("https://donneespubliques.meteofrance.fr/donnees_libres/Txt/Nivo/nivo.20140309.csv"); // opening an https URL starts the TLS handshake
Scanner s = new Scanner(url.openStream()); // the handshake fails here with the exception shown below

I tried to look into other stackoverflow questions (How can I use different certificates on specific connections? or SSL Socket connection) and it seems I need to define a KeyStore.

I have no idea of how to do this.

The full error in the tomcat server is

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

What is the best way to achieve this?

  • That certificate is not self-signed. It's signed by Entrust. You can import the Entrust CA into your existing java keystore. Google java keytool, or type "keytool -importcert -help" on the command line. – Ted Bigham Mar 15 '14 at 10:16
  • Thx for the answer. I tried to create a keystore `keytool -genkey -alias tomcat -keyalg RSA` but it keeps looping in the console asking for my name, city, country, etc. Is it always that hard to access an HTTPS URL with tomcat? – Paul Fournel Mar 15 '14 at 11:01
  • Java ships with a keystore, you can just use that. You don't need to make a new one. And you shouldn't be generating any keys. You have to download the Entrust certificate and import it. – Ted Bigham Mar 15 '14 at 11:02
  • Okay. I think you can forget about importing the CA cert. I just checked and it's already in the java ca root store. You're probably battling with tomcat overriding the default keystore. – Ted Bigham Mar 15 '14 at 11:15
  • Does your application override its default truststore or trustmanager anywhere? Perhaps in the catalina.sh (or .bat) with `-Djavax.net.trustStore=...` or somewhere in the code? – Bruno Mar 15 '14 at 17:23

1 Answer


The default java truststore ($JAVA_HOME/lib/security/cacerts) contains the CA cert for donneespubliques.meteofrance.fr. Most likely tomcat is using a different one.

You should be able to force it by updating the tomcat startup script to include the CA store location. Something like this:

-Djavax.net.ssl.trustStore="C:\Program Files\Java\jre7\lib\security\cacerts" 
-Djavax.net.ssl.trustStorePassword=changeit 
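An added diagnostic (not code from the question or the answer) that shows which trust store the JVM actually resolves and whether it holds an Entrust anchor, which is what the comments say signs the meteofrance.fr certificate. It assumes the same lookup the JVM performs: the `javax.net.ssl.trustStore` property if set, otherwise `cacerts` under `java.home`, opened with `javax.net.ssl.trustStorePassword` or the default `changeit`; run it with the same `-D` options Tomcat starts with to see what Tomcat sees.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {

    /** Resolve the trust store the way the JVM does: the system property if set, else cacerts. */
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);
        }
        // java.home already points at the JRE directory, so this works for JDK and JRE layouts.
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Load the store and return the trust anchors the default PKIX trust manager would accept. */
    static X509Certificate[] loadTrustAnchors(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveTrustStore();
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // assumption: default cacerts password
        X509Certificate[] anchors = loadTrustAnchors(store, pw.toCharArray());
        int entrust = 0;
        for (X509Certificate c : anchors) {
            if (c.getSubjectX500Principal().getName().contains("Entrust")) {
                entrust++;
            }
        }
        System.out.println("Effective trust store: " + store);
        System.out.println("Trust anchors loaded: " + anchors.length + ", Entrust anchors: " + entrust);
    }
}
```

If the store printed here is not the one Tomcat runs with, or the Entrust count is zero, that is the "Path does not chain with any of the trust anchors" failure, and pointing `-Djavax.net.ssl.trustStore` at the stock cacerts (as in the answer) is the fix rather than disabling validation.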