
I have 2 fresh machines with the same version of JDK7 installed.

And on one of the machines I can successfully connect to the remote host from my Java application via HTTPS without any issues and without importing any certificates to the default 'cacerts' keystore.

However on the other machine I'm getting the subj error.

JDKs on both machines are absolutely the same. The only difference between machines is that one of them is located in Europe, and one in the USA (this is the one where I'm getting the error).

Does anybody have a clue to what could cause this error in my case?

UPDATE

The certificate of the host I'm trying to connect to is issued by QuoVadis CA, which by default has the appropriate record in cacerts in the Java distribution.

UPDATE2

Looks like the problematic machine for some reason doesn't receive the whole certificate chain from the machine to which it tries to connect (I can see only the last certificate from the chain and right after that follows a message certificate_unknown). So it doesn't get the root certificate.

Besides that, the only difference I can see in the log is that the working machine uses the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite and the non-working machine uses the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher suite. Could this be the reason for my problem? (I also cannot understand why they use different cipher suites while the JDKs are the same and they are connecting to the same machine.)

base2
  • You can investigate your issue using the `-Djavax.net.debug=ssl` setting – Dici May 07 '16 at 19:32
  • Thanks, I've already done that. Error is "certificate_unknown". I'm just wondering why this happens only on one out of two absolutely similar machines, with the same JDKs and same default "cacerts" keystore – base2 May 08 '16 at 12:10
  • With this flag activated you should have plenty of logs to help you diagnose the problem, not just the top-level error message. Compare the logs for the machine that works and the machine that does not – Dici May 08 '16 at 14:25
  • @Dici Looks like the problematic machine doesn't receive the whole certificate chain from the machine to which it tries to connect (I can see only the last certificate from the chain and right after that follows a message certificate_unknown). So it doesn't get the root certificate. – base2 May 10 '16 at 16:29
  • Besides that, the only difference I can see in the log is that the working machine uses the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite and the non-working machine uses the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher suite. Could this be the reason for my problem? (I also cannot understand why they use different cipher suites while the JDKs are the same and they are connecting to the same machine.) – base2 May 10 '16 at 16:33
  • I can only tell you how I debugged an issue of this kind that I had. Like you, I looked at which trusted certificate was found on the succeeding machine and then grepped the log of the other machine to find this certificate, and see when it was added in the trustStore. The bug I had probably won't help you since I was using additional certificates and adding them by code, which is not your case. Have you tried comparing the logs with a diff tool (it's gonna be a bit slow because the logs are massive but I did it)? Look carefully at which remote hosts are contacted, they might be different – Dici May 10 '16 at 18:14
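An added diagnostic (not code from the question or its comments) that records the chain the server actually sends, validates it against the JDK's default cacerts trust store, and reports whether the last certificate received is issued by a known trust anchor; the host name is a placeholder argument, and the port is assumed to be 443.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Records the server's certificate chain and checks it against cacerts. */
public class ChainProbe {
    public static void main(String[] args) throws Exception {
        // Placeholder host; pass the server you are diagnosing as the first argument.
        String host = args.length > 0 ? args[0] : "example.com";
        int port = 443; // assumed HTTPS port

        // Default X509TrustManager: a null KeyStore means the JDK's cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager dflt = (X509TrustManager) tmf.getTrustManagers()[0];

        // Wrapper that keeps a copy of the chain before delegating real validation.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                dflt.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                seen[0] = c;                   // what the server actually sent
                dflt.checkServerTrusted(c, a); // PKIX validation against cacerts
            }
            public X509Certificate[] getAcceptedIssuers() { return dflt.getAcceptedIssuers(); }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("Handshake OK, suite " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }

        X509Certificate[] chain = seen[0];
        if (chain == null) { System.out.println("No server certificate received"); return; }
        for (int i = 0; i < chain.length; i++) {
            System.out.println("[" + i + "] subject=" + chain[i].getSubjectX500Principal()
                    + " issuer=" + chain[i].getIssuerX500Principal());
        }
        // Java does not fetch missing intermediates, so the last certificate sent
        // must be issued directly by an anchor in cacerts for validation to succeed.
        boolean anchored = false;
        for (X509Certificate ta : dflt.getAcceptedIssuers()) {
            if (ta.getSubjectX500Principal().equals(chain[chain.length - 1].getIssuerX500Principal())) anchored = true;
        }
        System.out.println(anchored ? "Last cert chains to a cacerts anchor"
                                    : "Chain is incomplete: server omitted an intermediate");
    }
}
```

Run it on both machines and compare the printed chains; a server (or an intermediary in front of it) that sends only the leaf certificate produces the "incomplete" verdict regardless of which cacerts is installed.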

1 Answer

Try to compare the keystore certificates once. I had a similar issue where one machine had other applications which added the same certificates and it was working fine, but a stand-alone machine was not.

sriram manoj
  • Thank you. I compared keystores and they are equal. I even tried to copy the keystore from the machine where it works fine to the problematic machine, but the issue persists. – base2 May 08 '16 at 12:14