
I am using a Spring template to connect to an LDAP server over SSL. I used the following command to save the SSL certificate from the server:

echo -n | openssl s_client -connect <ldapserverip>:<port> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

Then I went to the /jre/lib/security directory and executed the following command to add the certificate to cacerts.

keytool -import -keystore cacerts -file ldapserver.pem

Then I verified the count of entries in cacerts using the command:

keytool -list -keystore cacerts

I am running the application in Tomcat, and Tomcat is pointed to the same JDK_HOME.

I am getting the following exception in Tomcat while logging in using authenticate() in ldapTemplate using Spring.

Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

It was working fine with plain text (without https). I tried setting VM arguments as well, but none of them worked.

-Djavax.net.ssl.trustStore="<path to cacerts file>"
-Djavax.net.ssl.trustStorePassword="<passphrase>"

How can I solve this issue?

Thanks

user1188867
  • If you use the `-showcerts` option with openssl you can see all the certificates in the chain up to the issuing CA. All intermediate certificates need to be imported as well. – mvreijn Sep 21 '16 at 08:37
  • Thanks mvreijn, how do I get all the certificates in the chain up to the issuing CA? I tried the -showcerts option but it says invalid option for openssl. – user1188867 Sep 22 '16 at 04:23
  • -showcerts is working fine, but it's not showing all the certificates, and in the last line I am getting "Verify return code: 21 (unable to verify the first certificate)". Is there any command to get the entire certificate chain so that I can directly import them into my cacerts? – user1188867 Sep 22 '16 at 04:38
  • Sorry, I was away for a few days - good to see that you have solved the issue. – mvreijn Sep 26 '16 at 09:06
  • That's ok, thanks for your help – user1188867 Sep 27 '16 at 06:25

1 Answer

It looks like the chain of trust is broken. There are two possible reasons.

  1. The certificate from the server is not a single certificate but a chain up to the root CA, and you have imported only one. You need to verify and import the complete chain.

    a. To check the certificate chain, dump it using openssl

    >openssl s_client -showcerts -connect host:port
    

    b. To import the chain you need to either convert the PEM to PKCS#7 or split it.

    i. Convert PEM to PKCS#7

    ii. Split

  2. While importing the certificate, use the "-trustcacerts" option so that certificates already in the keystore are considered for the chain of trust.

    >keytool -import -trustcacerts -file /path/ldapserver.pem -alias somealias -keystore /security/cacerts
    
Roshith
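The "split" route from the answer above, as an added example that is not part of the question or the answer: a small POSIX shell script that cuts a bundle captured with `openssl s_client -showcerts` into one file per certificate and imports each one with `keytool -import -trustcacerts`. The file names, the alias prefix, the keystore path and the sample bundle are placeholders or constructed data; the script can only import what the server actually sent, so a chain that is missing its intermediate (the "Verify return code: 21" case) still has to be completed from the CA's own download.

```shell
#!/bin/sh
# Added example (not from the question or answer). Placeholders: chain.pem,
# the alias prefix and the keystore path.

# Split a PEM bundle ($1) into cert-1.pem, cert-2.pem, ... under directory $2
# and print how many certificates were found. Text between the PEM blocks
# (the "s:/i:" subject/issuer lines openssl prints) is dropped.
split_pem_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0 && out != ""           { print > out }
        /-----END CERTIFICATE-----/  { close(out); out = "" }
        END                          { print n + 0 }
    ' "$bundle"
}

# Import every split certificate into a keystore. -trustcacerts lets keytool
# check the chain against roots already present in the keystore; -noprompt
# skips the interactive "Trust this certificate?" question.
import_chain() {
    certdir="$1"; keystore="$2"; storepass="$3"; alias_prefix="$4"
    i=0
    for cert in "$certdir"/cert-*.pem; do
        i=$((i + 1))
        keytool -import -trustcacerts -noprompt \
            -alias "$alias_prefix-$i" -file "$cert" \
            -keystore "$keystore" -storepass "$storepass"
    done
}

# Constructed sample bundle shaped like "openssl s_client -showcerts" output
# (leaf first, then its issuer). The base64 bodies are dummy text, not real
# certificates, so keytool would reject them; they only exercise the split.
make_sample_bundle() {
    cat > "$1" <<'EOF'
 0 s:/CN=ldap.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...leafcertificatebodyCONSTRUCTED...
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIID...intermediatecertificatebodyCONSTRUCTED...
-----END CERTIFICATE-----
---
EOF
}
```

Real use is `openssl s_client -showcerts -connect ldap.example.test:636 </dev/null > chain.pem`, then `split_pem_chain chain.pem certs` and `import_chain certs "$JAVA_HOME/jre/lib/security/cacerts" changeit ldapserver`; run `keytool -list` afterwards to confirm one new entry per certificate.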