Can't call the server with 2-way TLS based on trusting CA authority - javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this server certificate chain
After going through the instructions for setting up two-way TLS based on trusting the certificate authority, when I run the tests I get the following exception:
javax.net.ssl.SSLHandshakeException: None of the TrustManagers trust this server certificate chain
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
<...>
at nl.altindag.client.service.ApacheHttpClientService.executeRequest(ApacheHttpClientService.java:32)
at nl.altindag.client.stepdefs.HelloStepDefs.iSayHelloWithClient(HelloStepDefs.java:47)
at ✽.I say hello with "Apache HttpClient"(file:///Users/eugeneh/Development/mutual-tls-ssl/client/src/test/resources/features/Hello.feature:6)
Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this server certificate chain
at nl.altindag.sslcontext.trustmanager.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.java:86)
at io.netty.handler.ssl.util.X509TrustManagerWrapper.checkServerTrusted(X509TrustManagerWrapper.java:63)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
<...>
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:230)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:58)
Any ideas what I’m doing wrong?
Issue Analytics
- Created 4 years ago
- Comments: 6 (6 by maintainers)
Great, I just pulled your latest commit. When I start the App.java and afterwards ClientRunnerIT.java it passes. If I run maven clean install from the root directory it is also passing. I also validated your identities and truststores of both the server and the client. The setup looks good and the keystores are loaded by the ClientConfig class with the SSLFactory. Do you still have uncommitted local changes?
I also made a video of the test of your repo, see here: https://youtu.be/K5GHCfR-wNY
Let me know if it is still occurring with the latest version of your commit without any local changes. If it is still occurring, let's do a remote session.
Hi again @EugeneBy
I got the same SSLHandshakeException exception when using the Oracle JDK and especially the following exception even deeper in the stacktrace:
ValidatorException: TrustAnchor with subject is not a CA certificate. The issue was that the root-ca provided in this project was created without the following property: -ext bc:c. So it was basically not a really valid CA because that property was missing. I pushed the fix, so it should work for you as well right now. Could you let me know if it is working?
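The root cause above (a root CA generated by keytool without "-ext bc:c", so its certificate carries no BasicConstraints cA=true flag and PKIX refuses it as a trust anchor) can be caught by inspecting the truststore before any handshake. The following is an added example, not code from the mutual-tls-ssl project; the truststore path and password are placeholders you pass on the command line:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Flags trust-anchor certificates that lack BasicConstraints cA=true (added example, not project code). */
public class TrustAnchorCheck {
    /** True when BasicConstraints says cA=true and KeyUsage (if present) allows keyCertSign. */
    static boolean isCaCertificate(X509Certificate cert) {
        // getBasicConstraints() is -1 when the extension is absent or cA=false, which is
        // what keytool -genkeypair produces when "-ext bc:c" is omitted.
        boolean caFlag = cert.getBasicConstraints() >= 0;
        boolean[] keyUsage = cert.getKeyUsage();            // bit 5 = keyCertSign
        boolean canSignCerts = keyUsage == null || (keyUsage.length > 5 && keyUsage[5]);
        return caFlag && canSignCerts;
    }

    /** Returns how many trusted-certificate entries in the truststore are NOT CA certificates. */
    static int countNonCaAnchors(String path, char[] password) throws Exception {
        // Default type is PKCS12 since JDK 9; with keystore.type.compatibility (on by default)
        // it also reads legacy JKS files, so either truststore format works here.
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            truststore.load(in, password);
        }
        int bad = 0;
        Enumeration<String> aliases = truststore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!truststore.isCertificateEntry(alias)) continue;   // skip private-key entries
            Certificate c = truststore.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            boolean ok = isCaCertificate((X509Certificate) c);
            System.out.printf("%s (%s): %s%n", alias,
                    ((X509Certificate) c).getSubjectX500Principal(), ok ? "CA" : "NOT A CA");
            if (!ok) bad++;
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical defaults; pass the real truststore path and password as arguments.
        String path = args.length > 0 ? args[0] : "client/src/test/resources/truststore.jks";
        char[] password = (args.length > 1 ? args[1] : "secret").toCharArray();
        System.exit(countNonCaAnchors(path, password) == 0 ? 0 : 1);
    }
}
```

A non-zero exit means at least one trusted entry is not a CA certificate, which is the condition that produces the "TrustAnchor with subject ... is not a CA certificate" ValidatorException on the Oracle JDK; regenerate that root with "-ext bc:c" and re-import it.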