This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problem with setting up HTTPS for the User App."

Hi

Trying to setup User App. to use HTTPS. Get this error in the cataline.out log

IDM 4.7.2 AE on Windows Server 2016
The User App is acceptiong the https url and give me the option to sign in, but the sign-in process failed

2019-04-03 12:12:18,290 [ERROR] OAuthServlet [RBPM] An error occurred while attempting to contact the authentication service.
com.novell.common.auth.ValidationException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status
at com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:187)


Tomcat Cataline.out...

certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: b05b8b3213bc8067b6b8dd7306bcca1
Issuer: CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=\2A.intern.vejenkommune.dk, OU=IT, O=Vejen Kommune, L=Vejen, C=DK)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 546fe1823f7e1941da39fce14c46173
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: b05b8b3213bc8067b6b8dd7306bcca1
Issuer: CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=\2A.intern.vejenkommune.dk, OU=IT, O=Vejen Kommune, L=Vejen, C=DK)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again searching all certstores
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: b05b8b3213bc8067b6b8dd7306bcca1
Issuer: CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=\2A.intern.vejenkommune.dk, OU=IT, O=Vejen Kommune, L=Vejen, C=DK)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 546fe1823f7e1941da39fce14c46173
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: b05b8b3213bc8067b6b8dd7306bcca1
Issuer: CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=\2A.intern.vejenkommune.dk, OU=IT, O=Vejen Kommune, L=Vejen, C=DK)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: AdaptableX509CertSelector.match: subject key IDs don't match. Expected: [4, 20, -112, 88, -1, -80, -100, 117, -88, 81, 84, 119, -79, -19, -14, -93, 67, 22, 56, -98, 108, -59] Cert's: [4, 20, -39, 119, 2, 33, 123, -94, 52, -40, -35, 22, -9, -36, -84, 103, -29, 6, -50, -119, -103, -48]
certpath: NO - don't try this trustedCert
certpath: AdaptableX509CertSelector.match: subject key IDs don't match. Expected: [4, 20, -112, 88, -1, -80, -100, 117, -88, 81, 84, 119, -79, -19, -14, -93, 67, 22, 56, -98, 108, -59] Cert's: [4, 20, -46, 111, -9, -106, -12, -123, 63, 114, 60, 48, 125, 35, -38, -123, 120, -101, -93, 124, 90, 124]
certpath: NO - don't try this trustedCert
2019-04-03 12:12:18,290 [ERROR] OAuthServlet [RBPM] An error occurred while attempting to contact the authentication service.
com.novell.common.auth.ValidationException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status
at com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:187)



Best regards
Michael
Parents
  • 0  
    On 2019-04-03 12:34, mJg2XW wrote:>
    > Hi
    >
    > Trying to setup User App. to use HTTPS. Get this error in the
    > cataline.out log
    >
    > IDM 4.7.2 AE on Windows Server 2016
    > The User App is acceptiong the https url and give me the option to sign
    > in, but the sign-in process failed
    >
    > 2019-04-03 12:12:18,290 [ERROR] OAuthServlet [RBPM] An error occurred
    > while attempting to contact the authentication service.
    > com.novell.common.auth.ValidationException:
    > javax.net.ssl.SSLHandshakeException:
    > sun.security.validator.ValidatorException: PKIX path validation failed:
    > java.security.cert.CertPathValidatorException: Could not determine
    > revocation status
    > at
    >

    com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:187)


    Does the HTTPS connector in Tomcat send the server certificate as well
    as the intermediate certificate (GeoTrust RSA CA 2018)?

    Do you trust the DigiCert Global Root CA in your truststores?
    Specifically in {com.netiq.idm.osp.ssl-keystore.file}


    --
    Norbert
Reply
  • 0  
    On 2019-04-03 12:34, mJg2XW wrote:>
    > Hi
    >
    > Trying to setup User App. to use HTTPS. Get this error in the
    > cataline.out log
    >
    > IDM 4.7.2 AE on Windows Server 2016
    > The User App is acceptiong the https url and give me the option to sign
    > in, but the sign-in process failed
    >
    > 2019-04-03 12:12:18,290 [ERROR] OAuthServlet [RBPM] An error occurred
    > while attempting to contact the authentication service.
    > com.novell.common.auth.ValidationException:
    > javax.net.ssl.SSLHandshakeException:
    > sun.security.validator.ValidatorException: PKIX path validation failed:
    > java.security.cert.CertPathValidatorException: Could not determine
    > revocation status
    > at
    >

    com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:187)


    Does the HTTPS connector in Tomcat send the server certificate as well
    as the intermediate certificate (GeoTrust RSA CA 2018)?

    Do you trust the DigiCert Global Root CA in your truststores?
    Specifically in {com.netiq.idm.osp.ssl-keystore.file}


    --
    Norbert
Children
  • 0 in reply to   
    Hi

    Does the HTTPS connector in Tomcat send the server certificate as well
    as the intermediate certificate (GeoTrust RSA CA 2018)? -> What do you mean by this?

    Do you trust the DigiCert Global Root CA in your truststores? -> YES
    Specifically in {com.netiq.idm.osp.ssl-keystore.file}