It's all about the answers!

Ask a question

Certificate chaining error


Erik anderson (38315029) | asked Oct 03 '13, 12:15 p.m.
Our builds publish URLs to directories on a file server (where build output is staged).  In 3.0.1.4 (rich client and server) opening the link would open a browser.  After upgrading to 4.0.3 (rich client and server) trying to open the link results in:

com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: The certificate issued by CN=IBM Internal Root CA, O=International Business Machines Corporation, C=US is not trusted; internal cause is:
    java.security.cert.CertPathValidatorException: Certificate chaining error
com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: The certificate issued by CN=IBM Internal Root CA, O=International Business Machines Corporation, C=US is not trusted; internal cause is:
    java.security.cert.CertPathValidatorException: Certificate chaining error

  javax.net.ssl.SSLHandshakeException

I can successfully open the link directly in a browser. 
I can also paste the link into a work item and click on it (1st time I get a dialog warning about an invalid cert but am allowed to proceed).

I expect the same dialog when opening a link from the download tab of a build result but instead get the error (above).  What can we do to get this working like it did in 3.0.1.4?

One answer



permanent link
Kevin Ramer (4.5k6171190) | answered Oct 03 '13, 4:31 p.m.
If I understand right you're trying to bounce out to another server from RTC UI ?

Sounds like the JRE (for  RTC) certificate file doesn't contain the signing certificate    Did your application server/jre change.   If your application server is Tomcat try running keytool on the cacerts file thus:

keytool -list -keystore jre/lib/security/cacerts -storepass ....   ( I know the default is 'changeit' but it could be different )
 
and look for your IBM issued certificate

If WAS, you could get the certificate into the DefaultTrustStore by importing from a given host or port.  

Your answer


Register or to post your answer.