
Certificate chaining error


Erik anderson (38315029) | asked Oct 03 '13, 12:15 p.m.
Our builds publish URLs to directories on a file server (where build output is staged).  In 3.0.1.4 (rich client and server) opening the link would open a browser.  After upgrading to 4.0.3 (rich client and server) trying to open the link results in:

com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: The certificate issued by CN=IBM Internal Root CA, O=International Business Machines Corporation, C=US is not trusted; internal cause is:
    java.security.cert.CertPathValidatorException: Certificate chaining error

  javax.net.ssl.SSLHandshakeException

I can successfully open the link directly in a browser. 
I can also paste the link into a work item and click on it (1st time I get a dialog warning about an invalid cert but am allowed to proceed).

I expect the same dialog when opening a link from the download tab of a build result but instead get the error (above).  What can we do to get this working like it did in 3.0.1.4?

One answer



Kevin Ramer (4.5k8183200) | answered Oct 03 '13, 4:31 p.m.
If I understand right, you're trying to bounce out to another server from the RTC UI?

Sounds like the JRE (for RTC) certificate file doesn't contain the signing certificate. Did your application server/JRE change? If your application server is Tomcat, try running keytool on the cacerts file thus:

keytool -list -keystore jre/lib/security/cacerts -storepass ....   ( I know the default is 'changeit' but it could be different )
 
and look for your IBM issued certificate

If WAS, you could get the certificate into the DefaultTrustStore by importing from a given host or port.  
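
The check suggested in the answer above, as an added example that is not part of the original post or of RTC: it reads `keytool -list -v` output and reports whether any trusted entry has an Owner DN equal to the issuer named in the exception. The names `find_trusted_ca`, `sample_listing`, `ISSUER` and `STOREPASS` are hypothetical, and the embedded listing is constructed sample data.

```shell
#!/bin/sh
# Added example: search `keytool -list -v` output (read from stdin) for a
# trusted certificate whose Owner DN equals the issuer named in the exception.
# find_trusted_ca is a hypothetical helper, not part of keytool or RTC.
find_trusted_ca() {
    # $1 = full DN to look for, exactly as printed in the error message
    awk -v want="$1" '
        /^Alias name: / { alias  = substr($0, 13) }
        /^Owner: /      { owner  = substr($0, 8) }
        /^Issuer: /     { issuer = substr($0, 9) }
        /^Valid from: / {
            # "Valid from" is the last field needed for one certificate.
            if (owner == want) {
                kind = (owner == issuer) ? "self-signed root" : "intermediate"
                sub(/^.* until: /, "", $0)
                printf "alias=%s type=%s expires=%s\n", alias, kind, $0
                found = 1
            }
        }
        END { exit !found }   # exit 0 only if a matching entry was seen
    '
}

# Constructed sample of `keytool -list -v` output: a truststore that holds
# one unrelated root and lacks the issuer from the error in the question.
sample_listing() {
    cat <<'EOF'
Alias name: exampleroot
Creation date: Jan 1, 2010
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 1
Valid from: Fri Jan 01 00:00:00 UTC 2010 until: Wed Jan 01 00:00:00 UTC 2031
EOF
}

ISSUER='CN=IBM Internal Root CA, O=International Business Machines Corporation, C=US'
sample_listing | find_trusted_ca "$ISSUER" || echo "not in truststore: $ISSUER"

# Against a real truststore (STOREPASS is an assumed variable you set yourself):
#   keytool -list -v -keystore jre/lib/security/cacerts -storepass "$STOREPASS" \
#       | find_trusted_ca "$ISSUER"
```

A "not in truststore" result for the JRE that the 4.0.3 client or server runs on matches the "is not trusted" cause in the stack trace.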
