
Accept this certificate permanently not working anymore

The Team Concert client keeps asking what we would like to do with our self-signed certificate even if the 'Accept this certificate permanently' option is flagged.

Error log view reports:
java.lang.RuntimeException: CRJAZ0109I Communications error.
at com.ibm.team.repository.transport.client.RemoteTeamService.rte(RemoteTeamService.java:747)
at com.ibm.team.repository.transport.client.RemoteTeamService.getAppropriateException(RemoteTeamService.java:663)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeMethod(RemoteTeamService.java:518)
at com.ibm.team.repository.transport.client.RemoteTeamService.invoke(RemoteTeamService.java:194)
at com.ibm.team.repository.transport.client.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:43)
at com.sun.proxy.$Proxy9.getAllConfigurations(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invokeServiceCall(ServiceInterfaceProxy.java:254)
at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invoke(ServiceInterfaceProxy.java:110)
at com.sun.proxy.$Proxy9.getAllConfigurations(Unknown Source)
at com.ibm.team.workitem.client.internal.ComponentConfigurationClient.fetchConfigurations(ComponentConfigurationClient.java:73)
at com.ibm.team.workitem.client.internal.ComponentConfigurationClient.initialize(ComponentConfigurationClient.java:45)
at com.ibm.team.workitem.rcp.ui.internal.WorkItemRCPUIPlugin$2.runProtected(WorkItemRCPUIPlugin.java:255)
at com.ibm.team.foundation.client.util.FoundationJob.run(FoundationJob.java:68)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error.
at com.ibm.team.repository.transport.client.ClientHttpUtil.executePrimitiveRequest(ClientHttpUtil.java:1345)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:373)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:323)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:221)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:230)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeCancelableHttpMethod(RemoteTeamService.java:565)
at com.ibm.team.repository.transport.client.RemoteTeamService.invokePost(RemoteTeamService.java:552)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeMethod(RemoteTeamService.java:493)
... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:32)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:435)
at com.ibm.jsse2.kb.a(kb.java:258)
at com.ibm.jsse2.kb.a(kb.java:577)
at com.ibm.jsse2.lb.a(lb.java:286)
at com.ibm.jsse2.lb.a(lb.java:574)
at com.ibm.jsse2.kb.s(kb.java:365)
at com.ibm.jsse2.kb.a(kb.java:3)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:595)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:645)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:138)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:268)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createSocket(SecureInterruptableSocketFactory.java:145)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createEncryptedSocket(SecureInterruptableSocketFactory.java:321)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createSocket(SecureInterruptableSocketFactory.java:303)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executePrimitiveRequest(ClientHttpUtil.java:1294)
... 22 more
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.b(h.java:107)
at com.ibm.jsse2.util.h.b(h.java:84)
at com.ibm.jsse2.util.g.a(g.java:21)
at com.ibm.jsse2.pc.a(pc.java:45)
at com.ibm.jsse2.pc.checkServerTrusted(pc.java:95)
at com.ibm.team.repository.transport.client.ValidatingX509TrustManager.checkServerTrusted(ValidatingX509TrustManager.java:147)
at com.ibm.jsse2.lb.a(lb.java:530)
... 38 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258)
at com.ibm.jsse2.util.h.b(h.java:68)
... 44 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357)
... 46 more
Any advice?
Thanks in advance.

0 votes



3 answers

Permanent link
I have seen this in other ssl contexts where the web server has self-signed certificates, but there is no signer certificate "visible" to the ssl client.  

e.g. using openssl s_client -connect hostname.domain:port < /dev/null

returns but a single certificate, not a 'chain' of the certificate plus signer.

Certificate chain
 0 s:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-r/emailAddress=email@email.com
   i:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-ri/emailAddress=email@email.com

versus:

Certificate chain
 0 s:/C=US/ST=Durham, NC/L=Durham, NC//CN=rtcserver1/mail=email@email.com
  i:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
 1 s:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
   i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
 2 s:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
   i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA

from our internally provided Certificate Authority.


0 votes
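
The by-eye comparison in the answer above can be scripted. This is an added example, not part of the original post and not IBM tooling: it reads the "Certificate chain" section of `openssl s_client` output and reports whether every issuer is actually presented. The function names are hypothetical, and the two embedded samples are constructed by copying the listings above.

```shell
#!/bin/sh
# Classify the "Certificate chain" section of `openssl s_client` text on stdin.
# Live use (command from the post):
#   openssl s_client -connect hostname.domain:port </dev/null 2>/dev/null | chain_status
# Exit status: 0 = chain ends at a self-signed cert, 1 = an issuer is absent, 2 = no chain.
chain_status() {
  awk '
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^ *[0-9]+ s:/  { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ *i:/         { sub(/^ *i:/, ""); iss[n-1] = $0; next }
    in_chain && /^---/          { in_chain = 0 }
    END {
      if (n == 0) { print "no-chain-found"; exit 2 }
      # Each issuer must be the subject of the next certificate sent.
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k+1]) { print "broken-link after depth " k ": " iss[k]; exit 1 }
      # The last certificate must be self-signed (subject equals issuer).
      if (iss[n-1] == subj[n-1]) { print "complete: ends at self-signed " subj[n-1] }
      else { print "missing-issuer: " iss[n-1]; exit 1 }
    }'
}

# Constructed sample: the single-certificate listing from the answer.
sample_single() { cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-r/emailAddress=email@email.com
   i:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-ri/emailAddress=email@email.com
---
EOF
}

# Constructed sample: the three-certificate listing from the answer.
sample_full() { cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=Durham, NC/L=Durham, NC//CN=rtcserver1/mail=email@email.com
   i:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
 1 s:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
   i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
 2 s:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
   i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
---
EOF
}

sample_single | chain_status || true
sample_full | chain_status
```

A "complete" verdict only means the server sent every certificate up to a self-signed one; the client still has to hold that root (or the leaf itself) in its trust store for validation to succeed.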


Permanent link
I have seen this in other ssl contexts where the web server has self-signed certificates, but there is no signer certificate "visible" to the ssl client.
It should not be the case since the certificate chain appears correct.
According to comments from source code at:
com.ibm.team.repository.transport.client.RemoteTeamService.getAppropriateException(RemoteTeamService.java:663)
we see it should be a special case which indicates transport errors:
658:        if (0 == declaredExceptionTypes.length) { 
659: // Special case TeamServiceExceptions which indicate transport errors
660: String rteMessage = (exception instanceof TeamServiceException) ? 
661:         Messages.getServerString("RemoteTeamService.CommError") : //$NON-NLS-1$
We executed the command as you suggested:
openssl s_client -connect hostname.domain:port < /dev/null 
and it returned:

0 votes

Comments

You'd need to specify the hostname:port with actual values. I.e., your RTC's host name and port must be the value of the argument -connect.

Sure, we did that! ;)

Cheers.


Permanent link

We resolved it by removing old local certificates, as reported in https://jazz.net/forum/questions/108227/where-does-the-permanently-accepted-certificates-get-saved-in-the-rtc-eclipse-clients/108228.

Cheers.

0 votes

Question details

Question asked: Oct 05 '18, 4:35 a.m.

Question was seen: 3,324 times

Last updated: Oct 09 '18, 5:31 a.m.
