Accept this certificate permanently not working anymore
Team Concert client keeps asking what we would like to do with our self-signed certificate even if the 'Accept this certificate permanently' option is flagged.
Error log view reports:
java.lang.RuntimeException: CRJAZ0109I Communications error.
at com.ibm.team.repository.transport.client.RemoteTeamService.rte(RemoteTeamService.java:747)
at com.ibm.team.repository.transport.client.RemoteTeamService.getAppropriateException(RemoteTeamService.java:663)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeMethod(RemoteTeamService.java:518)
at com.ibm.team.repository.transport.client.RemoteTeamService.invoke(RemoteTeamService.java:194)
at com.ibm.team.repository.transport.client.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:43)
at com.sun.proxy.$Proxy9.getAllConfigurations(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invokeServiceCall(ServiceInterfaceProxy.java:254)
at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invoke(ServiceInterfaceProxy.java:110)
at com.sun.proxy.$Proxy9.getAllConfigurations(Unknown Source)
at com.ibm.team.workitem.client.internal.ComponentConfigurationClient.fetchConfigurations(ComponentConfigurationClient.java:73)
at com.ibm.team.workitem.client.internal.ComponentConfigurationClient.initialize(ComponentConfigurationClient.java:45)
at com.ibm.team.workitem.rcp.ui.internal.WorkItemRCPUIPlugin$2.runProtected(WorkItemRCPUIPlugin.java:255)
at com.ibm.team.foundation.client.util.FoundationJob.run(FoundationJob.java:68)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error.
at com.ibm.team.repository.transport.client.ClientHttpUtil.executePrimitiveRequest(ClientHttpUtil.java:1345)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:373)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:323)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:221)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:230)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeCancelableHttpMethod(RemoteTeamService.java:565)
at com.ibm.team.repository.transport.client.RemoteTeamService.invokePost(RemoteTeamService.java:552)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeMethod(RemoteTeamService.java:493)
... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:32)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:435)
at com.ibm.jsse2.kb.a(kb.java:258)
at com.ibm.jsse2.kb.a(kb.java:577)
at com.ibm.jsse2.lb.a(lb.java:286)
at com.ibm.jsse2.lb.a(lb.java:574)
at com.ibm.jsse2.kb.s(kb.java:365)
at com.ibm.jsse2.kb.a(kb.java:3)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:595)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:645)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:138)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:268)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createSocket(SecureInterruptableSocketFactory.java:145)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createEncryptedSocket(SecureInterruptableSocketFactory.java:321)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createSocket(SecureInterruptableSocketFactory.java:303)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executePrimitiveRequest(ClientHttpUtil.java:1294)
... 22 more
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.b(h.java:107)
at com.ibm.jsse2.util.h.b(h.java:84)
at com.ibm.jsse2.util.g.a(g.java:21)
at com.ibm.jsse2.pc.a(pc.java:45)
at com.ibm.jsse2.pc.checkServerTrusted(pc.java:95)
at com.ibm.team.repository.transport.client.ValidatingX509TrustManager.checkServerTrusted(ValidatingX509TrustManager.java:147)
at com.ibm.jsse2.lb.a(lb.java:530)
... 38 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258)
at com.ibm.jsse2.util.h.b(h.java:68)
... 44 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357)
... 46 more
Any advice?
Thanks in advance.
3 answers
I have seen this in other ssl contexts where the web server has self-signed certificates, but there is no signer certificate "visible" to the ssl client.
e.g. using openssl s_client -connect hostname.domain:port < /dev/null
returns but a single certificate, not a 'chain' of the certificate plus signer.
Certificate chain
0 s:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-r/emailAddress=email@email.com
i:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-ri/emailAddress=email@email.com
versus:
Certificate chain
0 s:/C=US/ST=Durham, NC/L=Durham, NC//CN=rtcserver1/mail=email@email.com
i:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
1 s:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
2 s:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
from our internally provided Certificate Authority.
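An added example, not part of the original posts: a shell function that reads `openssl s_client` output and reports whether the server sent only a certificate whose issuer is absent, or a chain that links up to a self-signed root. The name `chain_status` and its result strings are assumptions of this example; the two sample inputs are the chains quoted in the answer above, with the closing `---` line added as s_client prints it.

```shell
#!/bin/sh
# Name-level check of the "Certificate chain" section printed by s_client.
# It compares subject/issuer strings only; it does not verify signatures.
# Real use: openssl s_client -connect hostname.domain:port </dev/null | chain_status

chain_status() {
    awk '
        BEGIN { n = 0 }
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0; next }
        in_chain && /^[ \t]*[0-9]+ s:/ { sub(/^[ \t]*[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^[ \t]*i:/        { sub(/^[ \t]*i:/, "");        iss[n++] = $0; next }
        END {
            if (n == 0) { print "no-chain"; exit }
            # Every certificate must be issued by the next one in the list.
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "broken-link-at-" k; exit }
            # Top issuer absent: the client must already hold it in its trust store.
            if (iss[n - 1] != subj[n - 1]) print "top-issuer-not-sent"
            else if (n == 1)               print "self-signed-only"
            else                           print "complete-to-root"
        }'
}

# Sample 1: the single-certificate output quoted in the answer.
sample_single() {
    cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-r/emailAddress=email@email.com
   i:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-ri/emailAddress=email@email.com
---
EOF
}

# Sample 2: the three-certificate chain quoted in the answer.
sample_full() {
    cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=Durham, NC/L=Durham, NC//CN=rtcserver1/mail=email@email.com
   i:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
 1 s:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
   i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
 2 s:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
   i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
---
EOF
}

printf 'single: %s\nfull:   %s\n' "$(sample_single | chain_status)" "$(sample_full | chain_status)"
```

A `top-issuer-not-sent` result is normal when the server omits a root that the client already trusts; it points to a problem only when the client's trust store lacks that issuer.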
I have seen this in other ssl contexts where the web server has self-signed certificates, but there is no signer certificate "visible" to the ssl client.
It should not be the case since the certificate chain appears correct.
According to comments from source code at:
com.ibm.team.repository.transport.client.RemoteTeamService.getAppropriateException(RemoteTeamService.java:663)
we see it should be a special case which indicates transport errors:
658: if (0 == declaredExceptionTypes.length) {
659: // Special case TeamServiceExceptions which indicate transport errors
660: String rteMessage = (exception instanceof TeamServiceException) ?
661: Messages.getServerString("RemoteTeamService.CommError") : //$NON-NLS-1$
We executed the command as you suggested:
openssl s_client -connect hostname.domain:port < /dev/null
and it returned:
Comments
You'd need to specify the hostname:port with actual values, i.e. your RTC's host name and port must be the value of the -connect argument.
Sure, we did that! ;)
Cheers.
We resolved this by removing old local certificates, as reported in https://jazz.net/forum/questions/108227/where-does-the-permanently-accepted-certificates-get-saved-in-the-rtc-eclipse-clients/108228.
Cheers.