It's all about the answers!

Ask a question

Accept this certificate permanently not working anymore


SEC Servizi (97122652) | asked Oct 05 '18, 4:35 a.m.

Team Concert client keep asking what we would like to do with our self-signed certificate even if 'Accept this certificate permanently' option is flagged.

Error log view reports:
java.lang.RuntimeException: CRJAZ0109I Communications error.
at com.ibm.team.repository.transport.client.RemoteTeamService.rte(RemoteTeamService.java:747)
at com.ibm.team.repository.transport.client.RemoteTeamService.getAppropriateException(RemoteTeamService.java:663)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeMethod(RemoteTeamService.java:518)
at com.ibm.team.repository.transport.client.RemoteTeamService.invoke(RemoteTeamService.java:194)
at com.ibm.team.repository.transport.client.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:43)
at com.sun.proxy.$Proxy9.getAllConfigurations(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invokeServiceCall(ServiceInterfaceProxy.java:254)
at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invoke(ServiceInterfaceProxy.java:110)
at com.sun.proxy.$Proxy9.getAllConfigurations(Unknown Source)
at com.ibm.team.workitem.client.internal.ComponentConfigurationClient.fetchConfigurations(ComponentConfigurationClient.java:73)
at com.ibm.team.workitem.client.internal.ComponentConfigurationClient.initialize(ComponentConfigurationClient.java:45)
at com.ibm.team.workitem.rcp.ui.internal.WorkItemRCPUIPlugin$2.runProtected(WorkItemRCPUIPlugin.java:255)
at com.ibm.team.foundation.client.util.FoundationJob.run(FoundationJob.java:68)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error.
at com.ibm.team.repository.transport.client.ClientHttpUtil.executePrimitiveRequest(ClientHttpUtil.java:1345)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:373)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:323)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:221)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executeHttpMethod(ClientHttpUtil.java:230)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeCancelableHttpMethod(RemoteTeamService.java:565)
at com.ibm.team.repository.transport.client.RemoteTeamService.invokePost(RemoteTeamService.java:552)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeMethod(RemoteTeamService.java:493)
... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:32)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:435)
at com.ibm.jsse2.kb.a(kb.java:258)
at com.ibm.jsse2.kb.a(kb.java:577)
at com.ibm.jsse2.lb.a(lb.java:286)
at com.ibm.jsse2.lb.a(lb.java:574)
at com.ibm.jsse2.kb.s(kb.java:365)
at com.ibm.jsse2.kb.a(kb.java:3)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:595)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:645)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:138)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:268)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createSocket(SecureInterruptableSocketFactory.java:145)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createEncryptedSocket(SecureInterruptableSocketFactory.java:321)
at com.ibm.team.repository.transport.client.SecureInterruptableSocketFactory.createSocket(SecureInterruptableSocketFactory.java:303)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at com.ibm.team.repository.transport.client.ClientHttpUtil.executePrimitiveRequest(ClientHttpUtil.java:1294)
... 22 more
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.b(h.java:107)
at com.ibm.jsse2.util.h.b(h.java:84)
at com.ibm.jsse2.util.g.a(g.java:21)
at com.ibm.jsse2.pc.a(pc.java:45)
at com.ibm.jsse2.pc.checkServerTrusted(pc.java:95)
at com.ibm.team.repository.transport.client.ValidatingX509TrustManager.checkServerTrusted(ValidatingX509TrustManager.java:147)
at com.ibm.jsse2.lb.a(lb.java:530)
... 38 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258)
at com.ibm.jsse2.util.h.b(h.java:68)
... 44 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357)
... 46 more
Any advice?
Thanks in advance.

3 answers



permanent link
Kevin Ramer (4.5k6171190) | answered Oct 05 '18, 12:29 p.m.
I have seen this in other ssl contexts where the web server has self-signed certificates, but there is no signer certificate "visible" to the ssl client.  

e.g. using openssl s_client -connect hostname.domain:port < /dev/null

returns but a single certificate, not a 'chain' of the certificate plus signer.

Certificate chain
 0 s:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-r/emailAddress=email@email.com
   i:/C=US/ST=NC/L=Raleigh/OU=HDC/CN=ciscat-ri/emailAddress=email@email.com

versus:

Certificate chain
 0 s:/C=US/ST=Durham, NC/L=Durham, NC//CN=rtcserver1/mail=email@email.com
  i:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
 1 s:/C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
   i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
 2 s:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
   i:/C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA

from our internally provided Certificate Authority.



permanent link
SEC Servizi (97122652) | answered Oct 08 '18, 4:30 a.m.
edited Oct 08 '18, 4:34 a.m.
I have seen this in other ssl contexts where the web server has self-signed certificates, but there is no signer certificate "visible" to the ssl client.
It should not be the case since the certificate chain appears correct.
According to comments from source code at:
com.ibm.team.repository.transport.client.RemoteTeamService.getAppropriateException(RemoteTeamService.java:663)
we see it should be a special case which indicate transport errors:
658:        if (0 == declaredExceptionTypes.length) { 
659: // Special case TeamServiceExceptions which indicate transport errors
660: String rteMessage = (exception instanceof TeamServiceException) ? 
661:         Messages.getServerString("RemoteTeamService.CommError") : //$NON-NLS-1$
We executed command as you suggest:
openssl s_client -connect hostname.domain:port < /dev/null 
and it returned:


Comments
Kevin Ramer commented Oct 08 '18, 8:43 a.m.

You'd need to specify the hostname:port with actual values.   I.e.  Your RTC's host name and port must be the value to the argument -connect


SEC Servizi commented Oct 08 '18, 9:04 a.m.

Sure, we did that! ;)

Cheers.


permanent link
SEC Servizi (97122652) | answered Oct 09 '18, 5:31 a.m.

Your answer


Register or to post your answer.