Missing CA ends in SSLHandshakeException #706

Closed
kkopper opened this issue May 9, 2018 · 4 comments

kkopper commented May 9, 2018

Expected Behavior

Establish a secure WebSocket connection to a server using a Let's Encrypt certificate.

Current Behavior

SSLHandshakeException (full stack trace below) and closing the connection with status -1.

If I try to connect to wss://echo.websocket.org, which uses Go Daddy Secure Certificate Authority - G2, all works as expected.

I also connect to an HTTP service provided by this server which uses the same certificate. That works like a charm.

Steps to Reproduce (for bugs)

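  1. Try to connect to the server:

```kotlin
import org.java_websocket.WebSocketImpl
import org.java_websocket.client.WebSocketClient
import org.java_websocket.handshake.ServerHandshake
import java.net.URI

// Enable the library's debug output
WebSocketImpl.DEBUG = true
val u = URI.create("wss://mysocket.com")
val client = object : WebSocketClient(u) {
    override fun onOpen(handshakedata: ServerHandshake?) {
        println("Connected!")
        send("You are amazing!")
    }

    override fun onClose(code: Int, reason: String?, remote: Boolean) {
        println("Closing: $code - $reason")
    }

    override fun onMessage(message: String?) {
        println(message)
        close()
    }

    // The SSLHandshakeException from the TLS handshake is reported here
    override fun onError(ex: Exception?) {
        ex?.printStackTrace()
    }
}

client.connect()
```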

Adding a custom sslContext, factory and socket as in the example changes nothing.

Debug log (for bugs)

write(183): {GET / HTTP/1.1
Connection: Upgrade
Host: XXXXXXX
Sec-WebSocket-Key: mDOtEzdFcf7j8mfDfHTl5Q==
Sec-WebSocket-Version: 13
Upgrade: websocket

}

followed by the exception stacktrace:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
	at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974)
	at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345)
	at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339)
	at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968)
	at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)
	at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
	at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098)
	at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
	at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
	at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
	at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
	at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
	at java.base/sun.security.ssl.SSLSocketImpl.bytesInCompletePacket(SSLSocketImpl.java:907)
	at java.base/sun.security.ssl.AppInputStream.read(AppInputStream.java:144)
	at java.base/java.io.InputStream.read(InputStream.java:106)
	at org.java_websocket.client.WebSocketClient.run(WebSocketClient.java:388)
	at java.base/java.lang.Thread.run(Thread.java:844)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:343)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
	at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
	... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 19 more

Your Environment

  • Version used: 1.3.8
  • Java version: 10 (build 10+46)
  • Operating System and version: macOS 10.13.4

marci4 (Collaborator) commented May 9, 2018

Hello @kkopper,

thank you for your bug report!

I fear that you have to take action on that yourself.
The problem is that your WebSocket server is not including the certificate chain, and therefore Java is not able to verify your certificate.

There is nothing this library can do for you!
Hope this helps you.

Best regards,
marci4

kkopper changed the title from "Let's Encrypt certificate ends in SSLHandshakeException" to "Missing CA ends in SSLHandshakeException" on May 11, 2018

kkopper (Author) commented May 11, 2018

Thank you very much for the hint. I contacted the person responsible for the server, and after he included the certificate chain, everything works as expected.

I just changed the title to better represent the actual problem; it is up to you if you want to close the issue or leave it open to provide help for others.

marci4 (Collaborator) commented May 11, 2018

Hello @kkopper,

Happy that this helped you!

I would add my answer to the FAQ and then close this issue since it is solved.

Best regards,
marci4

marci4 self-assigned this May 11, 2018

marci4 (Collaborator) commented May 14, 2018

Included it in the FAQ.

Thank you again!
Best regards,
marci4

marci4 closed this as completed May 14, 2018