
Different ssl-certs delivered depending on client

I'm using a free SSL-cert from startssl.com for my Artifactory-repo. It's all green and nice in my browsers, but of course not from Java. So I installed the cacerts with this handy script:

http://www.ailis.de/~k/uploads/scripts/import-startssl

But I STILL get the:

Server access Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException

error. JAVA_HOME set correctly. Any suggestion highly appreciated!

More info:

It's Ivy from SBT 0.12.2 (using paulp's script https://github.com/paulp/sbt-extras ) that is barfing on the cert:

[info] Resolving net.liftmodules#omniauth_2.10;2.5-SNAPSHOT-0.7-SNAPSHOT ...
[error] Server access Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo.woodenstake.se/all/net/liftmodules/omniauth_2.10/2.5-SNAPSHOT-0.7-SNAPSHOT/maven-metadata.xml

-- Update:

The problem seems to be something totally different, not related to Java per se. Visiting the page from a browser yields a green cert and I can see the info that it's signed by StartSSL. But even wget or curl chokes and tells me that this is a self-signed cert. It seems that different certs are delivered depending on the client.

The repo is at https://repo.woodenstake.se/ - If you paste this in your browser I would guess that you get the StartSSL-cert. BUT if you do wget https://repo.woodenstake.se/ you get some old self-signed cert that I don't know where it comes from.

-- Update to update:

So the problem is that I'm serving a few sites of the form *.woodenstake.se. I got the feeling that it would be possible to have different certs like:

server {
    listen 443;
    server_name site1.woodenstake.se;
    client_max_body_size 512m;
    ssl on;
    ssl_certificate cert1.crt;
    ssl_certificate_key cert1.key;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://server1;
            break;
        }
    }
}

server {
    listen 443;
    server_name site2.woodenstake.se;
    client_max_body_size 512m;
    ssl on;
    ssl_certificate cert2.crt;
    ssl_certificate_key cert2.key;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://server2;
            break;
        }
    }
}

and it works just fine in all my browsers.

However, it doesn't work from wget or JDK6.

The problem was something completely different. Apparently you can't have more than one certificate on the same IP and be sure that all clients can handle it. I have a few tools on this machine and my nginx-config had references both to the StartSSL cert for this site and to a self-signed (snakeoil) cert for some other sites.

My nginx supports TLS SNI:

~ $ sudo nginx -V
nginx version: nginx/0.7.65
TLS SNI support enabled

but apparently wget and Java clients don't handle it. All my browsers do though.

Maybe it's possible to do something like:

http://library.linode.com/security/ssl-certificates/subject-alternate-names

but I don't know if it is possible to get StartSSL to sign it.

More info here:

http://www.carloscastillo.com.ar/2011/05/multiple-ssl-certificates-on-same-ip.html

Wget test on my Ubuntu-desktop:

viktor@hedefalk-i7:~$ wget https://bob.sni.velox.ch/
--2013-03-25 17:07:19--  https://bob.sni.velox.ch/
Resolving bob.sni.velox.ch (bob.sni.velox.ch)... 62.75.148.60
Connecting to bob.sni.velox.ch (bob.sni.velox.ch)|62.75.148.60|:443... connected.
ERROR: no certificate subject alternative name matches
    requested host name `bob.sni.velox.ch'.
To connect to bob.sni.velox.ch insecurely, use `--no-check-certificate'

So I think the answer to my question is:

Your version of Java (or all, but maybe it works in JDK7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html ) doesn't support TLS SNI, so nginx can't be sure which certificate to serve, since this is negotiated before HTTP. Buy a wildcard-cert for real money from the man or cry a river.
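An added diagnostic for exactly this situation, not code from the question or answer: it connects to a host once with SNI and once without, and reports which certificate the server chose (or the verification error a non-SNI client such as JDK6 or the old wget would hit). The names probe() and san_matches_host() and the certificate dicts used for checking are mine; the default host is the SNI test site from the wget run above.

```python
# Added example: report which certificate a server presents with and
# without TLS SNI. probe() and san_matches_host() are names chosen here.
import socket
import ssl
import sys


def san_matches_host(cert: dict, host: str) -> bool:
    """True if a DNS SAN in a getpeercert()-style dict covers host.

    A wildcard covers exactly one label: '*.woodenstake.se' matches
    'site1.woodenstake.se' but not 'woodenstake.se' or 'a.b.woodenstake.se'.
    """
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def probe(host: str, port: int = 443, send_sni: bool = True) -> dict:
    """Connect and report the certificate the server chose.

    send_sni=False sends no server_name in the ClientHello (what JDK6 and
    the old wget above do), so a multi-site nginx answers with the default
    server block's certificate. Chain verification stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done by san_matches_host()
    try:
        with socket.create_connection((host, port), timeout=10) as raw, \
                ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
            cert = tls.getpeercert()
            names = [n for k, n in cert.get("subjectAltName", ()) if k == "DNS"]
            return {"sni": send_sni, "ok": san_matches_host(cert, host), "dns_names": names}
    except OSError as err:  # ssl.SSLError is an OSError, e.g. "self signed certificate"
        return {"sni": send_sni, "ok": False, "error": str(err)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "bob.sni.velox.ch"
    for with_sni in (True, False):
        print(probe(target, send_sni=with_sni))
```

If the two results differ (a valid cert with SNI, a self-signed or wrong-name cert without), the server is relying on SNI and non-SNI clients will get the default vhost's certificate, which is the failure the question describes.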
