
CAS SunCertPathBuilderException:unable to find valid certification path to requested target

I have CAS configured on my computer to work on a particular domain (say a.com), which works fine. There I had a pair of .crt and .key files along with the code. Now there has been a need to change the domain, so what I did was change the domain (say b.com) in the source code accordingly and import the .crt and .key files I have received. Now, when I access the CAS login page, I can access that. But when I provide the login credentials and click on the login button, it fails with the following exception.

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    sun.security.validator.Validator.validate(Validator.java:260)
    sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:158)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:143)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:270)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

Can someone please tell me what the heck is going on here? I have seen a lot of similar questions but none seemed to address my scenario.

Turns out to be a problem with my Tomcat configuration. Even though I had imported the keys into the keystore, the keystore was not being accessed by Tomcat, leading to a failure to read the certificate.

Seems like this applies to those who download and extract binaries of Tomcat distributions instead of using a package manager such as apt-get.

There are currently two possible options (there may be more).

  1. Modifying catalina.sh to add the property -Djavax.net.ssl.trustStore pointing at the required trust store file. Basically, the property and the value are appended to the JAVA_OPTS variable in the above script, e.g. JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts". However, this is just a quick fix. I don't think that this is a good solution because the trust store is being added globally.
  2. Adding the keystore location to the connector attribute in the server.xml configuration file. Examples can be found here.

I now realize that this is a very simple fundamental problem. But for the sake of supporting the learners I thought of leaving the question and the answer. Please improve this answer further.

From the CAS docs:

PKIX path building errors are the most common SSL errors. The problem here is that the CAS client does not trust the certificate presented by the CAS server; most often this occurs because of using a self-signed certificate on the CAS server. To resolve this error, import the CAS server certificate into the system truststore of the CAS client. If the certificate is issued by your own PKI, it is better to import the root certificate of your PKI into the CAS client truststore.

By default the Java system truststore is at $JAVA_HOME/jre/lib/security/cacerts. The certificate to be imported MUST be a DER-encoded file.

So, if you have the keystore file, say store.jks, first export the server's certificate:

keytool -exportcert -keystore store.jks -alias server -file server.crt

[Note that the alias could be different in your keystore.] Next, move the certificate into the $JAVA_HOME/jre/lib/security/cacerts directory, and import it into the client's truststore (here, the client is your JVM):

keytool -import -keystore cacerts -file server.crt -alias server -storepass changeit

[The last command must be invoked with administrator privileges!]

Note that if you run this on localhost, the certificate's CN must be "localhost".

That's it, now start the server and enjoy.
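Both answers above come down to one question: does the truststore the CAS client JVM actually loads contain an anchor for the certificate the CAS server presents? The following Java utility is an added example (not code from the question, the answers, Apereo CAS or Tomcat) that checks this offline before touching cacerts or server.xml. It lists the trusted entries in a given store, runs a PKIX validation of the server chain against that store (JSSE's PKIXValidator in the trace builds the path with CertPathBuilder; validating an explicitly supplied chain with CertPathValidator fails with the same root cause, a missing trust anchor, when the store lacks the issuer), and shows how to build an SSLContext from a dedicated store so trust can be scoped to the application rather than set JVM-wide with -Djavax.net.ssl.trustStore. The class name, the argument layout and all file paths are assumptions for the example; the store password "changeit" is the Java default named in the answer above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical diagnostic: does this truststore anchor the CAS server's chain? */
public class TrustStoreCheck {

    /** Load a JKS or PKCS12 truststore from disk (e.g. $JAVA_HOME/jre/lib/security/cacerts). */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Read one DER- or PEM-encoded X.509 certificate, such as the output of keytool -exportcert. */
    static X509Certificate readCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * PKIX-validate a chain (leaf first, then intermediates) against the store's
     * trusted-certificate entries. Returns null on success, otherwise the failure
     * reason; a store without the issuer yields NO_TRUST_ANCHOR, which is the
     * condition behind "unable to find valid certification path to requested target".
     */
    static String validateAgainst(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        // PKIXParameters(KeyStore) throws if the store has no trusted-certificate entries at all.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP lookups here
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getReason() + ": " + e.getMessage();
        }
    }

    /**
     * An SSLContext that trusts only the given store. Handing this to the client
     * (e.g. HttpsURLConnection.setSSLSocketFactory) scopes trust to the application
     * instead of widening the JVM-wide default with -Djavax.net.ssl.trustStore.
     */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: java TrustStoreCheck <truststore> <storepass> <server.crt> [intermediate.crt ...] */
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <truststore> <storepass> <server.crt> [intermediate.crt ...]");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                System.out.println("trusted entry " + alias + ": " + c.getSubjectX500Principal());
            }
        }
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            chain.add(readCertificate(args[i]));
        }
        String failure = validateAgainst(ts, chain);
        if (failure == null) {
            System.out.println("OK: chain builds to an anchor in " + args[0]);
            SSLContext ctx = sslContextFor(ts);
            System.out.println("SSLContext ready (" + ctx.getProtocol() + ") for a client scoped to this store");
        } else {
            System.out.println("FAIL: " + failure);
            System.exit(1);
        }
    }
}
```

Run it with the store Tomcat really loads (the answer above notes that an extracted Tomcat binary may not be reading the store you imported into) and the certificate exported with keytool -exportcert. A FAIL with NO_TRUST_ANCHOR before any fix, and OK after importing the server certificate or, better, your PKI's root, confirms that the import landed in the right store; an OK here but the same exception in CAS means the running JVM is using a different truststore than the one you checked.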
