Why does clclient client have different behavior (SSL related) on DO blobs?

On my Ubuntu (16.04) dev. env. I can create a default httpclient and send a request to an https endpoint (like Slack); however, on prod. env. (DO drops since Ubuntu 14.04) I am getting this error:

sun.security.validator.ValidatorException: PKIX path building failed: 
     sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      

edit: still trying to figure it out ... I guess DO blobs with Java (Oracle) installed do not have the same certifications as Ubuntu desktop images. I added the Slack certificate (got it using this tool InstallCert mentioned elsewhere on SO) to cacerts (and ran update-ca-certificates) to no avail.

+3




1 answer


Your Java cacerts may be missing the GeoTrust root.

You can see which certificates are trusted using keytool. For example, for the oracle JVM:

keytool -list -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts

      

Look for an entry with the correct signature, i.e.:



debian:geotrust_global_ca.pem, 18/05/2015, trustedCertEntry, 
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12

      

If it is not trusted, you can install it by downloading it from:
https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem

Install it with

keytool -import -trustcacerts -file GeoTrust_Global_CA.pem -alias GeoTrust_Global_CA -keystore $JAVA_HOME/jre/lib/security/cacerts

      

+3
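
To automate the fingerprint lookup described in the answer above, here is an added example (not part of the original answer): a POSIX shell helper that reads `keytool -list` output and reports which alias holds a given fingerprint. The function names and the second sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: find a root by fingerprint in `keytool -list` output.

# Uppercase a fingerprint and keep only hex digits, so "de:28:.." equals "DE28..".
normalize_fp() {
    printf '%s' "$1" | tr 'a-f' 'A-F' | tr -cd '0-9A-F'
}

# find_trusted_alias FINGERPRINT  (reads `keytool -list` output on stdin)
# Prints the alias of every trustedCertEntry with that fingerprint.
# Returns 0 on a match, 1 on no match, 2 on an empty fingerprint.
find_trusted_alias() {
    want=$(normalize_fp "$1")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        # Entry header: "<alias>, <date>, trustedCertEntry,". The date may itself
        # contain a comma (locale dependent), so cut at the first ", ".
        # Assumption: the alias does not contain ", ".
        /, trustedCertEntry,/ { alias = $0; sub(/, .*$/, "", alias); next }
        # Fingerprint line: "Certificate fingerprint (SHA1): AA:BB:..."
        /^Certificate fingerprint \(/ {
            fp = $0
            sub(/^[^:]*: */, "", fp)
            gsub(/[^0-9A-Fa-f]/, "", fp)
            if (toupper(fp) == want) { print alias; found = 1 }
            alias = ""
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample output. The first entry is the one quoted in the answer;
# the second entry (alias, date, fingerprint) is made up for the example.
sample_keytool_list() {
    cat <<'EOF'
Your keystore contains 2 entries

debian:geotrust_global_ca.pem, 18/05/2015, trustedCertEntry,
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
example:constructed_root.pem, May 18, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF
}

# Real use: keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts" | find_trusted_alias "<fingerprint>"
sample_keytool_list | find_trusted_alias "de:28:f4:a4:ff:e5:b9:2f:a3:c5:03:d1:a3:49:a7:f9:96:2a:82:12"
```

Run it against the keystore of the JVM that actually executes the application, since a host can carry more than one cacerts file.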

