1 Reply Latest reply on Jan 16, 2020 11:03 AM by fjuma

    Unable to determine if the certificate is trusted.

    carla-2
    carla-2 Jan 9, 2020 5:52 AM

      Hi all,

      I'd like to automate the installation of mutual SSL for HTTP using security enable-ssl-http-server command in the CLI:

       

      security enable-ssl-http-server --key-store-path=server.keystore --key-store-password=secret --trusted-certificate-path=client.crt --trust-store-file-password=secret
Server reloaded.

ERROR, security changes have not been applied.
Failed action: Importing certificate /home/jboss/wildfly-18.0.1.Final/bin/public.cert in trust-store trust-store-18da8404-7935-4907-826f-db3905e3b017
Cause: WFLYELY01040: Unable to determine if the certificate is trusted. Inspect the certificate carefully and if it is valid, execute import-certificate again with validate set to false.

       

      is it a misconfiguration of the command security enable-ssl-http-server? Have I missed any parameter therefore validation fails?

      I've created the file client.crt as follows:

       

      keytool -genkey -keystore client.keystore -storepass secret -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12 -dname "cn=Desktop user,o=Acme,c=GB"
keytool -exportcert -keystore client.keystore  -storetype pkcs12 -storepass secret -keypass secret -file client.crt

       

      Any idea?

      Thanks

       

      EDIT: the following error is displayed in the logs:

      Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1939)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
      • 175 Views
      • Tags:
        • 1. Re: Unable to determine if the certificate is trusted.
          fjuma
          fjuma Jan 16, 2020 11:03 AM (in response to carla-2)

          By default, the enable-ssl-http-server command will try to validate that the client certificate being imported is really trusted. It does this by attempting to build a chain of trust from the certificate to a self-signed certificate belonging to a root CA. Since the certificate being used here was not issued by a trusted certificate authority, validation fails. If you want to use this certificate anyway, the no-trusted-certificate-validation option can be passed to the enable-ssl-http-server command to disable validation.

            • Actions