Running an HTTPS request with Payara Server fails with javax.net.ssl.SSLHandshakeException
Problem Description
- The Let's Encrypt certificate is missing from the trust store of Payara 4.1.x installations
- URL: https://api.fachschaft.in/scrapi/meals/nbg-inselschuett.json
Exception Details
[2018-05-16T14:30:00.028+0200] [Payara 4.1] [INFO] [] [] [tid: _ThreadID=146 _ThreadName=__ejb-thread-pool5] [timeMillis: 1526473800028] [levelValue: 800] [[
14:30:00.028 [__ejb-thread-pool5] ERROR d.t.i.i.s.datacollection.TaskRunner - Failed to execute reader FachschaftMealParser
because of de.thnuernberg.in.infohm.server.datacollection.parser.mensa.MealParserException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
]]
Download the Let's Encrypt Certificate
- Let's Encrypt download page
- Select Let’s Encrypt Authority X3 (IdenTrust cross-signed)
- Save the certificate as: lets-encrypt-x3-cross-signed.pem
File Locations for a Payara 4.1 installation on Windows 10
- Keystore file: D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks
- Keytool from JDK: D:\dev\jdk\jre1.8.0_162\bin\keytool.exe
- PEM file: lets-encrypt-x3-cross-signed.pem
- Keystore password (-storepass): changeit
Note: The cacerts.jks from the Payara server is used, not the JDK one
Install the Let's Encrypt Certificate
List the certificates already installed before the import
keytool.exe -v -list -storepass changeit -noprompt -keystore D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks
Install the new certificate
keytool.exe -trustcacerts -keystore D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks -storepass changeit -noprompt -importcert -file lets-encrypt-x3-cross-signed.pem
Certificate was added to keystore
Verify the certificate installation with -alias mykey (keytool's default alias, used because the import command above does not pass -alias)
keytool.exe -v -list -storepass changeit -noprompt -keystore D:\dev\payara41\glassfish\domains\domain1\config\cacerts.jks -alias mykey
Alias name: mykey
Creation date: May 16, 2018
Entry type: trustedCertEntry
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial number: a0141420000015385736a0b85eca708
Valid from: Thu Mar 17 17:40:46 CET 2016 until: Wed Mar 17 17:40:46 CET 2021
Certificate fingerprints:
MD5: B1:54:09:27:4F:54:AD:8F:02:3D:3B:85:A5:EC:EC:5D
SHA1: E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
SHA256: 25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
...
Restart Payara so that it loads the updated cacerts.jks!
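The import command above uses -noprompt, so keytool never shows the certificate and asks for confirmation before trusting it. The following added example (not part of the original page) checks a downloaded PEM file against an expected SHA-256 fingerprint, in the same format as keytool's SHA256: line, before the import is run. The function names and the sample data are hypothetical and constructed for illustration; in real use the expected value is the fingerprint published by the CA.

```python
import base64
import hashlib
import hmac
import re

# Matches every CERTIFICATE block in a PEM file (a file may hold a whole chain).
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def pem_to_der_list(pem_text):
    """Return the DER bytes of each certificate block found in pem_text."""
    ders = []
    for body in PEM_CERT.findall(pem_text):
        # validate=True rejects stray characters instead of silently skipping them
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders

def keytool_fingerprint(der):
    """SHA-256 over the DER encoding, formatted like keytool's 'SHA256:' line."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def safe_to_import(pem_text, expected_fingerprint):
    """True only if the file holds exactly one certificate and it matches."""
    ders = pem_to_der_list(pem_text)
    if len(ders) != 1:
        return False  # empty file or unexpected extra certificates
    expected = expected_fingerprint.strip().upper()
    return hmac.compare_digest(keytool_fingerprint(ders[0]), expected)

# Constructed sample: placeholder bytes, NOT a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)
# Assumption: in real use this value is the CA's published fingerprint,
# obtained over a separate channel from the download itself.
SAMPLE_EXPECTED = keytool_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print("sample fingerprint:", SAMPLE_EXPECTED)
    print("import allowed:", safe_to_import(SAMPLE_PEM, SAMPLE_EXPECTED))
    tampered = SAMPLE_PEM.replace("Y", "Z", 1)  # flip one base64 character
    print("tampered allowed:", safe_to_import(tampered, SAMPLE_EXPECTED))
```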