No trusted certificate found (https)

Discussion in 'Java' started by Alex Hunsley, Jan 28, 2004.

  1. Alex Hunsley

    Alex Hunsley Guest

    I'm reworking some http resource accessing code to make it use an https
    connection, rather than just http.

    So, the people running the web server have generated a certificate (not
    signed by verisign or anything similar), and I can access the https
    resource in a browser (although obviously I get a certificate warning
    first, I just hit "yes" and the page loads).

    I've changed the java http connecting code to look like this:

    // notice the URL is now https
    URL url = new URL("https://server.name/aResource/thing.html");
    String status = conn.open(url);

    When I run this, the status string comes back as
    "sun.security.validator.ValidatorException: No trusted certificate
    found". Is this because the web server certificate is not signed by
    verisign or a similar authority, or just because it is poorly formed in
    some way?
    I was led to believe that paying money to get a cert. signed by verisign
    et al wasn't strictly necessary....

    thanks!
    alex
    Alex Hunsley, Jan 28, 2004
    #1

  2. Alex Hunsley

    Alex Hunsley Guest

    Alex Hunsley wrote:
    > I'm reworking some http resource accessing code to make it use an https
    > connection, rather than just http.
    >
    > So, the people running the web server have generated a certificate (not
    > signed by verisign or anything similar), and I can access the https
    > resource in a browser (although obviously I get a certificate warning
    > first, I just hit "yes" and the page loads).
    >
    > I've changed the java http connecting code to look like this:
    >
    > // notice the URL is now https
    > URL url = new URL("https://server.name/aResource/thing.html");
    > String status = conn.open(url);
    >
    > When I run this, the status string comes back as
    > "sun.security.validator.ValidatorException: No trusted certificate
    > found". Is this because the web server certificate is not signed by
    > verisign or a similar authority, or just because it is poorly formed in
    > some way?
    > I was led to believe that paying money to get a cert. signed by verisign
    > et al wasn't strictly necessary....
    >
    > thanks!
    > alex
    >
    >

    btw, am using j2se1.4.2_03.

    alex
    Alex Hunsley, Jan 28, 2004
    #2

  3. Alex Hunsley

    Chris Smith Guest

    Alex Hunsley wrote:
    > When I run this, the status string comes back as
    > "sun.security.validator.ValidatorException: No trusted certificate
    > found". Is this because the web server certificate is not signed by
    > verisign or a similar authority, or just because it is poorly formed in
    > some way?
    > I was led to believe that paying money to get a cert. signed by verisign
    > et al wasn't strictly necessary....


    It isn't strictly necessary. You just need to go to a few lengths to
    accept the certificate (just as you did with the web browser, except the
    few lengths are less obvious here). To do this, you need to get an
    SSLContext that uses a custom TrustManager object, and build an
    SSLSocketFactory from there. I've included below some code from
    MindIQ's Design-a-Course application that does this -- with the actual
    code of the TrustManager removed so that it accepts all certificates.
    Depending on your needs, you may want to have the class examine the
    certificate and decide whether to accept it or not.

    Once you've got the SocketFactory, you need to arrange for your HTTPS
    connection to use that factory. I'm not sure off-hand how this would
    work, since we use Jakarta Commons HTTPClient at this point, so we
    depart from the core API. You may find that to use a custom
    SocketFactory for a URLConnection, you would need to reimplement the
    URLStreamHandler, which would be a bit of a pain. At that point, I'd
    end up recommending that you switch to the Jakarta Commons HttpClient
    library yourself, before going on.

    So here's that code:

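    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // sockFactory is assumed to be an SSLSocketFactory field declared elsewhere
    try
    {
        // Both check methods are empty, so every certificate is accepted
        X509TrustManager trustMgr = new X509TrustManager() {
            public void checkClientTrusted(
                    X509Certificate[] arg0, String arg1)
                    throws CertificateException
            {
            }

            public void checkServerTrusted(
                    X509Certificate[] arg0, String arg1)
                    throws CertificateException
            {
            }

            public X509Certificate[] getAcceptedIssuers()
            {
                return new X509Certificate[0];
            }
        };

        // Build an SSLContext that uses only the custom TrustManager
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[] { trustMgr }, null);

        sockFactory = context.getSocketFactory();
    }
    catch (NoSuchAlgorithmException e)
    {
        ...
    }
    catch (KeyManagementException e)
    {
        ...
    }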


    --
    www.designacourse.com
    The Easiest Way to Train Anyone... Anywhere.

    Chris Smith - Lead Software Developer/Technical Trainer
    MindIQ Corporation
    Chris Smith, Jan 28, 2004
    #3
  4. Alex Hunsley wrote:

    > "sun.security.validator.ValidatorException: No trusted certificate
    > found". Is this because the web server certificate is not signed by
    > verisign or a similar authority, or just because it is poorly formed in
    > some way?


    Not really my area but have a look at policytool.
    Thomas Schodt, Jan 28, 2004
    #4
  5. Alex Hunsley

    Alex Hunsley Guest

    Chris Smith wrote:

    > Alex Hunsley wrote:
    >
    >>When I run this, the status string comes back as
    >>"sun.security.validator.ValidatorException: No trusted certificate
    >>found". Is this because the web server certificate is not signed by
    >>verisign or a similar authority, or just because it is poorly formed in
    >>some way?
    >>I was led to believe that paying money to get a cert. signed by verisign
    >>et al wasn't strictly necessary....

    >
    >
    > It isn't strictly necessary. You just need to go to a few lengths to
    > accept the certificate (just as you did with the web browser, except the
    > few lengths are less obvious here).

    [sniperoon]

    Thanks Chris, you life saver!
    I'm looking at this right now....

    alex :)
    Alex Hunsley, Jan 28, 2004
    #5
  6. Alex Hunsley

    Alex Hunsley Guest

    Thomas Schodt wrote:

    > Alex Hunsley wrote:
    >
    >> "sun.security.validator.ValidatorException: No trusted certificate
    >> found". Is this because the web server certificate is not signed by
    >> verisign or a similar authority, or just because it is poorly formed
    >> in some way?

    >
    >
    > Not really my area but have a look at policytool.


    Ok, am duly hunting it down... thanks for that.
    alex
    Alex Hunsley, Jan 28, 2004
    #6
  7. Alex Hunsley

    Alex Hunsley Guest

    Chris Smith wrote:

    > Alex Hunsley wrote:
    >
    >>When I run this, the status string comes back as
    >>"sun.security.validator.ValidatorException: No trusted certificate
    >>found". Is this because the web server certificate is not signed by
    >>verisign or a similar authority, or just because it is poorly formed in
    >>some way?
    >>I was led to believe that paying money to get a cert. signed by verisign
    >>et al wasn't strictly necessary....

    >

    [snip]

    Ok, got it to work (sort of).
    I also had to provide a HostnameVerifier, in addition to what you
    suggested, so FYI the code was

    // this calls Chris' code (posted to newsgroup)
    // to make the SocketFactory
    SSLSocketFactory sf = SecureSocketFactoryProducer
            .getSecureSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(sf);
    HttpsURLConnection httpsURLConn
            = (HttpsURLConnection) url.openConnection();

    // my own HostnameVerifier object which verifies
    // everything, for the moment
    HostVerifier hv = new HostVerifier();
    httpsURLConn.setHostnameVerifier(hv);


    When I programmatically then get data over this connection, it works on
    average about 70 times, and then I get 500 internal server error.
    Our server is quite busy, and the plain http code has a mechanism to
    retry the http get if the get failed. So my theory is that the SSL
    bridging in apache just gives up after failing to get a URL and throws a
    500 internal error. Have no idea how to solve this atm but am looking!

    thanks for your help
    alex
    Alex Hunsley, Jan 29, 2004
    #7
  8. Alex Hunsley

    xulrmb

    Chris thank you very much~~~~ ^_^

    Dear Chris, your code solved my problem!

    thank you very much!


    8)
    xulrmb, Apr 8, 2008
    #8
