How to solve "The certificate is not valid and cannot be used to verify the identity of this website" error?
Asked Answered
E

2

7

The question is, How to solve "The certificate is not valid and cannot be used to verify the identity of this website" error?.

Here are the details:

I have a signed applet that has been working fine, until I updated Java to 8u25 (1.8.0_25-b18). Now, the application shows an alert message "Do you want to continue? The connection to this website is untrusted". There is a note in this message too, "The certificate is not valid and cannot be used to verify the identity of this website".

The applet is loaded without problems. But when the user tries to use a specific function of that application, the warning message is displayed.

I've checked the java console when this happens, and this warning message is displayed right after these lines:

security: Obtain certificate collection in SSL Root CA certificate store
security: Invalid certificate from HTTPS server
network: Cache entry not found [url: https://sub.domain.net:9876, version: null]

The application is downloaded from a different domain, say "https://app.domain.net/.....", so no jars are downloaded from "https://sub.domain.net:9876", but the applet connects to "https://sub.domain.net:9876" to send/receive data.

The applet is signed correctly, and so far, it meets all the security requirements according to Java. This issue seems to happen when the application tries to connect internally with an HTTPS url like https://sub.domain.net:9876. That sites' SSL certificate is valid, issued by GoDaddy and has not expired.

Again, this started to happen after updating my JRE to 8u25. I've tested adding the offending URL to Java security exception list, with no success.

Here are a few screenshot of this problem:

This is the warning message displayed: Warning message More information about the warning message Certificate basic information 1 Certificate basic information 2


Edit 10/18/2014:

Question posted in "Oracle Community" too, to increase answer options: Question in Oracle Community.


Edit 10/21/2014:

I noticed this: When I click the link "More Information" displayed in the "Security Warning" dialog, the reason displayed says:

The application is being downloaded from a site other than the one specified by the security certificate.

  • Downloading from "sub.domain.net"

  • Expecting "*.DOMAIN.NET"

This message says the application is BEING DOWNLOADED FROM "sub.domain.com", and that is false. The application (applet) is already downloaded, and it is only using that domain in an internal HTTPS request, to get/send business data, not to download additional Jars, JNLPs, etc.

Ethnomusicology answered 17/10, 2014 at 20:53 Comment(3)
According to the error messages in your redacted screen shots the certificate might be issued for a different hostname then the one your are using within the connection. It might be, hat Java8 now does stricter checks for the names in the certificate.Nigel
Thank you for your help. Yes, that is a possibility, but the website's certificate is a wildcard one, which is used in multiple subdomains (my.domain.net, test.domain.net, domain.net), so I would expect this certificate to be valid for Java too. If that is not the case, it means that Java is now requiring a separate certificate specific for each domain/subdomain. I'm not sure if another cause of the problem is that the certificate mentions the website's domain in uppercase letters.Ethnomusicology
It's really hard to say what is wrong without seeing the certificate. But it might also be the case, that Java 7 did not verify the hostname in the certificate at all, while Java 8 has incomplete verification. See also #18139948Nigel
E
2

I found how to solve this issue, and thanks to Steffen Ullrich for a valid proposal.

This is related to the certificate's Common Name (CN) value. In my case, that value was *.DOMAIN.NET, and to change it to *.domain.net, all we had to do was a procedure called "Domain Transfer". This means, to change the CN to *.REKEY.DOMAIN.NET, and then to change it again to *.domain.net. We could not change it to *.domain.net directly because the certificate provider says *.DOMAIN.NET and *.domain.net are the same.

Now, this issue happened only with Java 7.71 and Java 8.25. Previous version of Java 7 and 8 don't have this issue (SSL certificate restrictions for CN in a different casing).

Anyway, this solved the issue, and now we receive a gentle information message about the domain:

Notification Message after the certificate CN change

Ethnomusicology answered 22/10, 2014 at 23:24 Comment(0)
M
0

If you trust the certificate and the website you are accessing, hit Continue to get past this message.

However, unless you ABSOLUTELY trust that website, this is a red-flag warning that you may not be accessing the page you think you are, and there may be a serious security risk. That's why it warns you. A "wildcard certificate", if that is indeed possible, would be a Bad Idea unless it restricts itself to a very specific and limited set of domains.

I doubt this is case-sensitive.

Massasauga answered 18/10, 2014 at 17:32 Comment(1)
Thanks for your help!. Yes, hitting "Continue" allows the application to load without problems, but the problem is that I am the developer of this application, and it is not good for the business that this app keep asking the customer if he/she trusts the site/app. I also doubt it is case sensitive, but to be sure, I'll search some more info about it.Ethnomusicology

© 2022 - 2024 — McMap. All rights reserved.