How to configure trustStore for javax.net.ssl.trustStore on windows?

I'm trying to pull messages from an email server in Java using IMAP and I run into this exception:

DEBUG: JavaMail version 1.4.2
DEBUG: successfully loaded resource: /META-INF/javamail.default.providers
DEBUG: Tables of loaded providers
DEBUG: Providers Listed By Class Name: {com.sun.mail.smtp.SMTPSSLTransport=javax.mail.Provider[TRANSPORT,smtps,com.sun.mail.smtp.SMTPSSLTransport,Sun Microsystems, Inc], com.sun.mail.smtp.SMTPTransport=javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc], com.sun.mail.imap.IMAPSSLStore=javax.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Sun Microsystems, Inc], com.sun.mail.pop3.POP3SSLStore=javax.mail.Provider[STORE,pop3s,com.sun.mail.pop3.POP3SSLStore,Sun Microsystems, Inc], com.sun.mail.imap.IMAPStore=javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Sun Microsystems, Inc], com.sun.mail.pop3.POP3Store=javax.mail.Provider[STORE,pop3,com.sun.mail.pop3.POP3Store,Sun Microsystems, Inc]}
DEBUG: Providers Listed By Protocol: {imaps=javax.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Sun Microsystems, Inc], imap=javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Sun Microsystems, Inc], smtps=javax.mail.Provider[TRANSPORT,smtps,com.sun.mail.smtp.SMTPSSLTransport,Sun Microsystems, Inc], pop3=javax.mail.Provider[STORE,pop3,com.sun.mail.pop3.POP3Store,Sun Microsystems, Inc], pop3s=javax.mail.Provider[STORE,pop3s,com.sun.mail.pop3.POP3SSLStore,Sun Microsystems, Inc], smtp=javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]}
DEBUG: successfully loaded resource: /META-INF/javamail.default.address.map
DEBUG: getProvider() returning javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Sun Microsystems, Inc]
DEBUG: mail.imap.fetchsize: 16384
DEBUG: mail.imap.statuscachetimeout: 1000
DEBUG: mail.imap.appendbuffersize: -1
DEBUG: mail.imap.minidletime: 10
DEBUG: enable STARTTLS
DEBUG: trying to connect to host "10.53.151.183", port 143, isSSL false
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
DEBUG: protocolConnect login, host=10.53.151.183, user=compass, password=<non-null>
A0 STARTTLS
A0 OK Begin TLS negotiation now.
A1 CAPABILITY
com.mycompany.blah.common.lifecycle.exception.StartException: javax.mail.MessagingException: * BYE JavaMail Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
  nested exception is:
    com.sun.mail.iap.ProtocolException: * BYE JavaMail Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.mycompany.blah.impl.email.IMAPEmailMonitorIngestor.start(IMAPEmailMonitorIngestor.java:63)
    at com.mycompany.blah.impl.EmailMonitorIT.test(EmailMonitorIT.java:54)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:45)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:42)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:263)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:68)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:47)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:30)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
    at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:53)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:123)
    at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:104)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:164)
    at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:110)
    at org.apache.maven.surefire.booter.SurefireStarter.invokeProvider(SurefireStarter.java:172)
    at org.apache.maven.surefire.booter.SurefireStarter.runSuitesInProcessWhenForked(SurefireStarter.java:104)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:70)
Caused by: javax.mail.MessagingException: * BYE JavaMail Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
  nested exception is:
    com.sun.mail.iap.ProtocolException: * BYE JavaMail Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:609)
    at javax.mail.Service.connect(Service.java:291)
    at com.mycompany.blah.impl.email.IMAPEmailMonitorIngestor.start(IMAPEmailMonitorIngestor.java:58)
    ... 32 more
Caused by: com.sun.mail.iap.ProtocolException: * BYE JavaMail Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.imap.protocol.IMAPProtocol.capability(IMAPProtocol.java:143)
    at com.sun.mail.imap.IMAPStore.login(IMAPStore.java:624)
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:589)
    ... 34 more

My colleague thinks it's an issue with configuring my trust store. I've tried both these lines below without any luck:

System.setProperty("javax.net.ssl.trustStore", "C:/Program Files (x86)/Java/jdk1.7.0_21/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStore", "C:/Program Files/Java/jdk1.7.0_17/jre/lib/security/cacerts");

Any ideas on what I need to be setting? BTW my colleague got this to work on a Linux box by launching the app using:

-Djavax.net.ssl.trustStore=/usr/java/jdk1.7.0_25/jre/lib/security/cacerts

But I'd really like to get this working on my development machine as well. I've read that the set system property should be identical to the -D option when launching the app.

Petite answered 18/7, 2013 at 0:11 Comment(1)
None of those settings is necessary. They all assert the default.Addressee
16

You should first check what certificate the server is sending you. To do it:

  1. Turn on SSL debug: -Djavax.net.debug=all
  2. Find the following lines in the log: *** Certificate chain ...
  3. Find who the issuer of the certificate is
  4. Add the issuer certificate to some trust store (actually, if you receive the cert. chain you can add the root certificate)
  5. Rerun with -Djavax.net.ssl.trustStore=path/to/new/truststore and -Djavax.net.ssl.trustStorePassword=...

BTW:

  1. You don't need to explicitly specify the Java trust store
  2. every setting of the same system property overrides the previous value
  3. you have a strange line: DEBUG: trying to connect to host "10.53.151.183", port 143, isSSL false
Butlery answered 31/10, 2014 at 13:24 Comment(2)
Great! You saved me a lot of time with those indications. The SSL debug option together with the log line to find were awesome for analysing and solving SSL problems ;)Wife
For step #4, what do you mean? How can I add it? In my case there are many 'chain[x]' each one with an issuerAldo
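The procedure in this answer, and the follow-up question about which of the many chain[x] entries to import, as an added example that is not part of the original thread. The class below reads the "*** Certificate chain" block that -Djavax.net.debug=ssl writes (the JDK 7/8 text layout; the SAMPLE_LOG is a constructed stand-in for that output, not real server data), prints subject and issuer per entry, and applies the rule from step 4: trust the last entry if it is self-signed (the root), otherwise the server omitted the root and the CA certificate named by the last issuer has to be obtained from the CA itself. It then imports a PEM file into a JKS truststore exactly as keytool -importcert -trustcacerts would, printing the SHA-256 fingerprint so it can be confirmed with the CA operator before the file is trusted. Class, method and argument names are my own.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: find the trust anchor in a javax.net.debug log and import it into a JKS truststore. */
public final class ChainInspector {

    /** Subject and issuer of one "chain [n] = [ ... ]" entry. */
    static final class Entry {
        final int index;
        final String subject;
        final String issuer;
        Entry(int index, String subject, String issuer) {
            this.index = index; this.subject = subject; this.issuer = issuer;
        }
        boolean selfSigned() { return subject.equals(issuer); }
    }

    // JDK 7/8 prints "Subject:" before "Issuer:" inside every chain [n] block; DOTALL lets .*? span lines.
    private static final Pattern ENTRY = Pattern.compile(
            "chain \\[(\\d+)\\] = \\[.*?Subject: ([^\\r\\n]+).*?Issuer: ([^\\r\\n]+)", Pattern.DOTALL);

    /** The chain the server sent: the first chain block in the log (a client-auth chain, if any, comes later). */
    static List<Entry> parseChain(String debugLog) {
        List<Entry> chain = new ArrayList<Entry>();
        int start = debugLog.indexOf("*** Certificate chain");
        if (start < 0) return chain;
        int end = debugLog.indexOf("\n***", start + 1);           // the block ends at the next bare "***" line
        Matcher m = ENTRY.matcher(end < 0 ? debugLog.substring(start) : debugLog.substring(start, end));
        while (m.find()) {
            chain.add(new Entry(Integer.parseInt(m.group(1)), m.group(2).trim(), m.group(3).trim()));
        }
        return chain;
    }

    /** Step 4 of the answer: the self-signed root if the server sent it, else the CA named by the last issuer. */
    static String whatToTrust(List<Entry> chain) {
        if (chain.isEmpty()) return "no certificate chain in log; rerun with -Djavax.net.debug=ssl";
        Entry last = chain.get(chain.size() - 1);
        if (last.selfSigned()) {
            return "import chain[" + last.index + "], the self-signed root \"" + last.subject + "\"";
        }
        return "server sent no root; obtain the CA certificate with subject \"" + last.issuer
                + "\" from the CA (not from the server) and import that";
    }

    /** Hex SHA-256 of the DER encoding: compare it with the CA operator before trusting the file. */
    static String fingerprint(Certificate cert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            hex.append(String.format("%02X:", b));
        }
        return hex.substring(0, hex.length() - 1);
    }

    /** Equivalent of: keytool -importcert -trustcacerts -alias ALIAS -file ca.pem -keystore store.jks */
    static void importTrustedCert(File pem, File store, char[] storePass, String alias) throws Exception {
        Certificate cert;
        InputStream in = new FileInputStream(pem);
        try { cert = CertificateFactory.getInstance("X.509").generateCertificate(in); } finally { in.close(); }
        KeyStore ks = KeyStore.getInstance("JKS");
        if (store.exists()) {
            InputStream existing = new FileInputStream(store);
            try { ks.load(existing, storePass); } finally { existing.close(); }
        } else {
            ks.load(null, storePass);                               // start a new, empty store
        }
        ks.setCertificateEntry(alias, cert);                        // trusted-certificate entry, no private key
        OutputStream out = new FileOutputStream(store);
        try { ks.store(out, storePass); } finally { out.close(); }
        System.out.println("imported " + alias + " SHA-256 " + fingerprint(cert) + " into " + store);
    }

    // Constructed sample in the JDK 7/8 layout: leaf plus intermediate, root not sent by the server.
    static final String SAMPLE_LOG =
            "*** Certificate chain\n"
            + "chain [0] = [\n[\n  Version: V3\n  Subject: CN=mail.corp.example, O=Example Corp\n"
            + "  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11\n"
            + "  Issuer: CN=Example Corp Issuing CA, O=Example Corp\n  SerialNumber: [    1001]\n]\n"
            + "chain [1] = [\n[\n  Version: V3\n  Subject: CN=Example Corp Issuing CA, O=Example Corp\n"
            + "  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11\n"
            + "  Issuer: CN=Example Corp Root CA, O=Example Corp\n  SerialNumber: [    2]\n]\n"
            + "***\n";

    /** Usage: ChainInspector [debug.log [ca.pem store.jks alias storepass]] */
    public static void main(String[] args) throws Exception {
        String log = args.length > 0 ? new String(Files.readAllBytes(new File(args[0]).toPath()), "UTF-8") : SAMPLE_LOG;
        List<Entry> chain = parseChain(log);
        for (Entry e : chain) {
            System.out.println("chain[" + e.index + "] subject=" + e.subject + " issuer=" + e.issuer);
        }
        System.out.println(whatToTrust(chain));
        if (args.length == 5) {
            importTrustedCert(new File(args[1]), new File(args[2]), args[4].toCharArray(), args[3]);
        }
    }
}
```

Run without arguments it works on the constructed sample and reports that the root is missing and which CA certificate to obtain. Importing the server's own leaf certificate, which is what many answers suggest, silences the error but has to be repeated at every renewal; importing only the issuing CA's root, after checking its fingerprint out of band, is the durable fix. Do not import into the JDK's own cacerts file: it is replaced on every JDK update and, as the comment on the question notes, pointing javax.net.ssl.trustStore at it only restates the default.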
25

Actually, all you need to do is use Windows-ROOT as the trustStoreType. This will use the built-in certificates, so if anything works in your browser then it should work.

  1. Add to VM options:
    • -Djavax.net.ssl.trustStoreType=Windows-ROOT
    • -Djavax.net.ssl.trustStore=C:\\Windows\\win.ini
  2. Restart the server.

Note! Probably any readable file can be used as a trustStore path. It's not really used.

You can also use Windows-MY instead so:

-Djavax.net.ssl.trustStoreType=Windows-MY

See also: https://github.com/gradle/gradle/issues/6584#issuecomment-431862413.

Invalidate answered 26/11, 2019 at 17:35 Comment(0)
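The two configuration routes in this thread, the question's System.setProperty("javax.net.ssl.trustStore", ...) calls and this answer's Windows-ROOT store, as an added example that is not part of the original posts. Two points the thread leaves implicit: the javax.net.ssl.trustStore* properties are read once, when the JVM's default SSLContext is first created, so System.setProperty only works if it runs before any TLS code in the process (a -D option on the command line, as in the Linux launch, always does); and pointing them at the JDK's own cacerts changes nothing, because that is already the default. The class below avoids the global properties altogether: it builds an SSLContext from a truststore of its own choosing, either a JKS/PKCS12 file or the Windows "Trusted Root Certification Authorities" store through the SunMSCAPI provider, and hands the resulting socket factory to JavaMail, which also uses it for the STARTTLS upgrade the question's log shows. It assumes a JavaMail 1.4.x release whose mail.imap.ssl.socketFactory property accepts an SSLSocketFactory instance and that supports mail.imap.starttls.required and mail.imap.ssl.checkserveridentity (check the javadoc of the release you use); class, method and argument names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.mail.Session;
import javax.mail.Store;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Added example: give JavaMail an explicit truststore instead of relying on javax.net.ssl.* properties. */
public final class ImapTrustStoreExample {

    /** Trust anchors from a JKS/PKCS12 file, e.g. the one keytool -importcert wrote. */
    static KeyStore fileTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** Trust anchors from the Windows root store (SunMSCAPI provider, Windows JDK only). */
    static KeyStore windowsRootStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-ROOT");
        ks.load(null, null);                                      // no file and no password for an OS store
        return ks;
    }

    /** A socket factory whose trust decisions come only from the given store; nothing global is touched. */
    static SSLSocketFactory socketFactoryFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                                     // standard PKIX path validation, no trust-all
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);             // no client key, JVM default SecureRandom
        return ctx.getSocketFactory();
    }

    /** Usage: ImapTrustStoreExample host user password [truststore.jks storepass]; without a file, Windows-ROOT is used. */
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: host user password [truststore.jks storepass]");
            return;
        }
        KeyStore trust = args.length >= 5 ? fileTrustStore(args[3], args[4].toCharArray()) : windowsRootStore();

        Properties props = new Properties();
        props.put("mail.store.protocol", "imap");
        props.put("mail.imap.starttls.enable", "true");
        props.put("mail.imap.starttls.required", "true");          // never fall back to a clear-text LOGIN
        props.put("mail.imap.ssl.socketFactory", socketFactoryFor(trust)); // also used for the STARTTLS upgrade
        // Hostname check: the name passed to connect() must match the certificate. Connecting by IP address,
        // as in the question's log, only passes if the certificate carries that IP as a subjectAltName.
        props.put("mail.imap.ssl.checkserveridentity", "true");

        Session session = Session.getInstance(props);
        session.setDebug(true);                                   // same output as the log in the question
        Store store = session.getStore("imap");
        store.connect(args[0], args[1], args[2]);
        System.out.println("connected; default folder: " + store.getDefaultFolder().getFullName());
        store.close();
    }
}
```

The exception in the question is the trust check doing its job: the server's issuer is simply not in the store being consulted. Replacing the TrustManager with one whose checkServerTrusted does nothing, a fix that circulates widely for this error, removes that check for every connection the factory makes and is not what either answer above proposes; choose a store that actually contains the CA instead.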
-2

The error is that java can't find a certificate to invoke the server in your keystore.

You are using the default keystore from java. Make sure that you put the server certificate in it.

Or you can create your keystore. Use the standard Java keytool, for example:

keytool -genkey -dname "cn=CLIENT" -alias truststorekey -keyalg RSA -keystore ./client-truststore.jks -keypass whatever -storepass whatever
keytool -import -keystore ./client-truststore.jks -file servercert.crt -alias myca
Kimberelykimberlee answered 30/3, 2016 at 23:17 Comment(1)
No, the error is that Java can't find a trusted signer for the server's certificate in the truststore; and he is using the default truststore. 'To invoke the server' is meaningless. He has already connected to the server and received its certificate.Addressee

© 2022 - 2024 — McMap. All rights reserved.