AtlasOfLivingAustralia / data-management

Data management issue tracking

IPT Scan AADC fails due to certificate issue error #654

Open patkyn opened 3 years ago

patkyn commented 3 years ago

Antarctic Division IPT Scan has been failing since Feb 19 due to the connection to the IPT for AADC https://data.aad.gov.au/ipt/.

It seems that AADC has installed a new certificate and it is failing from our side. Looking into collectory logs when IPT Scan is called, the following error is logged.

2021-02-19 13:03:07,958 INFO  [IptService] Scanning https://data.aad.gov.au/ipt/rss.do from https://data.aad.gov.au/ipt/
2021-02-19 13:03:08,134 ERROR [IptController] Problem scanning IPT endpoint: null
java.lang.reflect.UndeclaredThrowableException
        at au.org.ala.collectory.IptController.scan(IptController.groovy:59)
        at grails.plugin.cache.web.filter.PageFragmentCachingFilter.doFilter(PageFragmentCachingFilter.java:198)
        at grails.plugin.cache.web.filter.AbstractFilter.doFilter(AbstractFilter.java:63)
        at au.org.ala.cas.client.UriFilter.doFilter(UriFilter.java:199)
        at au.org.ala.web.filter.ParametersFilterProxy.doFilter(ParametersFilterProxy.java:24)
        at au.org.ala.cas.client.UriFilter.doFilter(UriFilter.java:199)
        at au.org.ala.web.filter.ParametersFilterProxy.doFilter(ParametersFilterProxy.java:24)
        at au.org.ala.cas.client.UriFilter.doFilter(UriFilter.java:199)
        at au.org.ala.web.filter.ParametersFilterProxy.doFilter(ParametersFilterProxy.java:24)
        at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
        at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
        at groovyx.net.http.HTTPBuilder.doRequest(HTTPBuilder.java:476)
        at groovyx.net.http.HTTPBuilder.get(HTTPBuilder.java:292)
        at groovyx.net.http.HTTPBuilder.get(HTTPBuilder.java:262)
        at au.org.ala.collectory.IptService.rss(IptService.groovy:179)
        at au.org.ala.collectory.IptService.scan(IptService.groovy:86)
        ... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        ... 28 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        ... 28 more
patkyn commented 3 years ago

Initial investigation shows the root cert is in our truststore. The SHA1 for the root certificate coincides with the root certificate in our trust store


koh032@aws-collections:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts | grep -B1 -i 8C:F4
Enter keystore password: 
debian:entrust_root_certification_authority_-_g2.pem, Oct 9, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
koh032@aws-collections:~$ openssl s_client -connect entrust.net:443
CONNECTED(00000003)
depth=3 C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
verify return:1
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2014 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1M
verify return:1
depth=0 C = CA, ST = Ontario, L = Kanata, jurisdictionC = CA, jurisdictionST = Ontario, O = Entrust Datacard Limited, businessCategory = Private Organization, serialNumber = 1913605, CN = www.entrust.net
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Kanata/jurisdictionC=CA/jurisdictionST=Ontario/O=Entrust Datacard Limited/businessCategory=Private Organization/serialNumber=1913605/CN=www.entrust.net
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M
 1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
 2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
---
Server certificate
subject=/C=CA/ST=Ontario/L=Kanata/jurisdictionC=CA/jurisdictionST=Ontario/O=Entrust Datacard Limited/businessCategory=Private Organization/serialNumber=1913605/CN=www.entrust.net
issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5080 bytes and written 391 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: F2A8F4C246EC69A7DB71B9CCAD35102D02ED6D2BA5B12A40EB7E51BB7EC5603F
    Session-ID-ctx: 
    Master-Key: 4B022DC05548B557834C5E04F5586AD42A14DEB1D2B5A43EADB14783D893E2807E051F12444483468393D69DFD3CE833
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1614639408
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
patkyn commented 3 years ago

Running the following test on the server itself confirms an issue with the intermediate cert. Verify return code 21.

This has been confirmed with the SSL checker, where it reported that the server chain is not complete.

This is now reverted back to Antarctic Division to have the server send back the complete cert chain.
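An added example (not part of the issue thread or the collectory code) that turns the diagnosis above into a check: it parses the "Certificate chain" section of `openssl s_client` output and walks it leaf-first the way Java's PKIX builder must, so a server that omits its intermediate is reported as incomplete even when the root is present in cacerts. The sample chains and the abbreviated Entrust DNs are constructed for the example; `TRUSTED` stands in for the subjects listed by `keytool -list`.

```python
import re

# Constructed samples in the `openssl s_client` format quoted above (DNs
# abbreviated). INCOMPLETE reproduces the AADC failure mode: the leaf is
# issued by an intermediate the server did not send.
INCOMPLETE = """\
Certificate chain
 0 s:/C=CA/O=Example Org/CN=data.example.org
   i:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1M
---
"""
COMPLETE = INCOMPLETE.replace("---\n", """\
 1 s:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1M
   i:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority - G2
---
""")
TRUSTED = {"/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority - G2"}

SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")  # " 0 s:<subject>"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")         # "   i:<issuer>"

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_section = [], None, False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of the chain section
        elif in_section and (m := SUBJECT_RE.match(line)):
            subject = m.group(1).strip()
        elif in_section and (m := ISSUER_RE.match(line)) and subject:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def check_chain(chain, trusted_roots):
    """Walk the sent chain leaf-first; return (ok, reason). Each issuer must be
    a trust anchor or the next certificate's subject, which is what Java's
    PKIX builder requires: it does not fetch missing intermediates."""
    if not chain:
        return False, "server sent no certificates"
    for i, (subject, issuer) in enumerate(chain):
        if subject in trusted_roots or issuer in trusted_roots:
            return True, f"trust anchor reached after {i + 1} certificate(s)"
        if i + 1 < len(chain) and chain[i + 1][0] == issuer:
            continue  # issuer is present as the next certificate
        return False, (f"certificate {i} is issued by '{issuer}', which the "
                       "server did not send and the truststore does not hold")
```

Feed it the real output of `openssl s_client -connect host:443` and the subject DNs from `keytool -list -v` to reproduce the check on a live endpoint; a `False` result with the root present in the truststore is the missing-intermediate case from this issue.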