Open kpostreich opened 5 years ago
need to update key.jks with new Twitter cert
I've looked into this a bit. It seems that Twitter has NOT updated their SSL certs since 2016. I grabbed the latest and tried adding it to my keystore, and it says it's already in there. If I look in my key.jks file (that I haven't touched in over a year), I see a "twitter" alias with this fingerprint:
```
twitter, Oct 15, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 24:EB:85:86:7A:98:71:85:E6:73:DF:0C:57:18:AE:50:2D:BA:0A:69
```
And if I view the SSL cert in Firefox when visiting https://api.twitter.com, I see this, showing the same fingerprint:
It's possible the issue has to do with moving up to Liberty 19.0.0.4, which is the first Liberty release that now defaults to the new industry standard PKCS12, rather than JKS - though JKS type keystores should still be supported for backward compatibility.
It's also possible I need to move up to the latest Twitter4J libraries. I see I'm using 4.0.4, but 4.0.7 is the latest.
Or it could be something in the JVM or the underlying OS (Ubuntu), like perhaps it no longer trusts the CA (DigiCert) that issued the cert.
Anyway, the problem apparently isn't as simple as just grabbing the latest cert and importing that into the keystore and that fixing it. Will need to investigate further....
I just updated things to get the latest Twitter4J from Maven Central and package that in the war. Not sure if that will fix this problem - but at least we'll be using the latest, with all of its fixes.
Oh, and I built it that way and pushed that to DockerHub (after a manual `docker pull websphere-liberty:microProfile2`, to get the latest Liberty). Can you try again with this latest image?
Yes I can test that tomorrow.
Thanks
> On May 29, 2019, at 8:33 PM, John Alcorn notifications@github.com wrote:
> Oh, and I built it that way and push that to DockerHub (after a manual docker pull websphere-liberty:microProfile2, to get the latest Liberty). Can you try again with this latest image?
I tested the notification-twitter today, and I get SSL handshake errors. Here is what I did.
I get the following trust errors that state the cert may need to be added to the trust store.
```
[INFO ] SRVE0250I: Web Module Notification has been bound to default_host.
[AUDIT ] CWWKT0016I: Web application available (default_host): http://notification-twitter-9bd7cfb49-6mkgk:9080/notification/
[INFO ] SESN0176I: A new session context will be created for application key default_host/notification
[INFO ] SESN0172I: The session manager is using the Java default SecureRandom implementation for session ID generation.
[AUDIT ] CWWKZ0001I: Application NotificationTwitter started in 12.008 seconds.
[INFO ] CWWKS9123I: For URL /* in application NotificationTwitter, the following HTTP methods are uncovered, and not accessible: GET PUT DELETE HEAD OPTIONS TRACE
[INFO ] SRVE9103I: A configuration file for a web server plugin was automatically generated for this server at /opt/ibm/wlp/output/defaultServer/logs/state/plugin-cfg.xml.
[AUDIT ] CWWKF0012I: The server installed the following features: [appSecurity-2.0, cdi-2.0, concurrent-1.0, distributedMap-1.0, jaxrs-2.1, jaxrsClient-2.1, jndi-1.0, json-1.0, jsonb-1.0, jsonp-1.1, jwt-1.0, logstashCollector-1.0, microProfile-2.2, monitor-1.0, mpConfig-1.3, mpFaultTolerance-2.0, mpHealth-1.0, mpJwt-1.1, mpMetrics-1.1, mpOpenAPI-1.1, mpOpenTracing-1.3, mpRestClient-1.2, opentracing-1.3, servlet-4.0, ssl-1.0].
[INFO ] CWWKF0008I: Feature update completed in 37.995 seconds.
[AUDIT ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 43.390 seconds.
[INFO ] Setting the server's publish address to be /
[INFO ] SRVE0242I: [NotificationTwitter] [/notification] [com.ibm.hybrid.cloud.sample.portfolio.NotificationTwitter]: Initialization successful.
[ERROR ] CWMOT0008E: OpenTracing cannot track JAX-RS requests because an OpentracingTracerFactory class was not provided.
[INFO ] FFDC1015I: An FFDC Incident has been created: "java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error com.ibm.ws.ssl.core.WSX509TrustManager checkServerTrusted" at ffdc_19.05.30_10.25.44.0.log
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=api.twitter.com, OU=lon3, O="Twitter, Inc.", L=San Francisco, ST=California, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/usr/servers/defaultServer/resources/security/key.jks, located in SSL configuration alias RpSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
[WARNING ] Unable to send tweet. Continuing without notification of change in loyalty level.
[WARNING ] twitter4j.TwitterException: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
ibmdemo@workstation:~/IBMStockTrader/notification-twitter$
```
Hi John. After the failed attempt today using the new code provided, I followed the initial process in this thread to add the Twitter cert to the notification-twitter. I rebuilt the container and pushed the updated image to my ICP repo. I then modified the deploy.yaml to pull my new image from the ICP repo. The notification-twitter now SUCCESSFULLY sends the tweet, and I get the tweet in my Twitter account. So, while adding the cert did not make sense to you, it resolves the issue. Could you follow the steps I initially provided and update GitHub and the Docker image in DockerHub?
This is a strange one. FYI, we just deployed Stock Trader to a new OpenShift 4.1 environment atop AWS, and all is working, including the tweets it sends. I did rebuild all the Stock Trader microservices atop Liberty 19.0.0.5 (and moved from commercial Liberty to Open Liberty) and pushed those images to DockerHub a couple days ago, so just in case, you may want to try that. Anyway, if you continue to experience the problem, I'm at a loss to understand why it isn't working for you, given the exact same Docker images work elsewhere, and that the Twitter cert (that hasn't changed since 2016) is clearly there already in the keystore.
These are the steps I took to add the Twitter issuer certificate to the Docker image...

1) got the cert from api.twitter.com
2) extracted the issuer cert
3) created a file named api.twitter.com.cert in the notification-twitter directory
```
cat <<'EOF' >> api.twitter.com.cert
-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
cPUeybQ=
-----END CERTIFICATE-----
EOF
```
4) imported the cert into the key.jks file
```
keytool -importcert -file ../api.twitter.com.cert -alias api.twitter.com -keystore key.jks -storepass passw0rd -storetype jks
```
5) build the Docker image and push to the ICP registry
```
mvn package
docker build -t notification-twitter .
docker tag notification-twitter:latest mycluster.icp:8500/default/notification-twitter:latest
docker push mycluster.icp:8500/default/notification-twitter:latest
```
6) deploy the service
```
kubectl create -f manifests/deploy.yaml
```
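To see which link of the api.twitter.com chain a given key.jks actually fails to trust (the keytool listing earlier in the thread shows the leaf present, while the CWPKI0022E error names the issuer as untrusted), here is an added diagnostic that is not part of the StockTrader project. It loads the keystore, reads a PEM chain saved from `openssl s_client -connect api.twitter.com:443 -showcerts`, truncates the chain at the first certificate the keystore already holds (as a JSSE X509 trust manager does) and runs the JDK's PKIX validator with the keystore's trusted entries as anchors. The class name ChainCheck, the file name chain.pem and the argument order are my assumptions; key.jks and passw0rd are the values from the steps above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical diagnostic, not part of the StockTrader project.
// Usage: java ChainCheck key.jks passw0rd chain.pem
// chain.pem holds the server's chain in PEM form, e.g. saved from
//   openssl s_client -connect api.twitter.com:443 -showcerts </dev/null
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        // Print every link with its keystore alias (null = not present), so a
        // missing issuer stands out: the Liberty error names the issuer, not the leaf
        int anchorIdx = -1;
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            String alias = ks.getCertificateAlias(c);
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    keystore alias=%s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal(), alias);
            if (alias != null && anchorIdx < 0) anchorIdx = i;
        }
        if (anchorIdx == 0) {
            System.out.println("Leaf itself is a trusted entry; no chain building needed");
            return;
        }
        // Like a JSSE trust manager, validate only the links below the first trusted one
        List<X509Certificate> path = anchorIdx > 0 ? chain.subList(0, anchorIdx) : chain;
        PKIXParameters params = new PKIXParameters(ks); // every trustedCertEntry is an anchor
        params.setRevocationEnabled(false);             // offline check; revocation is separate
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            System.out.println("Chain validates against " + args[0]);
        } catch (CertPathValidatorException e) {
            System.out.println("NOT trusted: " + e.getMessage() + " (path index " + e.getIndex() + ")");
            System.exit(1);
        }
    }
}
```

Running it once against the original key.jks and once after step 4 above shows whether the keystore trusts the leaf directly, the DigiCert intermediate, or neither, which is the distinction the CWPKI0022E message leaves open.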