OxalisCommunity / Oxalis-AS4

PEPPOL AS4 pMode plugin for Oxalis

Update certificate file throws :2023-05-22 17:17:45,828 ERROR [org.apache.wss4j.common.crypto.Merlin] [] Cannot find key for certificate in keystore of type [JKS] from provider [SUN version 1.8] with size [1] and aliases: {cert} #204

Closed bjdijk closed 1 year ago

bjdijk commented 1 year ago

When we update our certificate file with the new certificate from PEPPOL and try to run the "testbed", sending data fails. We get the message below:

2023-05-22 17:17:45,828 ERROR [org.apache.wss4j.common.crypto.Merlin] [] Cannot find key for certificate in keystore of type [JKS] from provider [SUN version 1.8] with size [1] and aliases: {cert}

We have verified the keystore, password and aliases and can also see on startup it is displaying the correct information. When we change back to the original keystore, it works (but we then have the old certificate).

We run:

version.oxalis: 5.3.0
version.java: 1.8.0_144
mode: TEST
certificate.subject: correct subject
certificate.issuer: CN=PEPPOL ACCESS POINT TEST CA - G2,OU=FOR TEST ONLY,O=OpenPEPPOL AISBL,C=BE
certificate.expired: false
build.id: 58f9b65354ae732613d51cde788b85c32133deac
build.tstamp: 12.06.2022 @ 15:17:26 UTC

Any pointers where to look for?

RichardVanMaaren commented 1 year ago

Hi @bjdijk ,

Does the reference in the oxalis.conf point to the correct keystore? Does the logging during startup tell you something more?

Best regards,

Richard

bjdijk commented 1 year ago

@RichardVanMaaren

We do not have any errors starting up as far as I can see, and the status page works correctly, displaying the correct certificate subject. The keystore is almost identical to the original one, only the certificates (and key) changed. I'm using the OpenPeppol testbed just to verify and it fails with the mentioned error.

2023-05-23 09:12:06,633 ERROR [org.apache.wss4j.common.crypto.Merlin] [] Cannot find key for certificate in keystore of type [JKS] from provider [SUN version 1.8] with size [1] and aliases: {cert}

Is there a method to get more debug on which cert it is searching for?

bjdijk commented 1 year ago

I have my doubts it is a problem on the oxalis side, since the TESTBED 2.0 (BETA) seems to work correctly with the new keystore. Very odd.

dladlk commented 1 year ago

Do you have the same instance on the same java for TESTBED 2.0?

Looks like it cannot read the key - but can find the certificate.

You can try just the usual Java remote debugging.

But one of many possible reasons for the issue: your PKCS12 uses a PBES2 cipher, and Java versions below 8u301 or 11.0.1 don't correctly handle PBES2. Either use a newer version of Java, or (re)create the PKCS12 so that it doesn't use PBES2. This is the reason if you have something like 'data isn't an object ID (tag = 48)' in a hidden stacktrace.

Link: https://stackoverflow.com/questions/70244066/keytool-error-java-io-ioexception-parsealgparameters-failed-objectidentifier#comment124176010_70244066

bjdijk commented 1 year ago

For both tests, the difference is the keystore. I do not see errors related to the keystore and it seems to be able to find the key when we test with the OpenPeppol testbed 2.0 (Beta). Maybe the original testbed keeps the key we had when we performed the initial test 2 years ago; our test suites were still there. But even after deleting them, and double-checking that we connect with the correct cert in the browser, it still does not work.

dladlk commented 1 year ago

Just to be sure: do you have the same password and key alias in the old and new keystore? If not, try to make a copy of your new keystore and change its password/key alias to be the same as in the old one (or has it expired?), so you can exclude misconfiguration.

If it works, then you have not updated all places with the new values. If it does not work, there is something in the new keystore itself. You can try to change its type from JKS to PKCS or vice versa.

But I guess you agree it is far away from the Oxalis issue itself.
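The checks suggested in this thread (is the key under the alias readable, does the key password open it, does the keystore type matter, does the new key actually belong to the new certificate) can be run outside Oxalis with plain JDK classes. The following stand-alone diagnostic is an added example, not Oxalis or WSS4J code; the file name, keystore type and passwords are command-line placeholders. It loads the keystore the same way a Java application does and reports, per alias, whether the entry is a PrivateKeyEntry or only a trustedCertEntry, whether the key password opens it, and whether a signature made with the private key verifies against the certificate stored beside it. The first line it prints mirrors the type/provider/size facts from the Merlin error message so they can be compared directly.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added diagnostic, not Oxalis or WSS4J code. Every argument is a placeholder:
//   java KeystoreCheck <keystore-file> <JKS|PKCS12> <storepass> <keypass>
// Exit code 0 means at least one alias holds a usable signing identity.
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java KeystoreCheck <keystore-file> <JKS|PKCS12> <storepass> <keypass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        char[] keyPass = args[3].toCharArray();

        // Same facts that appear in the Merlin error message.
        System.out.println("keystore type [" + ks.getType() + "] from provider [" + ks.getProvider()
                + "] with size [" + ks.size() + "]");

        int usable = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            System.out.println("alias {" + alias + "}");
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                System.out.println("  subject : " + x509.getSubjectX500Principal());
                System.out.println("  issuer  : " + x509.getIssuerX500Principal());
                System.out.println("  notAfter: " + x509.getNotAfter());
            }
            if (!ks.isKeyEntry(alias)) {
                // A trustedCertEntry carries no private key, so nothing can sign with it.
                System.out.println("  -> trustedCertEntry only, no private key under this alias");
                continue;
            }
            Key key;
            try {
                key = ks.getKey(alias, keyPass);
            } catch (UnrecoverableKeyException e) {
                System.out.println("  -> PrivateKeyEntry, but the key password does not open it");
                continue;
            }
            if (!(key instanceof PrivateKey) || cert == null) {
                System.out.println("  -> key entry without an asymmetric key or X.509 certificate");
                continue;
            }
            if (keyMatchesCertificate((PrivateKey) key, cert)) {
                System.out.println("  -> OK: private key opens and matches the stored certificate");
                usable++;
            } else {
                System.out.println("  -> MISMATCH: private key does not belong to the stored certificate");
            }
        }
        System.exit(usable > 0 ? 0 : 1);
    }

    // Sign a fixed message with the private key and verify it with the certificate's
    // public key; success proves the key and certificate form a pair.
    static boolean keyMatchesCertificate(PrivateKey key, Certificate cert) throws Exception {
        String sigAlg;
        switch (key.getAlgorithm()) {
            case "RSA": sigAlg = "SHA256withRSA"; break;
            case "EC":  sigAlg = "SHA256withECDSA"; break;
            default:
                System.out.println("  (no pairing check for key algorithm " + key.getAlgorithm() + ")");
                return true;
        }
        byte[] message = "keystore self-check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(message);
        byte[] signature = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(message);
        return verifier.verify(signature);
    }
}
```

Running it against the old and the new keystore with the same store and key passwords separates the cases discussed above: an alias reported as "trustedCertEntry only" or "key password does not open it" is a keystore or configuration problem rather than an Oxalis one, and a "MISMATCH" means the replaced certificate and private key were not imported as a pair. Running it under the same JDK that runs Oxalis also surfaces load errors such as the PBES2 handling issue mentioned earlier, since `KeyStore.load` throws them directly.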

bjdijk commented 1 year ago

I have my doubts also if it is oxalis. Is there a way to see which cert it is looking for?

aaron-kumar commented 1 year ago

@bjdijk Changing this to a discussion since it is not an issue with Oxalis.