Scout24 / restapi-java-sdk

Apache License 2.0

Certificate issue when using Is24Api #5

Closed jhiemer closed 8 years ago

jhiemer commented 9 years ago

Hi, I recently tried to run an export against the API. The OAuth authentication works smoothly. Afterwards, I put the consumer key, secret and the access token, secret into the API as follows:

    private String SANDBOX_API_URL = "http://rest.sandbox-immobilienscout24.de/restapi/api";

    private Is24Api isAIs24Api;

    public void init(String consumerKey, String secrectKey) {
        isAIs24Api = new IS24ApiImpl();
        isAIs24Api.init(consumerKey, secrectKey, SANDBOX_API_URL);
    }

    public void login(String accessToken, String tokenSecret) {
        isAIs24Api.signIn(accessToken, tokenSecret);
    ...

But when executing:

    public List<String> getRealEstateIds() {
        return isAIs24Api.getAllRealestateIds();
    }

I get the following exception. I am sure this has been working before:

java.lang.RuntimeException
    at de.is24.rest.api.export.api.impl.IS24ApiImpl.sendGetRequest(IS24ApiImpl.java:819)
    at de.is24.rest.api.export.api.impl.IS24ApiImpl.sendGetRequest(IS24ApiImpl.java:844)
    at de.is24.rest.api.export.api.impl.IS24ApiImpl.getAllRealestateIds(IS24ApiImpl.java:295)
    at de.is24.rest.api.export.api.impl.IS24ApiImpl.getAllRealestateIds(IS24ApiImpl.java:1220)
    at de.immomio.cloud.immoscout.Immoscout24.getRealEstateIds(Immoscout24.java:37)
    at de.immomio.cloud.immoscout.Immoscout24Test.test(Immoscout24Test.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1471)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:871)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at de.is24.rest.api.export.api.impl.IS24ApiImpl.sendGetRequest(IS24ApiImpl.java:799)
    ... 28 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1453)
    ... 39 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 45 more

Am I missing something?

denisneuling commented 9 years ago

Hi,

We had exactly the same issue months ago. We added some extra JVM arguments to resolve this. If it's really urgent, add the following to your JVM opts:

-Djdk.tls.allowUnsafeServerCertChange=true 
-Dsun.security.ssl.allowUnsafeRenegotiation=true

This is considered a quick fix and should be removed once the guys from is24 have fixed this.

transacid commented 9 years ago

Hey guys,

We are in the process of serving a certificate issued by a CA bundled with Java. Our current setup serves a StartSSL certificate, which unfortunately is not bundled. We will switch to a VeriSign certificate in the coming week.

Cheers, Boris

marco-hoyer commented 9 years ago

@transacid Are you sure about the StartSSL certificate not being available in the CA bundle? You usually need to combine the server certificate with the intermediate CA certificate in the case of StartSSL, since the intermediate CA is usually not available in CA bundles but the root CA is. If you serve the intermediate, the client should be able to validate the certificate.

transacid commented 9 years ago

We are serving the intermediate cert. It is widely known that Java doesn't include StartSSL.

$ openssl s_client -connect rest.sandbox-immobilienscout24.de:443
<snip>
---
Certificate chain
 0 s:/description=1E3VqALu8ntIdTtA/C=DE/ST=Berlin/L=Berlin/O=Immobilien Scout GmbH/CN=*.sandbox-immobilienscout24.de/emailAddress=webmaster@sandbox-immobilienscout24.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
</snip>
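
Added example (not part of the thread or the SDK): a Python check over the `openssl s_client` chain output quoted in the comments, telling apart the two failure modes discussed above, an intermediate the server does not send versus a root the client does not trust. `TRUSTED_ROOTS` is a constructed stand-in for the client's trust store, and the walk compares names only, not signatures.

```python
import re

# Chain output copied from the thread (before and after the certificate switch).
STARTCOM_CHAIN = """Certificate chain
 0 s:/description=1E3VqALu8ntIdTtA/C=DE/ST=Berlin/L=Berlin/O=Immobilien Scout GmbH/CN=*.sandbox-immobilienscout24.de/emailAddress=webmaster@sandbox-immobilienscout24.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
"""
SYMANTEC_CHAIN = """Certificate chain
 0 s:/C=DE/ST=Berlin/L=Berlin/O=Immobilien Scout GmbH/CN=*.sandbox-immobilienscout24.de
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
"""
# Constructed stand-in for the client's trust store (assumption: it holds the
# VeriSign G5 root and no StartCom root, as the thread describes for Java).
TRUSTED_ROOTS = {
    "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5",
}
ENTRY = re.compile(r"^\s*\d+ s:(.*)\n\s+i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in ENTRY.findall(text)]


def first_unresolved_issuer(chain, trusted_roots):
    """First issuer DN that is neither sent next by the server nor trusted (None if resolved)."""
    if not chain:
        raise ValueError("no certificates parsed from s_client output")
    for idx, (subject, issuer) in enumerate(chain):
        if subject in trusted_roots or issuer in trusted_roots:
            return None  # reached a trust anchor (name match only, no signature check)
        sent_next = chain[idx + 1][0] if idx + 1 < len(chain) else None
        if issuer != sent_next:
            return issuer  # must be served by the server or trusted by the client


def cn(dn):
    """Extract the CN component from an s_client one-line DN, for display."""
    match = re.search(r"/CN=([^/]+)", dn)
    return match.group(1) if match else dn


if __name__ == "__main__":
    for label, text in (("StartCom", STARTCOM_CHAIN), ("Symantec", SYMANTEC_CHAIN)):
        missing = first_unresolved_issuer(parse_chain(text), TRUSTED_ROOTS)
        print(label, "->", cn(missing) if missing else "path resolves")
```

For the StartCom chain the unresolved name is the root, so the gap is in the client's trust store rather than in what the server sends; dropping the second entry from the Symantec chain reproduces the missing-intermediate case instead.
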

jhiemer commented 8 years ago

Hi, is there any estimate of when this will be fixed?

transacid commented 8 years ago

Finally, after some hassle with Symantec and our load balancer, the new certificate is installed :)

$ openssl s_client -connect rest.sandbox-immobilienscout24.de:443 2>&1 |grep -A4 "Certificate chain"
Certificate chain
 0 s:/C=DE/ST=Berlin/L=Berlin/O=Immobilien Scout GmbH/CN=*.sandbox-immobilienscout24.de
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
$ openssl s_client -connect www.sandbox-immobilienscout24.de:443 2>&1 |grep -A4 "Certificate chain"
Certificate chain
 0 s:/C=DE/ST=Berlin/L=Berlin/O=Immobilien Scout GmbH/CN=*.sandbox-immobilienscout24.de
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5