Error al firmar operación con google chrome / linux ubuntu

steinkel commented 11 months ago

Versión 1.8.2 recién actualizada
Chrome Version 118.0.5993.70 (Official Build) (64-bit)
Ubuntu 22.04 LTS

Error: Ha ocurrido un error realizando la operación. (SAF_16: Error al recuperar los datos del servidor intermedio)

Traza del error:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511)
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
      at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:572)
      at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:201)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1367)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1342)
      at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:246)
      at es.gob.afirma.core.misc.http.UrlHttpManagerImpl.readUrl(UrlHttpManagerImpl.java:254)
      at es.gob.afirma.core.misc.http.UrlHttpManagerImpl.readUrl(UrlHttpManagerImpl.java:128)
      at es.gob.afirma.core.misc.http.UrlHttpManagerImpl.readUrl(UrlHttpManagerImpl.java:99)
      at es.gob.afirma.standalone.HttpManager.readUrl(HttpManager.java:37)
      at es.gob.afirma.standalone.protocol.IntermediateServerUtil.send(IntermediateServerUtil.java:82)
      at es.gob.afirma.standalone.protocol.IntermediateServerUtil.retrieveData(IntermediateServerUtil.java:72)
      at es.gob.afirma.standalone.protocol.ProtocolInvocationLauncherUtil.getDataFromRetrieveServlet(ProtocolInvocationLauncherUtil.java:64)
      at es.gob.afirma.standalone.protocol.ProtocolInvocationLauncher.launch(ProtocolInvocationLauncher.java:665)
      at es.gob.afirma.standalone.protocol.ProtocolInvocationLauncher.launch(ProtocolInvocationLauncher.java:138)
      at es.gob.afirma.standalone.SimpleAfirma.main(SimpleAfirma.java:691)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
      at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
      at java.base/sun.security.validator.Validator.validate(Validator.java:264)
      at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
      ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
      at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
      at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
      ... 32 more

Gracias,

pmorange commented 11 months ago

Hi: Same problem in macos (M1, with Sonoma installed). I have seen on internet a "solution" that consists on importing a certificate in the keystore of AutoFirma, but the keystore has a password that I don't know, so I can't proceed with the importation and therefore can't say if the solution would work...

Version 1.8.2 Brave v1.59.124 (Oct 25, 2023) MacOS Sonoma

Final error is a little different (although trace is identical):

steinkel commented 11 months ago

... meanwhile I had to use a windows environment to be able to sign some stuff. I have an old windows box for these things. I also know others used a virtualbox + windows dev environment to keep going, if that helps you @pmorange

pmorange commented 11 months ago

... meanwhile I had to use a windows environment to be able to sign some stuff. I have an old windows box for these things. I also know others used a virtualbox + windows dev environment to keep going, if that helps you @pmorange

Indeed, I had to use Windows to do what I needed to do 🤪

LucasFA commented 5 months ago

Autofirma versión 1.8.2
Mozilla Firefox 124.0.2
Pop!OS 22.04, basado en Ubuntu 22.04. Con
```
java --version
openjdk 11.0.22 2024-01-16
OpenJDK Runtime Environment (build 11.0.22+7-post-Ubuntu-0ubuntu222.04.1)
OpenJDK 64-Bit Server VM (build 11.0.22+7-post-Ubuntu-0ubuntu222.04.1, mixed mode, sharing)
```
Mi error ha salido con un SAF_11, dando un PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)

Adjunto error log:


javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511)
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
      at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:580)
      at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:201)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1367)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1342)
      at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:246)
      at es.gob.afirma.core.misc.http.UrlHttpManagerImpl.readUrl(UrlHttpManagerImpl.java:254)
      at es.gob.afirma.core.misc.http.UrlHttpManagerImpl.readUrl(UrlHttpManagerImpl.java:128)
      at es.gob.afirma.core.misc.http.UrlHttpManagerImpl.readUrl(UrlHttpManagerImpl.java:99)
      at es.gob.afirma.standalone.HttpManager.readUrl(HttpManager.java:37)
      at es.gob.afirma.standalone.protocol.IntermediateServerUtil.send(IntermediateServerUtil.java:82)
      at es.gob.afirma.standalone.protocol.IntermediateServerUtil.sendData(IntermediateServerUtil.java:58)
      at es.gob.afirma.standalone.protocol.ProtocolInvocationLauncher.sendDataToServer(ProtocolInvocationLauncher.java:927)
      at es.gob.afirma.standalone.protocol.ProtocolInvocationLauncher.launch(ProtocolInvocationLauncher.java:713)
      at es.gob.afirma.standalone.protocol.ProtocolInvocationLauncher.launch(ProtocolInvocationLauncher.java:138)
      at es.gob.afirma.standalone.SimpleAfirma.main(SimpleAfirma.java:691)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
      at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
      at java.base/sun.security.validator.Validator.validate(Validator.java:264)
      at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
      at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
      ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
      at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
      at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
      ... 32 more

jmmut commented 3 weeks ago

A mí me daba el mismo error y el workaround de este comentario me funcionó (desactivar que solo permita conectarse a sitios seguros) https://github.com/ctt-gob-es/clienteafirma/issues/321#issuecomment-1790382794 .

ctt-gob-es / clienteafirma

Error al firmar operación con google chrome / linux ubuntu #365