open-eid / digidoc4j

DigiDoc for Java. Javadoc:
http://open-eid.github.io/digidoc4j
GNU Lesser General Public License v2.1

Unable to process <TSP> POST call for service <http://tsa.sk.ee> #120

Closed indrekmae closed 1 year ago

indrekmae commented 1 year ago

It works in 5.0.0 version, but using 5.1.0 signing container throws this error, why?

naare commented 1 year ago

Hello,

We have not discovered any problems on handling timestamp request in Digidoc4j 5.1.0.

This error indicates that the timestamp service is not reachable (SK service requires IP based access). Maybe you are using some sort of proxy/firewall/different IP on your setup when testing between Digidoc4j 5.0.0 and 5.1.0 that can result in this behavior?

indrekmae commented 1 year ago

> Hello,
>
> We have not discovered any problems on handling timestamp request in Digidoc4j 5.1.0.
>
> This error indicates that the timestamp service is not reachable (SK service requires IP based access). Maybe you are using some sort of proxy/firewall/different IP on your setup when testing between Digidoc4j 5.0.0 and 5.1.0 that can result in this behavior?

Can't be, because if I'm using 5.0.0 jar, there is no problem, TSP works. same server, same network

naare commented 1 year ago

Can you provide more extensive logs? Do you have custom digidoc4j.yaml in use? Do you have custom implementations on Digidoc4j logic (your own data loader implementation for example)?

Based on current information we are not able to help you any further.

indrekmae commented 1 year ago

I'll provide logs using digidoc4j 5.0.0 and 5.1.0; the first one does successful container signing with 5.0.0, the second one, using 5.1.0, is failing. We are not using a custom digidoc4j.yaml, only the yaml which is inside the jar.

digidoc-5.0.0.log digidoc-5.1.0.log

rsarendus commented 1 year ago

Hello,

Are you using DigiDoc4j library in your application or are you executing DigiDoc4j command line utility? In the logs you provided, I can see at least one log entry that is emitted by DigiDoc4j command line utility, but the last part that performs container signing doesn't look like it's run by the command line utility.

In case DigiDoc4j library is used inside your application which catches the Unable to process <TSP> POST call for service <http://tsa.sk.ee> exception, then would it be possible to also provide the entire stack trace of that exception? I'm especially interested in the cause of the caught exception.

In case you execute DigiDoc4j command line utility, then would it be possible to use the following logback.xml file with the utility in order to obtain the stack trace of the exception:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>

  <appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
    <Target>System.out</Target>
    <encoder>
      <pattern>%d{dd.MM.yyyy HH:mm:ss.SSS} %-5p [%thread] [%logger{36}.%method:%line] - %m%n</pattern>
    </encoder>
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>INFO</level>
    </filter>
  </appender>

  <logger name="org.digidoc4j" level="INFO"/>
  <logger name="org.digidoc4j.main" level="DEBUG"/>
  <logger name="eu.europa" level="INFO"/>
  <logger name="org.digidoc4j.Configuration" level="INFO"/>
  <logger name="eu.europa.esig.dss.client.http.commons" level="INFO"/>
  <logger name="ee.sk" level="INFO"/>

  <root level="INFO">
    <appender-ref ref="stdout"/>
  </root>
</configuration>

indrekmae commented 1 year ago

We are using digidoc4j command line utility. I configured logging into DEBUG mode and attached last part of container signing log here digidoc.log

naare commented 1 year ago

Hi,

As a general remark, the Digidoc4j utility is provided as a testing tool and should not be used in production systems: https://github.com/open-eid/digidoc4j/wiki/Command-line-utility-tool

The logs you provided do not contain the info that we need. Please add a logback.xml file with the content given in the previous post next to the digidoc4j-util.jar file. We need to see what actually causes the generic error message Unable to process <TSP> POST call for service <http://tsa.sk.ee>. Here is an example stacktrace of what we want to get:

05.09.2023 11:03:43.270 ERROR [main] [org.digidoc4j.main.DigiDoc4J.main:55] - Utility error
org.digidoc4j.main.DigiDoc4JUtilityException: Failed to connect to TSP service http://tsa.sk.ee. Service is down or URL is invalid.
    at org.digidoc4j.main.DigiDoc4J.execute(DigiDoc4J.java:151)
    at org.digidoc4j.main.DigiDoc4J.run(DigiDoc4J.java:104)
    at org.digidoc4j.main.DigiDoc4J.main(DigiDoc4J.java:52)
Caused by: org.digidoc4j.exceptions.ServiceUnreachableException: Failed to connect to TSP service http://tsa.sk.ee. Service is down or URL is invalid.
    at org.digidoc4j.impl.SkDataLoader.post(SkDataLoader.java:84)
    at eu.europa.esig.dss.service.tsp.OnlineTSPSource.getTimeStampResponse(OnlineTSPSource.java:176)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT.createXAdESTimeStampType(XAdESLevelBaselineT.java:596)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT.extendSignatures(XAdESLevelBaselineT.java:225)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineLT.extendSignatures(XAdESLevelBaselineLT.java:65)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT.extendSignatures(XAdESLevelBaselineT.java:148)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT.extendSignatures(XAdESLevelBaselineT.java:83)
    at eu.europa.esig.dss.xades.signature.XAdESService.signDocument(XAdESService.java:146)
    at eu.europa.esig.dss.xades.signature.XAdESService.signDocument(XAdESService.java:167)
    at org.digidoc4j.impl.asic.xades.XadesSigningDssFacade.signDocument(XadesSigningDssFacade.java:123)
    at org.digidoc4j.impl.asic.AsicSignatureFinalizer.finalizeSignature(AsicSignatureFinalizer.java:85)
    at org.digidoc4j.impl.asic.AsicSignatureBuilder.invokeSigningProcess(AsicSignatureBuilder.java:52)
    at org.digidoc4j.SignatureBuilder.invokeSigning(SignatureBuilder.java:159)
    at org.digidoc4j.main.CommandLineExecutor.invokeSigning(CommandLineExecutor.java:511)
    at org.digidoc4j.main.CommandLineExecutor.signWithPkcs11(CommandLineExecutor.java:504)
    at org.digidoc4j.main.CommandLineExecutor.signContainer(CommandLineExecutor.java:428)
    at org.digidoc4j.main.CommandLineExecutor.processContainer(CommandLineExecutor.java:88)
    at org.digidoc4j.main.DigiDoc4J.execute(DigiDoc4J.java:141)
    ... 2 common frames omitted
Failed to connect to TSP service http://tsa.sk.ee. Service is down or URL is invalid.

indrekmae commented 1 year ago

I got such exception:

06.09.2023 08:10:59.947 INFO [main] [e.e.e.d.x.v.XAdESCertificateSource.:91] - +XAdESCertificateSource
Unable to process POST call for service http://tsa.sk.ee
    at org.digidoc4j.impl.SkDataLoader.post(SkDataLoader.java:93)
    at eu.europa.esig.dss.service.tsp.OnlineTSPSource.getTimeStampResponse(OnlineTSPSource.java:176)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT.createXAdESTimeStampType(XAdESLevelBaselineT.java:596)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT.extendSignatures(XAdESLevelBaselineT.java:225)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineLT.extendSignatures(XAdESLevelBaselineLT.java:65)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT.extendSignatures(XAdESLevelBaselineT.java:148)
    at eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT.extendSignatures(XAdESLevelBaselineT.java:83)
    at eu.europa.esig.dss.xades.signature.XAdESService.signDocument(XAdESService.java:146)
    at eu.europa.esig.dss.xades.signature.XAdESService.signDocument(XAdESService.java:167)
    at org.digidoc4j.impl.asic.xades.XadesSigningDssFacade.signDocument(XadesSigningDssFacade.java:123)
    at org.digidoc4j.impl.asic.AsicSignatureFinalizer.finalizeSignature(AsicSignatureFinalizer.java:85)
    at org.digidoc4j.DataToSign.finalize(DataToSign.java:93)
    at signer.signContainer(signer.java:204)
    at signer.main(signer.java:62)
Caused by: java.lang.IllegalArgumentException: Unable to configure the SSLContext/SSLConnectionSocketFactory
    at eu.europa.esig.dss.service.http.commons.CommonsDataLoader.getConnectionSocketFactoryHttps(CommonsDataLoader.java:1081)
    at eu.europa.esig.dss.service.http.commons.CommonsDataLoader.getConnectionManager(CommonsDataLoader.java:1028)
    at eu.europa.esig.dss.service.http.commons.CommonsDataLoader.getHttpClientBuilder(CommonsDataLoader.java:1157)
    at eu.europa.esig.dss.service.http.commons.CommonsDataLoader.getHttpClient(CommonsDataLoader.java:1171)
    at org.digidoc4j.impl.SkDataLoader.post(SkDataLoader.java:76)
    ... 13 more
Caused by: java.security.NoSuchAlgorithmException: TLSv1.3 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(Unknown Source)
    at javax.net.ssl.SSLContext.getInstance(Unknown Source)
    at org.apache.hc.core5.ssl.SSLContextBuilder.build(SSLContextBuilder.java:474)
    at eu.europa.esig.dss.service.http.commons.CommonsDataLoader.getConnectionSocketFactoryHttps(CommonsDataLoader.java:1076)
    ... 17 more
Unable to process POST call for service http://tsa.sk.ee
END signContainer

rsarendus commented 1 year ago

Hello,

It looks as if the version of Java that you are using does not support TLS version 1.3. Which Java version are you using?

TLSv1.3 support was introduced in Java version 11. Around 2020, it was also backported to Java 8, according to internet sources:

If you are using a Java 8 that is older than the listed versions, then it is highly recommended to update your Java version.

In case it is not possible to update your Java version for some reason, then you could make a copy of the digidoc4j.yaml file, replace its SSL section with the following:

SSL_PROTOCOL: TLSv1.2
SUPPORTED_SSL_PROTOCOLS:
  - TLSv1.2
SUPPORTED_SSL_CIPHER_SUITES:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

And then place the file into the same directory where your digidoc4j-util.jar is located. This should hopefully make it work with old Java 8 versions as well.
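Before editing digidoc4j.yaml it helps to confirm what the JVM itself can offer, since the exception above comes from SSLContext.getInstance("TLSv1.3") rather than from digidoc4j. The following pre-flight check is an added example built only on the JDK SSLContext API (it is not digidoc4j or DSS code); it tries TLSv1.3, falls back to TLSv1.2, and reports which of the cipher suites from the yaml snippet above the runtime cannot negotiate.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.*;

// Pre-flight check of the TLS settings digidoc4j (through DSS/HttpClient) asks the JVM for.
// Added example on the plain JDK SSLContext API; not digidoc4j code.
public class TlsPreflight {
    // Protocol and cipher suites taken from the digidoc4j.yaml snippet above.
    static final String DEFAULT_PROTOCOL = "TLSv1.3";
    static final String FALLBACK_PROTOCOL = "TLSv1.2";
    static final List<String> YAML_CIPHER_SUITES = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    // First protocol this JVM can build an SSLContext for, or null if none.
    // SSLContext.getInstance is the call that threw NoSuchAlgorithmException in the trace.
    static String firstSupportedProtocol(String... candidates) {
        for (String p : candidates) {
            try {
                SSLContext.getInstance(p);
                return p;
            } catch (NoSuchAlgorithmException e) {
                System.out.println("not available: " + e.getMessage());
            }
        }
        return null;
    }

    // Cipher suites from the wanted list that this JVM's context cannot negotiate.
    static List<String> missingCipherSuites(SSLContext ctx, List<String> wanted) {
        Set<String> supported = new HashSet<>(Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> missing = new ArrayList<>(wanted);
        missing.removeAll(supported);
        return missing;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java runtime: " + System.getProperty("java.runtime.version"));
        String protocol = firstSupportedProtocol(DEFAULT_PROTOCOL, FALLBACK_PROTOCOL);
        if (protocol == null) {
            System.out.println("Neither TLSv1.3 nor TLSv1.2 is available; update Java.");
            return;
        }
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // JDK default key and trust managers
        List<String> missing = missingCipherSuites(ctx, YAML_CIPHER_SUITES);
        System.out.println("SSL_PROTOCOL: " + protocol + (missing.isEmpty()
                ? " (all listed cipher suites supported)" : " missing suites: " + missing));
    }
}
```

On a Java 8 build that predates the TLSv1.3 backport the first line printed is the same "TLSv1.3 SSLContext not available" message seen in the stack trace, and the reported SSL_PROTOCOL value is what the yaml override should contain.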

indrekmae commented 1 year ago

OK, thank you, we will try to resolve it with a newer Java 8 and will consider whether it is possible to move to Java 11.

indrekmae commented 1 year ago

Newer Java 8 works, thank you!