openequella / openEQUELLA-admin-console-package

Project to build a stand-alone admin console (launcher) package

Launcher JDK doesn't update SSL certificates? #92

Closed phette23 closed 2 years ago

phette23 commented 2 years ago

We recently updated our SSL certificate for an oE instance at https://vault.cca.edu and it broke the admin launcher (see the error stacktrace at the bottom of this issue). After reading about certificates and Java, trying a few failed approaches, I finally figured out how to fix it:

  1. download the public cert from the website
  2. run $PATH_TO_ADMIN_LAUNCHER/jdk8u242-b08-jre/Contents/Home/bin/keytool -import -file ~/Downloads/downloaded.cer -alias $ALIAS -keystore $PATH_TO_ADMIN_LAUNCHER/jdk8u242-b08-jre/Contents/Home/lib/security/cacerts (I'm on a Mac)
  3. Enter the default keystore password "changeit" at the prompt
  4. Type "yes" at the "Trust this certificate?" prompt

Does the JVM packaged with the launcher app really not keep its certs up to date? Would I be better off rewriting the launcher shell script to point to a system JVM? If we downloaded a fresh version of the launcher, would that work? It took a fair amount of time for me to fix this certificate error and I'm not sure how to help my coworkers fix it without running the commands for each person myself; not everyone is capable of navigating the command line.

For the record, the things I tried that did not work were adding -Dcom.sun.net.ssl.checkRevocation=false to the launcher shell script (is this an outdated setting? Maybe there's a correct one under javax.net.ssl) and trying a few different settings in MacOS's Java preferences (which I assume relate to a different JVM than the app launcher's?).

Error message:

Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.tle.admin.boot.Bootstrap.run(Bootstrap.java:129)
    at com.tle.admin.boot.Bootstrap.main(Bootstrap.java:71)
Caused by: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.tle.admin.boot.Bootstrap.login(Bootstrap.java:180)
    at com.tle.admin.boot.Bootstrap.run(Bootstrap.java:112)
    ... 1 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264)
    at com.tle.core.remoting.SessionLogin.postLogin(SessionLogin.java:44)
    at com.tle.admin.boot.Bootstrap.tryLogin(Bootstrap.java:190)
    at com.tle.admin.boot.Bootstrap.login(Bootstrap.java:166)
    ... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    ... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
    ... 23 more
16693 [SwingWorker-pool-1-thread-1] INFO org.apereo.openequella.adminconsole.util.ExecUtils - Exec finished with status 1
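The four-step fix above, scripted so it can be handed to colleagues instead of typed by hand. This is an added example, not code from the openEQUELLA project or from the issue author. It assumes the macOS launcher layout named in the issue (jdk8u242-b08-jre/Contents/Home), the default cacerts password "changeit", and placeholder values for the launcher directory and keystore alias; vault.cca.edu is the host from the issue. It differs from the manual steps in one deliberate way: it pulls the chain the server actually sends and imports the last certificate in it (the issuer nearest the root) rather than the leaf, so the import survives the next renewal as long as the issuer stays the same. It also backs up the bundled cacerts before touching it and skips the import if the alias is already present.

```shell
#!/bin/sh
# Added example (not part of openEQUELLA): trust a site's issuing CA in the JRE
# bundled with the admin console launcher.
# Usage:  sh add-launcher-ca.sh [host] [alias]
# With no arguments the script only defines its functions (so it can be sourced).
set -eu

# Placeholders, not values from the issue: adjust for your install.
LAUNCHER_DIR="${LAUNCHER_DIR:-$HOME/Applications/openEQUELLA-admin-console}"
JRE_HOME="${JRE_HOME:-$LAUNCHER_DIR/jdk8u242-b08-jre/Contents/Home}"   # macOS layout from the issue
CACERTS="$JRE_HOME/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"    # default password of the JDK's cacerts

# Print the PEM certificates the server sends during the handshake, leaf first.
fetch_chain() {   # fetch_chain host port > chain.pem
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... inside directory $2 and
# print how many certificates were found. Pure awk, so it needs no openssl.
split_chain() {   # split_chain chain.pem outdir
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        n > 0                         { print > f }
        /-----END CERTIFICATE-----/   { close(f) }
        END                           { print n + 0 }
    ' "$1"
}

# Path of the last certificate in the chain: the issuer nearest the root.
# Importing this instead of the leaf means a routine renewal under the same
# issuer does not break the launcher again.
last_cert() {   # last_cert outdir count
    printf '%s/cert-%s.pem\n' "$1" "$2"
}

# keytool -list exits non-zero when the alias is not in the keystore.
is_trusted() {   # is_trusted alias
    "$JRE_HOME/bin/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" \
        -alias "$1" >/dev/null 2>&1
}

# -importcert is the same operation as the -import used in the issue;
# -noprompt answers the "Trust this certificate?" question for unattended use.
import_ca() {   # import_ca cert.pem alias
    "$JRE_HOME/bin/keytool" -importcert -noprompt -trustcacerts \
        -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$2" -file "$1"
}

main() {
    host="${1:-vault.cca.edu}"
    alias="${2:-$host-ca}"
    tmp="$(mktemp -d)"
    trap 'rm -rf "$tmp"' EXIT

    fetch_chain "$host" 443 > "$tmp/chain.pem"
    n="$(split_chain "$tmp/chain.pem" "$tmp")"
    [ "$n" -gt 0 ] || { echo "no certificates received from $host" >&2; exit 1; }

    ca="$(last_cert "$tmp" "$n")"
    echo "chain from $host has $n certificate(s); candidate to import:"
    openssl x509 -in "$ca" -noout -subject -issuer -dates

    if is_trusted "$alias"; then
        echo "alias $alias already present in $CACERTS"
    else
        cp "$CACERTS" "$CACERTS.bak"    # keep the bundled truststore recoverable
        import_ca "$ca" "$alias"
    fi
    "$JRE_HOME/bin/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$alias"
}

[ $# -eq 0 ] || main "$@"
```

If the last certificate in the served chain is itself a public root, check it against the root's published fingerprint before importing; and if the chain contains only the leaf, the server is not sending its intermediate, which is worth fixing on the server side rather than in every client's truststore.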
edalex-ian commented 2 years ago

Hi @phette23

You are correct, the certificate store bundled in the admin console package is indeed static - as it is with all Java installations. Details for updating it are located in the README.md @ https://github.com/openequella/openEQUELLA-admin-console-package#adding-root-ca-certificates

Typically the way that this is managed is to regularly update your Java installation, but obviously with a bundled approach that then becomes the responsibility of the bundle - and we're hoping to do another release soon so we'll include an update for that.

However, that said, the bundling of the JRE is just to make things simpler for people to download and use - when they don't have any custom requirements (CA certs or otherwise) and/or possibly work in an environment where they don't want Java installed on the SOE. So as to your query as to whether you could just use a local Java installation, yes that is definitely an option - but you'll obviously want to test beforehand to ensure it works with whatever Java is part of your SOE. All you'd have to do is download the package, tweak the launcher scripts to your environment, and then go with that. (You'll just need to do that each time you download an update to the package though.)

phette23 commented 2 years ago

OK that makes sense! Sorry, I missed the explanation in the readme, that would have solved my problem.