thewca / wca-workbook-assistant

Java application for processing Excel workbooks with WCA competition results for uploading them to the WCA database

SSLHandshakeException prevents downloading the database export #113

Closed jfly closed 7 years ago

jfly commented 8 years ago

On Windows 10, with Java 1.8.0_45, I get a `javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target` when the WA attempts to update its database export.

```
C:\Users\Jeremy Fleischman\Downloads>java -version
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
```

```
C:\Users\Jeremy Fleischman\Downloads>java -jar wca-workbook-assistant-2.3.jar
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at java.net.URL.openStream(Unknown Source)
    at org.worldcubeassociation.ui.UpdateWCAExportAction$UpdateWCAExportRunnable.run(UpdateWCAExportAction.java:65)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 24 more
```

jfly commented 8 years ago

Here's what I see for our certificate currently:

```
C:\Users\Jeremy Fleischman\Downloads>openssl s_client -connect www.worldcubeassociation.org:443
Loading 'screen' into random state - done
CONNECTED(000001DC)
depth=2 /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/CN=worldcubeassociation.org
   i:/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2
 1 s:/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2
   i:/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
 2 s:/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
...
```

After reading http://iam-jla.blogspot.com/2015/04/startssl-in-java.html, it sounds like Java doesn't include the StartCom/StartSSL root certificate in the `cacerts` file, so even though a web browser like Chrome will trust a certificate from StartSSL, Java will not.

I followed the instructions on https://github.com/haron/startssl-java to install the StartCom root certificate on Windows, and I can verify that the workbook assistant is working for me again.

I suspect this will be a problem for TNoodle when it hits the WCA website to check if you're using the latest version of TNoodle.
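
The comment above resolves the failure by installing the StartCom root into the JVM-wide `cacerts` file. As an added example (not code from wca-workbook-assistant or TNoodle), the following shows how an application can instead trust one extra root for its own connections only, after checking the certificate's SHA-256 fingerprint against a value obtained out of band. The class name and the three command-line arguments (PEM path, expected fingerprint, URL) are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import javax.net.ssl.*;

// Added example (hypothetical class; not wca-workbook-assistant or TNoodle code).
public class ExtraRootTrust {
    // Roots the running JVM trusts by default, i.e. the contents of its cacerts file.
    static X509Certificate[] defaultRoots() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return ((X509TrustManager) tm).getAcceptedIssuers();
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Default roots plus one extra root, accepted only if its SHA-256 fingerprint
    // matches a value obtained out of band (assumption: caller supplies it as hex).
    static SSLContext contextWithExtraRoot(String pemPath, String expectedSha256) throws Exception {
        X509Certificate extra;
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            extra = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(extra.getEncoded()))
            hex.append(String.format("%02x", b));
        if (!hex.toString().equalsIgnoreCase(expectedSha256))
            throw new CertificateException("fingerprint mismatch: " + hex);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store; cacerts on disk is not modified
        int i = 0;
        for (X509Certificate c : defaultRoots()) ks.setCertificateEntry("default-" + i++, c);
        ks.setCertificateEntry("extra-root", extra);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception { // <root.pem> <sha256-hex> <https-url>
        SSLContext ctx = contextWithExtraRoot(args[0], args[1]);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection only
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Hostname verification and the rest of PKIX validation stay at the JVM defaults; only the set of trust anchors for this one connection changes.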

jfly commented 8 years ago

I just verified that on Windows 10 without the StartSSL root certificate installed, I see the same problem with TNoodle when hitting http://localhost:2014/version.json:

```
{"error":"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\r\n\tat sun.security.ssl.Alerts.getSSLException(Unknown Source)\r\n\tat sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)\r\n\tat sun.security.ssl.Handshaker.fatalSE(Unknown Source)\r\n\tat sun.security.ssl.Handshaker.fatalSE(Unknown Source)\r\n\tat sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)\r\n\tat sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)\r\n\tat sun.security.ssl.Handshaker.processLoop(Unknown Source)\r\n\tat sun.security.ssl.Handshaker.process_record(Unknown Source)\r\n\tat sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)\r\n\tat sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)\r\n\tat sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)\r\n\tat sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)\r\n\tat sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)\r\n\tat sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)\r\n\tat sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)\r\n\tat sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)\r\n\tat sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)\r\n\tat java.net.URL.openStream(Unknown Source)\r\n\tat net.gnehzr.tnoodle.server.VersionServlet.wrappedService(VersionServlet.java:32)\r\n\tat net.gnehzr.tnoodle.server.SafeHttpServlet.service(SafeHttpServlet.java:41)\r\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:45)\r\n\tat winstone.ServletConfiguration.execute(ServletConfiguration.java:249)\r\n\tat winstone.RequestDispatcher.forward(RequestDispatcher.java:335)\r\n\tat winstone.RequestDispatcher.doFilter(RequestDispatcher.java:378)\r\n\tat net.gnehzr.tnoodle.server.HtmlInjectFilter.doFilter(HtmlInjectFilter.java:40)\r\n\tat winstone.FilterConfiguration.execute(FilterConfiguration.java:195)\r\n\tat winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)\r\n\tat org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)\r\n\tat org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)\r\n\tat org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)\r\n\tat org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)\r\n\tat winstone.FilterConfiguration.execute(FilterConfiguration.java:195)\r\n\tat winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)\r\n\tat winstone.RequestDispatcher.forward(RequestDispatcher.java:333)\r\n\tat winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)\r\n\tat winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)\r\n\tat java.lang.Thread.run(Unknown Source)\r\nCaused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\r\n\tat sun.security.validator.PKIXValidator.doBuild(Unknown Source)\r\n\tat sun.security.validator.PKIXValidator.engineValidate(Unknown Source)\r\n\tat sun.security.validator.Validator.validate(Unknown Source)\r\n\tat sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)\r\n\tat sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)\r\n\tat sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)\r\n\t... 33 more\r\nCaused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\r\n\tat sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)\r\n\tat sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)\r\n\tat java.security.cert.CertPathBuilder.build(Unknown Source)\r\n\t... 39 more\r\n"}
```

MatteoColombo commented 8 years ago

I'm reporting this because I was trying to help Gianluca generate the results for the Rome Summer Open.

Neither he nor I can download the database. We are both using Windows 10. Also, I'm using Java 1.8.0_101:

```
C:\Users\Matteo Colombo\Desktop\Cubo\WCA>java -version
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
```

jfly commented 8 years ago

Thanks for commenting, @MatteoColombo. The software team agreed that we should switch to a non-StartSSL certificate, but we haven't found anyone to actually do the work yet.

jfly commented 7 years ago

Closing this as we're no longer using StartSSL.