On Mon, 2016-02-15 at 10:54 -0500, Matt Chambers wrote:
> Hi Oleg,
> 
> Thanks for the response… I don’t know if I’m setting this up right.
> 
> Does anyone have the steps handy to have a Tomcat and HttpClient communicate 
> with each other using self signed keys?
> 
> -Matt
> 

Matt,

When it comes to SSL one _must_ know exactly what he or she is doing. 

Does the server use a self-signed cert (there is only one certificate in
the cert chain) or does it use a cert signed by a custom CA (the cert
chain consists of multiple certs)?  

When configured to use TrustSelfSignedStrategy HttpClient will accept
the former but will reject the latter unless explicitly set up to trust
the custom CA. 

So, what is it you are trying to do? 

You might also want to run your app with SSL debugging turned on and find
out why the SSL security provider rejects the server creds presented during
the SSL session handshake.

Oleg 

> > On Feb 15, 2016, at 5:47 AM, Oleg Kalnichevski <ol...@apache.org> wrote:
> > 
> > On Fri, 2016-02-12 at 17:53 -0500, Matt Chambers wrote:
> >> I’m not sure if I’m daft or just missing something super obvious, but I’ve 
> >> been trying to set up HttpClient to connect to a Spring Boot server using a self 
> >> signed cert, pretty much all day.   Works fine via Chrome, Python’s 
> >> ‘requests’ module, and Objective-C but no matter what I do, this exception 
> >> haunts me.
> >> 
> > 
> > Are you sure the server authenticates with a self-signed certificate (no
> > CA) and not with a certificate signed by a non-standard CA?
> > 
> > Oleg
> > 
> >> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >>    at com.zorroa.archivist.sdk.client.ExceptionTranslator.translate(ExceptionTranslator.java:9) ~[archivist-sdk-0.17.0.jar:na]
> >>    at com.zorroa.archivist.sdk.client.Http.post(Http.java:39) ~[archivist-sdk-0.17.0.jar:na]
> >>    at com.zorroa.archivist.sdk.client.archivist.ArchivistClient.registerAnalyst(ArchivistClient.java:57) ~[archivist-sdk-0.17.0.jar:na]
> >>    at com.zorroa.analyst.service.RegisterServiceImpl.runOneIteration(RegisterServiceImpl.java:45) ~[classes/:na]
> >>    at com.google.common.util.concurrent.AbstractScheduledService$1$1.run(AbstractScheduledService.java:174) [guava-18.0.jar:na]
> >>    at com.google.common.util.concurrent.Callables$3.run(Callables.java:95) [guava-18.0.jar:na]
> >>    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_65]
> >>    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [na:1.8.0_65]
> >>    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_65]
> >>    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [na:1.8.0_65]
> >>    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_65]
> >>    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_65]
> >>    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_65]
> >> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >> 
> >> I’ve basically tried 1000 different combinations of HttpClient setup and 
> >> versions, but this is how I’m setting it up currently:
> >> 
> >> this.client = HttpClients.custom()
> >>        .setConnectionManager(new PoolingHttpClientConnectionManager())
> >>        .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom()
> >>                .loadTrustMaterial(null, new TrustSelfSignedStrategy())
> >>                .build()))
> >>        .setSSLHostnameVerifier(new NoopHostnameVerifier())
> >>        .build();
> >> 
> >> Any help would be greatly appreciated.  
> >> 
> >> -Matt
> >> 
> > 



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
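Oleg's distinction above (a self-signed cert is a chain of one; a cert issued by a custom CA is a longer chain that TrustSelfSignedStrategy will not accept) can be checked, and the usual fix applied, with a small helper like the following. This is an added example, not code from Oleg, Matt or the HttpClient project; it assumes HttpClient 4.4 / HttpCore 4.4 (SSLContexts and TrustStrategy live in org.apache.http.ssl, DefaultHostnameVerifier in org.apache.http.conn.ssl) and a certificate file exported from the dev server. The class name ExplicitTrustClient and the PATH_TO_EXPORTED_CERT_PEM placeholder are mine.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

/** Hypothetical helper (not part of HttpClient): trust exactly the dev server's cert or CA. */
public class ExplicitTrustClient {

    /** Parse every certificate in a PEM file (server cert alone, or server cert followed by its CA chain). */
    static List<X509Certificate> readPem(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /** Answers Oleg's question: self-signed leaf (chain of one) or a custom-CA chain? */
    static String describeChain(List<X509Certificate> chain) {
        X509Certificate leaf = chain.get(0);
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        if (chain.size() == 1 && selfSigned) {
            return "self-signed: TrustSelfSignedStrategy would accept this chain of one";
        }
        return "CA-signed chain of " + chain.size() + " (issuer: " + leaf.getIssuerX500Principal()
                + "); TrustSelfSignedStrategy rejects it, so the CA must be in the trust store";
    }

    /** Build an in-memory trust store holding exactly the certificates from the file. */
    static KeyStore trustStoreFrom(List<X509Certificate> certs) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty: the JRE cacerts are deliberately not included
        for (int i = 0; i < certs.size(); i++) {
            ks.setCertificateEntry("trusted-" + i, certs.get(i));
        }
        return ks;
    }

    /** Client that validates the server chain against our store with normal PKIX rules. */
    static CloseableHttpClient build(String pemPath) throws Exception {
        List<X509Certificate> certs = readPem(pemPath);
        System.out.println(describeChain(certs));
        SSLContext ctx = SSLContexts.custom()
                // no TrustStrategy: standard path validation against the explicit store
                .loadTrustMaterial(trustStoreFrom(certs), null)
                .build();
        return HttpClients.custom()
                // DefaultHostnameVerifier keeps hostname checking; NoopHostnameVerifier would switch it off
                .setSSLSocketFactory(new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier()))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // PATH_TO_EXPORTED_CERT_PEM is a placeholder for the certificate file exported from the dev server
        String pem = args.length > 0 ? args[0] : "PATH_TO_EXPORTED_CERT_PEM";
        try (CloseableHttpClient client = build(pem)) {
            System.out.println("client built with explicit trust store");
        }
    }
}
```

If describeChain reports a CA-signed chain, put the issuing CA certificate (not the leaf) in the PEM file so that certificate rotation on the server does not break the client; the hostname in the request must then match the cert's subject alternative name, which is exactly what NoopHostnameVerifier was hiding. For the SSL debugging Oleg suggests, running the JVM with -Djavax.net.debug=ssl:handshake prints the chain the server actually sends, which is the quickest way to see whether it is one certificate or several.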
