Dear Loai,

Your client can't verify (doesn't trust) the certificate (chain) of the target. 
Either the target's certificate is not an "official" one (e.g. self-signed) or your 
client's JVM certificate trust chain is not up to date.

If you like, I may send you a small Java command-line tool to check the 
verification chain and/or add exceptions to the local trust store in case of 
self-signed certificates.

Guido


>-----Original Message-----
>From: Loai Abdallatif [mailto:loai.abdalla...@gmail.com]
>Sent: Thursday, September 27, 2018 4:52 PM
>To: Tomcat Users List <users@tomcat.apache.org>
>Subject: Re: SSL on Tomcat
>
>Hello, shall I add the certificate to server.xml on the Tomcat server or just on 
>the Webserver?
>
>
>On Thu, Sep 27, 2018 at 5:50 PM, Loai Abdallatif <loai.abdalla...@gmail.com 
><mailto:loai.abdalla...@gmail.com> > wrote:
>
>
>       Hello,
>
>       I have set Apache Load Balancer (ModJK) with Server IP 192.168.1.120 
>(Webserver01.epsilon.test), which forwards the traffic to the Tomcat server 
>192.168.1.111 (appserver01.epsilon.test).
>
>
>       Each Tomcat server has three workers (0, 1, 2).
>
>       I deployed Central Authentication Service (CAS) on Worker0 and it is 
>working with a warning related to the SSL certificate. I have another 
>application on this worker0 called ServiceCatalog; unfortunately it didn't 
>work and gave the error below:
>
>       ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>       javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>               at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>               at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
>               at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>               at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>               at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>               at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>               at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>               at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>               at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>               at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>               at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>               at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>               at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>               at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>               at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
>               at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>               at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
>               at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
>               at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
>               at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
>               at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:157)
>               at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:142)
>
>
>
