On Sat, Aug 8, 2020, 13:59 David Filip <dfi...@colornet.com> wrote:

> Hello Everyone!
>
> I spent a large part of yesterday and this morning trying to debug an SSL
> problem on Tomcat 8.5.57 to no avail.  I've seen some discussion on either
> this problem or something related back in 2016, but wanted to confirm what
> the "correct" solution might be, because I got lost in the threads.
>
> I never had this problem with Tomcat 7.0.x, but it started once I upgraded
> to 8.5.57 (same application code), and it is related to making outgoing SSL
> connections to web services.  And this is NOT related to a self-signed, but
> to a commercial (GoDaddy) SSL certificate, albeit on a server that I also
> run in the cloud.
>
> The exception that is thrown when trying to connect to an SSL-protected
> web service is:
>
>     sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> although the exact same code worked (and still works on other servers)
> reliably under Tomcat 7.0.x for several years.
>
> Now, here is the weird part: after Google'ing around, I thought the
> problem might be that Tomcat 8.5.5 and later -- at least this is the gist
> that I got -- no longer finds the 'default' Java certificate store
> (cacerts), so I added the following to /bin/catalina.sh (running on a Mac
> 10.14 / Mojave):
>
>     export
> -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts
>
> The weird part is that this appeared to fix the problem, so I thought I
> was done.  Then, I rebooted, and the problem re-appeared!
>
> I stopped and started Tomcat, and the problem was resolved again.  I
> rebooted again, and the problem re-appeared.
>



When you "stopped and started Tomcat", how did you restart it?  At the command
line using one of the Tomcat shell scripts?

My thought is, "whatever" fires up Tomcat after an iOS system reboot - that
startup process does not call catalina.sh.

But when you start Tomcat manually, using catalina.sh or startup.sh (which
calls catalina.sh), it works because the Java option is being set.



> Previously, when it worked, I refreshed the page several times, and it kept
> working.  When it doesn't work, if I keep refreshing the page, it continues
> to throw the exception.
>
> Does this mean that some "worker threads" can find the certificate store,
> and others can't?  Or am I going down the wrong rabbit hole?
>
> So, any idea?  The intermittent nature is driving me crazy!
>
> And I can reproduce the problem on two separate servers (both Mac
> 10.14 / Mojave, both Java 1.8.0), one (new server) running 8.5.57 and one
> (slightly older server) running 8.5.35.  But again, I have several 7.0.x
> instances where I've never seen this problem before.
>
> Also, the generic 'SSLPoke' always connects to the service, and it appears
> that if I run (mostly) the same code from the command line outside of
> Tomcat (javac / java) it always works.  And if I paste the web service URL
> into Safari or Chrome, it always works.  And if I use the web service URL
> with curl (just for good measure), it always works.  So it only seems to
> fall under Tomcat 8.5.x.
>
> Thanks in advance for any guidance, as I'm running out of things to Google
> and try.
>
