AnsweredAssumed Answered

SSL Keystore issue

Question asked by chrisokelly on Aug 17, 2012
Latest reply on Aug 20, 2012 by chrisokelly
Hi Guys,
Last night the certificate in our ssl.keystore expired, so this morning I have been trying to recreate it. We would like to use our own, CA-signed certificate, however i am also trying with just the plain Alfresco CA also (when I couldn't get it to work). Prior to the certificates expiring the site was working fine.
using the Alfresco CA we have simply followed the steps exactly in CreateSSLKeystores.txt. I create the keystores in alf_data/keystore, which is the location pointed to in alfresco-global.properties. When we try using our own certificate I simply copy our files to ca.crt and ca.key in the directory then follow the same steps, after which I also import the digiCert root CA into ssl.truststore.
When the server starts up, I see the following in catalina.out:
 2012-08-17 12:44:41,263  ERROR [web.context.ContextLoader] [main] Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'twitterDeliveryChannelType' defined in URL [file:/opt/alfresco-4.0.d/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/twitter-publishing-context.xml]: Cannot create inner bean 'org.springframework.social.twitter.connect.TwitterConnectionFactory#18287811' of type [org.springframework.social.twitter.connect.TwitterConnectionFactory] while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.social.twitter.connect.TwitterConnectionFactory#18287811' defined in URL [file:/opt/alfresco-4.0.d/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/twitter-publishing-context.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.social.twitter.connect.TwitterConnectionFactory]: Constructor threw exception; nested exception is java.lang.IllegalStateException: Failure initializing default SSL context
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:120)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1325)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1086)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:580)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
        at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
        at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:63)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4135)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4630)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:637)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:563)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:498)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.social.twitter.connect.TwitterConnectionFactory#18287811' defined in URL [file:/opt/alfresco-4.0.d/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/twitter-publishing-context.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.social.twitter.connect.TwitterConnectionFactory]: Constructor threw exception; nested exception is java.lang.IllegalStateException: Failure initializing default SSL context
        at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:288)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1003)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:907)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:270)
        … 40 more
Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.springframework.social.twitter.connect.TwitterConnectionFactory]: Constructor threw exception; nested exception is java.lang.IllegalStateException: Failure initializing default SSL context
        at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:141)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:108)
        at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:280)
        … 45 more
Caused by: java.lang.IllegalStateException: Failure initializing default SSL context
        at org.apache.http.conn.ssl.SSLSocketFactory.createDefaultSSLContext(SSLSocketFactory.java:211)
        at org.apache.http.conn.ssl.SSLSocketFactory.<init>(SSLSocketFactory.java:333)
        at org.apache.http.conn.ssl.SSLSocketFactory.getSocketFactory(SSLSocketFactory.java:165)
        at org.springframework.social.support.HttpComponentsClientHttpRequestFactory$HttpComponentsClient_4_1.getInstance(HttpComponentsClientHttpRequestFactory.java:185)
        at org.springframework.social.support.HttpComponentsClientHttpRequestFactory.<init>(HttpComponentsClientHttpRequestFactory.java:79)
        at org.springframework.social.support.ClientHttpRequestFactorySelector$HttpComponentsClientRequestFactoryCreator$1.<init>(ClientHttpRequestFactorySelector.java:68)
        at org.springframework.social.support.ClientHttpRequestFactorySelector$HttpComponentsClientRequestFactoryCreator.createRequestFactory(ClientHttpRequestFactorySelector.java:68)
        at org.springframework.social.support.ClientHttpRequestFactorySelector.getRequestFactory(ClientHttpRequestFactorySelector.java:44)
        at org.springframework.social.oauth1.OAuth1Template.createRestTemplate(OAuth1Template.java:169)
        at org.springframework.social.oauth1.OAuth1Template.<init>(OAuth1Template.java:92)
        at org.springframework.social.oauth1.OAuth1Template.<init>(OAuth1Template.java:76)
        at org.springframework.social.twitter.connect.TwitterServiceProvider.<init>(TwitterServiceProvider.java:31)
        at org.springframework.social.twitter.connect.TwitterConnectionFactory.<init>(TwitterConnectionFactory.java:28)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:126)
        … 47 more
Caused by: java.security.KeyStoreException: problem accessing trust storejava.io.IOException: Invalid keystore format
        at com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:55)
        at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:230)
        at org.apache.http.conn.ssl.SSLSocketFactory.createSSLContext(SSLSocketFactory.java:190)
        at org.apache.http.conn.ssl.SSLSocketFactory.createDefaultSSLContext(SSLSocketFactory.java:209)
        … 64 more

…Other lines we see in a normal startup…

…After server finished starting:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at java.io.BufferedOutputStream.write(BufferedOutputStream.java:104)
        at java.io.FilterOutputStream.write(FilterOutputStream.java:80)
        at org.apache.commons.httpclient.methods.ByteArrayRequestEntity.writeRequest(ByteArrayRequestEntity.java:90)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at org.alfresco.httpclient.AbstractHttpClient.executeMethod(AbstractHttpClient.java:110)
        at org.alfresco.httpclient.AbstractHttpClient.sendRemoteRequest(AbstractHttpClient.java:86)
        at org.alfresco.httpclient.HttpClientFactory$HttpsClient.sendRequest(HttpClientFactory.java:307)
        at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1007)
        at org.alfresco.solr.tracker.CoreTracker.trackModels(CoreTracker.java:1630)
        at org.alfresco.solr.tracker.CoreTracker.trackRepository(CoreTracker.java:1134)
        at org.alfresco.solr.tracker.CoreTracker.updateIndex(CoreTracker.java:491)
        at org.alfresco.solr.tracker.CoreTrackerJob.execute(CoreTrackerJob.java:45)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
        … 28 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
        … 34 more

The initial error refers to the trust store being in an incorrect format, which I do not understand. In alfresco-global.properties:
###SSL Cert Directory definition
alfresco.encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
alfresco.encryption.ssl.keystore.provider=SunJCE
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-passwords.properties

alfresco.encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
alfresco.encryption.ssl.truststore.provider=SunJCE
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties

###End SSL Cert Directory Definition

the truststore.type is set as JCEKS, and in the truststore file itself:
/opt/alfresco-4.0.d/alf_data/keystore$ sudo keytool -list -v -keystore ssl.truststore -storetype JCEKS
Enter keystore password:

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries…

I would very much appreciate some help, as I have no clue where all this leads me. The most I can figure out is that the exception seems identical to what I get when I try to view the keystore without specifying the -storetype, such as:
/opt/alfresco-4.0.d/alf_data/keystore$ sudo keytool -list -v -keystore ssl.truststore
keytool error: java.io.IOException: Invalid keystore format
java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1201)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:647)
        at sun.security.tools.KeyTool.run(KeyTool.java:194)
        at sun.security.tools.KeyTool.main(KeyTool.java:188)

Edit:
A little more info - I no longer see the twitter channel issue in catalina.out while starting, but once started we see a repetition of
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at java.io.BufferedOutputStream.write(BufferedOutputStream.java:104)
        at java.io.FilterOutputStream.write(FilterOutputStream.java:80)
        at org.apache.commons.httpclient.methods.ByteArrayRequestEntity.writeRequest(ByteArrayRequestEntity.java:90)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at org.alfresco.httpclient.AbstractHttpClient.executeMethod(AbstractHttpClient.java:110)
        at org.alfresco.httpclient.AbstractHttpClient.sendRemoteRequest(AbstractHttpClient.java:86)
        at org.alfresco.httpclient.HttpClientFactory$HttpsClient.sendRequest(HttpClientFactory.java:307)
        at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1007)
        at org.alfresco.solr.tracker.CoreTracker.trackModels(CoreTracker.java:1630)
        at org.alfresco.solr.tracker.CoreTracker.trackRepository(CoreTracker.java:1134)
        at org.alfresco.solr.tracker.CoreTracker.updateIndex(CoreTracker.java:491)
        at org.alfresco.solr.tracker.CoreTrackerJob.execute(CoreTrackerJob.java:45)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
        … 28 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
        … 34 more

/alfresco and share are accessible but these error messages continue appearing, so I assume that the site is not indexing.

Outcomes