AnsweredAssumed Answered

Why Can't validate certificate chain JBoss AS 7.1 with APR?

Question asked by camillelola on Aug 11, 2018

I am new to JBoss. I am trying to get HTTPS working with JBoss AS 7.1, using the web-native connector with (APR) Apache Portable Runtime based.

This is my configuration:

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="true">
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="ssl" certificate-key-file="/home/appserver/" protocol="TLSv1" certificate-file="/home/appserver/foobar.pem"/>
<virtual-server name="default-host" enable-welcome-root="false">
<alias name="localhost"/>
<alias name=""/>

And I created the PEM file by appending first the Server cert, then the two intermediate certs and finally the root cert. The CA is Comodo.

I put the key and the pem into the above-configured folder. Now, the strange thing is, that it works perfectly fine in the browser. A connection is secure and all. BUT it won't work anymore from our Android App, which accesses our API. I get the Exception:

SSLHandshakeException: Trust anchor for certification path not found

 According to the Android docs, that could be bc. of a missing intermediate cert. But I did add both of them.

I tried getting some info via openssl, with openssl s_client -showcerts -connect and I get:

depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

...some more output... and finally:

Verify return code: 21 (unable to verify the first certificate)

So it fails already at depth 0? I can't figure this out. There is lot's of documentation using JSSE and the java keytool based approach, but using the native connector/APR, an OpenSSL/PEM cert approach is needed and it's much harder to find information on that.


Thanks & Regards