One of the questions we ask our clients initiating an engagement to help them setup external authentication from our LMS to their server is, “What is the certificate authority for your SSL certificate?” We have been burned by people purchasing certificates from authorities Java does not support. (And the support is indeed limited compared to say, Mozilla.)
We were given the name of an intermediate certificate which set off warning klaxons. There are none of these in the cacerts file, the list of root CAs Java uses.
So the clients setup to test. Failures. The error:
javax.naming.CommunicationException: hostname.domain.tld:port [Root exception is javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
From what I was able to find, the error meant the certificate was not understood. Framed into thinking the intermediate CA was the cause I started looking at how to make it work. The two potential routes were get the client to add the intermediate CA to their server or test ways to complete the chain by adding the intermediate to my client.
Amy suggested looking at the certificate on the foreign server by connecting with openssl to get a better idea where it said there was a problem. The command looks like:
openssl s_client -connect hostname:port
The return was pretty clear that it could not understand or trust a self-signed certificate. The “i:” in the last line below is the Issuer. This made it clear the certificate was not signed by the intermediate CA we were told. It was a self-signed certificate. Doh!
depth=0 /CN=hostname.domain.tld verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=hostname.domain.tld verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=hostname.domain.tld verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=hostname.domain.tld i:/DC=tld/DC=domain/CN=domain-NAME-CA
It is clear I need to make checking the certificate on the foreign host part of the standard practice. Did some spot checking of previous setups to test against LDAP and every one has a good certificate chain.