Invalid HTTPS certificate #5282

openstreetmap-trac · 2021-07-23T12:13:17Z

Reporter: don-vip
[Submitted to the original trac issue database at 7.13pm, Friday, 20th February 2015]

Something has changed today on the HTTPS certificate used by the OSM API, and it is no more possible to access it with JOSM and latest version of Java (8u31):

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:957)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:892)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
	at org.openstreetmap.josm.io.OsmServerReader.getInputStreamRaw(OsmServerReader.java:158)
	... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
	... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 30 more

Looking at https://api.openstreetmap.org with Chrome, I have a similar warning as well, about untrust certificate.

The text was updated successfully, but these errors were encountered:

openstreetmap-trac · 2021-07-23T20:13:06Z

Author: don-vip
[Added to the original trac issue at 10.44pm, Sunday, 22nd February 2015]

By the way, http://api06.dev.openstreetmap.org/api/capabilities does not respond since several days: has the test API been shut down?

openstreetmap-trac · 2021-07-23T20:13:08Z

Author: TomH
[Added to the original trac issue at 10.56pm, Sunday, 22nd February 2015]

We have reverted to the old certificate for now, but JOSM really needs to find a way to trust the StartCom root certificate (it already does on Fedora, where Java uses the mozilla cert bundle rather than the java default one).

The dev server is down this weekend due to a scheduled power outage at one of our hosting sites.

openstreetmap-trac · 2021-07-23T20:13:11Z

Author: don-vip
[Added to the original trac issue at 11.27pm, Sunday, 22nd February 2015]

Replying to [comment:2 TomH]:

JOSM really needs to find a way to trust the StartCom root certificate

not so easy! it requires root privileges. On Windows installing a root CA displays a very scary popup. Besides it would require a new version of JOSM, leaving in the wild all older clients.

We wouldn't have switched to HTTPS by default if we were expecting that you switch to an unknown Root CA. Why don't you stay with your current provider?

openstreetmap-trac · 2021-07-23T20:13:13Z

Author: don-vip
[Added to the original trac issue at 11.53pm, Sunday, 22nd February 2015]

ok found the original ticket: openstreetmap/operations#2 we can discuss there if you want

openstreetmap-trac · 2021-07-23T20:13:16Z

Author: TomH
[Added to the original trac issue at 12.00am, Monday, 23rd February 2015]

It needs root perms to install into the system store, but presumably JOSM could add to the local bundle that it is using?

You'd need to ask Grant why we switched but I think the main reason is that we could get certs that covered a wider range of domains and at lower cost. It's a provider that is recognised by all the main browsers - we just hadn't realised that Java didn't recognise it.

openstreetmap-trac · 2021-07-23T20:13:18Z

Author: TomH
[Added to the original trac issue at 12.17am, Monday, 23rd February 2015]

So far http://nelenkov.blogspot.co.uk/2011/12/using-custom-certificate-trust-store-on.html is the best resource I have found on how to create a customer TrustManager that trusts extra certificates while mostly deferring to the system store.

It looks like there are extra complications depending on what https client(s) are being used though as you have to persuade them to use the custom TrustManager.

openstreetmap-trac added Component: admin Priority: critical Resolution: fixed Type: defect labels Jul 23, 2021

openstreetmap-trac self-assigned this Jul 23, 2021

openstreetmap-trac closed this as completed Jul 23, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Invalid HTTPS certificate #5282

Invalid HTTPS certificate #5282

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

Navigation Menu

Invalid HTTPS certificate #5282

Invalid HTTPS certificate #5282

Comments

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021

openstreetmap-trac commented Jul 23, 2021