Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#5284 closed defect (fixed)

Invalid HTTPS certificate

Reported by: don-vip Owned by: rails-dev@…
Priority: critical Milestone:
Component: admin Version:
Keywords: https Cc: bastik

Description

Something has changed today on the HTTPS certificate used by the OSM API, and it is no longer possible to access it with JOSM and the latest version of Java (8u31):

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:957)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:892)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
	at org.openstreetmap.josm.io.OsmServerReader.getInputStreamRaw(OsmServerReader.java:158)
	... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
	... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 30 more

Looking at https://api.openstreetmap.org with Chrome, I have a similar warning as well, about an untrusted certificate.

Change History (8)

comment:1 Changed 5 years ago by don-vip

By the way, http://api06.dev.openstreetmap.org/api/capabilities does not respond since several days: has the test API been shut down?

comment:2 Changed 5 years ago by Tom Hughes

Resolution: fixed
Status: new → closed

We have reverted to the old certificate for now, but JOSM really needs to find a way to trust the StartCom root certificate (it already does on Fedora, where Java uses the Mozilla cert bundle rather than the Java default one).

The dev server is down this weekend due to a scheduled power outage at one of our hosting sites.

comment:3 Changed 5 years ago by Tom Hughes

Component: website → admin

comment:4 in reply to: 2 Changed 5 years ago by don-vip

Replying to TomH:

JOSM really needs to find a way to trust the StartCom root certificate

Not so easy! It requires root privileges. On Windows, installing a root CA displays a very scary popup. Besides, it would require a new version of JOSM, leaving all older clients in the wild.

We wouldn't have switched to HTTPS by default if we were expecting that you switch to an unknown Root CA. Why don't you stay with your current provider?

comment:5 Changed 5 years ago by don-vip

OK, found the original ticket: https://github.com/openstreetmap/operations/issues/2 (we can discuss there if you want).

comment:6 Changed 5 years ago by Tom Hughes

It needs root perms to install into the system store, but presumably JOSM could add to the local bundle that it is using?

You'd need to ask Grant why we switched, but I think the main reason is that we could get certs that covered a wider range of domains at lower cost. It's a provider that is recognised by all the main browsers; we just hadn't realised that Java didn't recognise it.

comment:7 Changed 5 years ago by Tom Hughes

So far http://nelenkov.blogspot.co.uk/2011/12/using-custom-certificate-trust-store-on.html is the best resource I have found on how to create a custom TrustManager that trusts extra certificates while mostly deferring to the system store.

It looks like there are extra complications depending on what HTTPS client(s) are being used, though, as you have to persuade them to use the custom TrustManager.
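
One shape of the "custom TrustManager that mostly defers to the system store" described above, as an added example (not JOSM's code and not the code from the linked blog post): the class name and the `install` helper are assumptions, and the extra root is read from a stream the caller supplies. It widens trust only by the specific roots loaded into the extra store; every server chain still gets full PKIX path validation by one of the two managers.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import javax.net.ssl.*;

/** Accepts a server chain if the JVM default trust store OR a small extra store of pinned roots accepts it. */
public final class CompositeTrustManager implements X509TrustManager {
    private final X509TrustManager defaultTm;   // JVM cacerts (or the distro bundle, as on Fedora)
    private final X509TrustManager extraTm;     // roots shipped with the application (hypothetical store)

    public CompositeTrustManager(KeyStore extraStore) throws Exception {
        this.defaultTm = firstX509(null);
        this.extraTm = firstX509(extraStore);
    }
    private static X509TrustManager firstX509(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                    // null keystore -> the platform default store
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            defaultTm.checkServerTrusted(chain, authType);   // full PKIX validation against the system store
        } catch (CertificateException rejectedByDefault) {
            extraTm.checkServerTrusted(chain, authType);     // same validation against the extra roots; throws if both reject
        }
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaultTm.checkClientTrusted(chain, authType);       // client-auth trust is not extended
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] a = defaultTm.getAcceptedIssuers(), b = extraTm.getAcceptedIssuers();
        X509Certificate[] all = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, all, a.length, b.length);
        return all;
    }
    /** Loads one PEM or DER root into an in-memory store and installs the composite manager for HttpsURLConnection. */
    public static void install(InputStream extraRootCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = (X509Certificate) cf.generateCertificate(extraRootCert);
        KeyStore extra = KeyStore.getInstance(KeyStore.getDefaultType());
        extra.load(null, null);                              // empty, in memory: no system store, no root privileges
        extra.setCertificateEntry("extra-root", root);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new CompositeTrustManager(extra) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

As noted above, this only wires the manager into HttpsURLConnection (the client in the description's stack trace); any other HTTPS client in use has to be handed the same SSLContext explicitly.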

comment:8 Changed 5 years ago by bastik

Cc: bastik added