Cert Error: "Can't find root certificate in chain"

Dathan Pattishall
Added almost 4 years ago

I am getting this error

2015-01-27 16:01:59.741 [main]             SSLContextContainer.init()         WARNING:  Cannot load certficate from file: certs/shots.com.pem
java.lang.RuntimeException: Can't find root certificate in chain!
  at tigase.cert.CertificateUtil.sort(CertificateUtil.java:665)
  at tigase.cert.CertificateUtil.sort(CertificateUtil.java:651)
  at tigase.io.SSLContextContainer.addCertificateEntry(SSLContextContainer.java:199)
  at tigase.io.SSLContextContainer.init(SSLContextContainer.java:421)
  at tigase.io.TLSUtil.configureSSLContext(TLSUtil.java:86)
  at tigase.conf.ConfiguratorAbstract.setProperties(ConfiguratorAbstract.java:848)
  at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:580)
  at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:183)
  at tigase.conf.Configurator.componentAdded(Configurator.java:50)
  at tigase.conf.Configurator.componentAdded(Configurator.java:33)
  at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
  at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:131)
  at tigase.server.MessageRouter.setConfig(MessageRouter.java:700)
  at tigase.server.XMPPServer.start(XMPPServer.java:142)
  at tigase.server.XMPPServer.main(XMPPServer.java:112)

Yet the output from

java -cp jars/tigase-server.jar tigase.cert.CertificateUtil --load-cert certs/shots.com.pem.bak

https://gist.github.com/dathan/585de7f4b313d2bc5975

shows that the CertificateUtil class can read it. Is this error something else? Is there another root certificate?

I normally would put this on the forums but I don’t want my cert getting out there.

Also I read this:

https://projects.tigase.org/issues/2232

https://projects.tigase.org/boards/15/topics/1166

I don't think they apply to me.

Also, here is the text of the bundle cert I put together:

openssl x509 -in certs/shots.com.pem.bak -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0e:a0:c6:79:0c:24:ff:e8:a7:bc:59:1c:e6:80:d2:95
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Jun 14 00:00:00 2014 GMT
            Not After : Jun 21 12:00:00 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Shots Mobile, Inc., CN=*.shots.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    **OMIT**
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:*OMIT*

            X509v3 Subject Key Identifier: 
                2C:CF:35:42:53:07:F0:17:9F:67:03:AC:CA:11:BB:58:23:E7:AE:E3
            X509v3 Subject Alternative Name: 
                DNS:*.shots.com, DNS:shots.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 
                URI:http://crl3.digicert.com/ssca-sha2-g2.crl
                URI:http://crl4.digicert.com/ssca-sha2-g2.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
        **OMIT**

What am I doing wrong? Do I need some sort of other root cert?
Replies (3)

Added by Wojciech Kapcia TigaseTeam almost 4 years ago

$ grep -E "(Subject|Issuer):" cert
  Subject: CN=*.shots.com, O="Shots Mobile, Inc.", L=San Francisco, ST=California, C=US
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Subject: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Please try including the DigiCert Global Root CA.

Added by Dathan Pattishall almost 4 years ago

Yup, that worked, but for future folks: the attached global cert is not in a text format (PEM format).

openssl x509 -inform DER -in DigiCertGlobalRootCA.crt -out DigicertRoot.pem -text

If you open the .crt and see BEGIN, then it's in PEM format. Use the above command to convert it.
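The two replies above cover the two pitfalls in this thread: a bundle that stops at the intermediate (so no self-signed root is in the file) and a root cert shipped as binary DER rather than PEM. The script below is an added example, not code from the Tigase project or from either poster. It walks a leaf-first PEM bundle with the openssl CLI, checks that each certificate's issuer is the subject of the next one, and says whether the bundle ends in a self-signed root; to_pem converts a DER .crt on the fly. The subject/issuer walk is a plain-string comparison done in the spirit of the grep in the first reply, not Tigase's CertificateUtil.sort logic. It assumes a POSIX shell, awk, mktemp and openssl; the demo chain it generates (Demo Root CA, Demo Intermediate CA, *.example.test) is constructed sample input, not the shots.com certificates.

```shell
#!/bin/sh
# Added example, not code from the Tigase project or from this thread's posters.
# Assumes a POSIX shell, awk, mktemp and the openssl CLI; the demo chain below
# is constructed sample input.
set -eu

# to_pem FILE: emit FILE as PEM. A text file containing "BEGIN CERTIFICATE"
# already is PEM; anything else is treated as DER (the binary .crt form some
# CAs ship), which is what -inform DER handles.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    cat "$1"
  else
    openssl x509 -inform DER -in "$1"
  fi
}

# chain_status BUNDLE: split a leaf-first PEM bundle into its certificates,
# check that each certificate's issuer is the subject of the next one, and
# report whether the bundle ends in a self-signed root. Prints one line whose
# first word is the verdict (COMPLETE, NO_ROOT or BROKEN); returns 0 only for
# COMPLETE. NO_ROOT is the situation from this thread: the last cert's issuer
# (here DigiCert Global Root CA) is simply not in the file.
chain_status() {
  bundle=$1
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/" n ".pem") }' "$bundle"
  i=1 prev_issuer="" subj="" issuer=""
  while [ -f "$tmp/$i.pem" ]; do
    # strip the "subject=" / "issuer=" prefix so the two fields compare alike
    subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer= *//')
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      rm -rf "$tmp"
      echo "BROKEN: certificate $i has subject \"$subj\" but the previous certificate was issued by \"$prev_issuer\""
      return 1
    fi
    prev_issuer=$issuer
    i=$((i + 1))
  done
  rm -rf "$tmp"
  if [ -z "$subj" ]; then
    echo "BROKEN: no certificates found in $bundle"
    return 1
  fi
  if [ "$subj" = "$issuer" ]; then
    echo "COMPLETE: $((i - 1)) certificates, ends in self-signed root \"$subj\""
    return 0
  fi
  echo "NO_ROOT: last certificate \"$subj\" is issued by \"$issuer\", which is not in the bundle"
  return 1
}

# make_demo_chain DIR: constructed sample input, a throwaway root, intermediate
# and wildcard leaf, bundled once without and once with the root, plus the root
# in DER form (root.crt) to exercise to_pem.
make_demo_chain() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/no-root.pem"
  cat "$dir/leaf.pem" "$dir/int.pem" "$dir/root.pem" > "$dir/with-root.pem"
  openssl x509 -in "$dir/root.pem" -outform DER -out "$dir/root.crt"
}

# Usage (first word of each verdict line):
#   demo=$(mktemp -d); make_demo_chain "$demo"
#   chain_status "$demo/no-root.pem"     # NO_ROOT
#   chain_status "$demo/with-root.pem"   # COMPLETE
#   to_pem "$demo/root.crt" >> "$demo/no-root.pem"; chain_status "$demo/no-root.pem"   # COMPLETE
```

Run chain_status against your own bundle before pointing Tigase at it: a NO_ROOT verdict means the fix is to append the root (converted with to_pem if the CA handed you a DER .crt), while BROKEN means the certificates are in the wrong order or an unrelated certificate slipped into the file.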
