Cert Error: "Can't find root certificate in chain"

Dathan Pattishall
Added about 4 years ago

I am getting this error

2015-01-27 16:01:59.741 [main]             SSLContextContainer.init()         WARNING:  Cannot load certficate from file: certs/
1452 java.lang.RuntimeException: Can't find root certificate in chain!                                                 
1453   at tigase.cert.CertificateUtil.sort(                                                   
1454   at tigase.cert.CertificateUtil.sort(                                                   
1455   at                              
1456   at                                             
1457   at                                                       
1458   at tigase.conf.ConfiguratorAbstract.setProperties(                                
1459   at tigase.conf.ConfiguratorAbstract.setup(                                        
1460   at tigase.conf.ConfiguratorAbstract.componentAdded(                               
1461   at tigase.conf.Configurator.componentAdded(                                                
1462   at tigase.conf.Configurator.componentAdded(                                                
1463   at tigase.server.AbstractComponentRegistrator.addComponent(               
1464   at tigase.server.MessageRouter.addRegistrator(                                           
1465   at tigase.server.MessageRouter.setConfig(                                                
1466   at tigase.server.XMPPServer.start(                                                          
1467   at tigase.server.XMPPServer.main(                                                          

Yet the output from

java -cp jars/tigase-server.jar tigase.cert.CertificateUtil --load-cert certs/

show that the CertificateUtil class can read it. Is this error something else? is there another root certificate?

I normally would put this on the forums but I don’t want my cert getting out there.

Also I read this:

I don’t think they apply to me

Also here is my text of the bundle cert I put together

openssl x509 -in certs/ -noout -text
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
            Not Before: Jun 14 00:00:00 2014 GMT
            Not After : Jun 21 12:00:00 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Shots Mobile, Inc., CN=*
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 

            X509v3 Subject Key Identifier: 
            X509v3 Subject Alternative Name: 
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.1.1

            Authority Information Access: 
                OCSP - URI:
                CA Issuers - URI:

            X509v3 Basic Constraints: critical
    Signature Algorithm: sha256WithRSAEncryption

What am I doing wrong? Do I need some sort of other root cert?

Replies (3)

Added by Wojciech Kapcia TigaseTeam about 4 years ago

$ grep -E "(Subject|Issuer):" cert
  Subject: CN=*, O="Shots Mobile, Inc.", L=San Francisco, ST=California, C=US
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Subject: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Issuer: CN=DigiCert Global Root CA,, O=DigiCert Inc, C=US

Please try inclusion of DigiCert Global Root CA

Added by Dathan Pattishall about 4 years ago

Yup that worked but for future folks the attached global cert is not in a text format (pem format)

openssl x509 -inform DES -in DigiCertGlobalRootCA.crt -out DigicertRoot.pem -text

If you open the crt and see BEGIN then its in a pem format. Use the above command to convert it.