Invalid CA exception... #141

Closed
rtalexander opened this issue Jun 3, 2015 · 2 comments

@rtalexander

Hi,

I've switched from a Mac to an Ubuntu 14.04 LTS box. However, I am now getting an exception stating that an unknown CA was encountered:

Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/share/java/jayatanaag.jar 
2015-06-02 17:05:06,357 INFO o.m.p.d.DirectProxy MockServer proxy started on port: 8123 connected to remote server: sel3530-0030a704c3ba.ad.selinc.com:80
2015-06-02 17:05:09,682 WARN i.n.c.DefaultChannelPipeline An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
  at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:346) ~[mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:229) ~[mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:339) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:324) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:847) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:111) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137) [mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at java.lang.Thread.run(Thread.java:745) [na:1.7.0_80]
Caused by: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_80]
  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639) ~[na:1.7.0_80]
  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607) ~[na:1.7.0_80]
  at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776) ~[na:1.7.0_80]
  at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068) ~[na:1.7.0_80]
  at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890) ~[na:1.7.0_80]
  at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764) ~[na:1.7.0_80]
  at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_80]
  at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1114) ~[mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:981) ~[mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:934) ~[mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:315) ~[mockserver-netty-3.9.12-jar-with-dependencies.jar:na]
  ... 12 common frames omitted

I started Mock Server Proxy (MSP) with the following command line:

java \
     -Djavax.net.ssl.trustStore=added \
     -Djavax.net.ssl.trustStore=/Users/USER/.keystore \
     -Droot.logLevel=DEBUG \
     -jar mockserver-netty-3.9.12-jar-with-dependencies.jar \
     -proxyPort 8123 \
     -proxyRemotePort 80  \
     -proxyRemoteHost sel3530-0030a704c3ba

The version of the JDK that I am using is javac 1.7.0_80.

I have also installed the CA certificates by running install_ca_certificate.sh from mockserver/scripts, receiving the following output:

 ./install_ca_certificate.sh
--2015-06-02 16:59:46--  https://raw.githubusercontent.com/jamesdbloom/mockserver/master/mockserver-core/src/main/resources/org/mockserver/socket/CertificateAuthorityCertificate.pem
Resolving wall.ad.selinc.com (wall.ad.selinc.com)... 10.100.0.240
Connecting to wall.ad.selinc.com (wall.ad.selinc.com)|10.100.0.240|:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1330 (1.3K) [text/plain]
Saving to: ‘CertificateAuthorityCertificate.pem’

100%[======================================>] 1,330       --.-K/s   in 0s      

2015-06-02 16:59:47 (283 MB/s) - ‘CertificateAuthorityCertificate.pem’ saved [1330/1330]

Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/share/java/jayatanaag.jar 
deleting certificate
Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/share/java/jayatanaag.jar 
keytool error: java.lang.Exception: Keystore file does not exist: /home/USER/.keystore
Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/share/java/jayatanaag.jar 
Certificate was added to keystore
[Storing /home/USER/.keystore]

==========================================================================================
Ensure your JVM is using the correct keystore as follows: -Djavax.net.ssl.trustStore=added
==========================================================================================

The scenario that I am trying to set up has MSP running on box A (listening at localhost:8123) and proxying all requests to box B (sel3530-0030a704c3ba, local to my LAN). Using Firefox, I connect to https://localhost:8123, which results in the exception shown previously.

I must be missing something here; could you please verify that I am using MSP correctly?

Thanks,

Roger Alexander.

P.S. Any chance of getting a user forum setup?

@jamesdbloom
Collaborator

A user forum is not a bad idea; do you have any suggestions for setting one up?

The script install_ca_certificate.sh is actually incorrect and I haven't had a chance to fix it. It should point at the truststore and not the keystore. On my Mac, for example, the truststore is /Library/Java/JavaVirtualMachines/jdk1.8.0_05.jdk/Contents/Home/jre/lib/security/cacerts.

The script you mentioned incorrectly adds the CA certificate to the keystore, and so it is not by default trusted by Java. In addition, on a Mac I tend to add the PEM file to the Keychain Access application; that way Chrome and other apps like Mail will also trust the CA cert, which is helpful when you're using the proxy (particularly in SOCKS mode, which catches all traffic).

I'll leave this issue open until I update the script.
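
As an added example (not the project's install_ca_certificate.sh), the script below does what the comment above describes: it imports the CA PEM into the JVM's cacerts truststore rather than into ~/.keystore, and verifies the alias is present afterwards. The alias name, the CACERTS_PASS variable and the JAVA_HOME layout checks are assumptions.

```shell
#!/bin/sh
# Added example, not the project's install_ca_certificate.sh: import a CA
# certificate PEM into the JVM truststore (cacerts) instead of ~/.keystore,
# which is the fix the maintainer describes. Alias and paths are assumptions.

# Print the path of the cacerts truststore for a JDK home. JDK 8 and earlier
# keep it under jre/lib/security, JDK 9 and later under lib/security.
truststore_path() {
    _jh="${1:-${JAVA_HOME:-}}"
    # Fall back to the JDK behind the java binary on PATH (GNU readlink, Linux).
    if [ -z "$_jh" ] && command -v java >/dev/null 2>&1; then
        _jh="$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")"
    fi
    if [ -f "$_jh/jre/lib/security/cacerts" ]; then
        echo "$_jh/jre/lib/security/cacerts"
    elif [ -f "$_jh/lib/security/cacerts" ]; then
        echo "$_jh/lib/security/cacerts"
    else
        return 1
    fi
}

# Import the PEM under the given alias and verify it is listed afterwards.
# "changeit" is the JDK's default cacerts password; override with CACERTS_PASS.
install_ca() {
    _pem="$1"; _alias="${2:-mockserver-ca}"; _pass="${CACERTS_PASS:-changeit}"
    [ -r "$_pem" ] || { echo "cannot read $_pem" >&2; return 1; }
    _ts="$(truststore_path)" || { echo "no cacerts found for JAVA_HOME='${JAVA_HOME:-}'" >&2; return 1; }
    # Drop an earlier copy of the alias so re-running picks up a regenerated CA.
    keytool -delete -alias "$_alias" -keystore "$_ts" -storepass "$_pass" >/dev/null 2>&1 || true
    keytool -importcert -noprompt -trustcacerts -alias "$_alias" -file "$_pem" \
        -keystore "$_ts" -storepass "$_pass" || return 1
    keytool -list -alias "$_alias" -keystore "$_ts" -storepass "$_pass" >/dev/null || return 1
    echo "Imported '$_alias' into $_ts"
    echo "Start the JVM with: -Djavax.net.ssl.trustStore=$_ts"
}

# Usage: JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64 ./install_ca.sh CertificateAuthorityCertificate.pem
if [ $# -gt 0 ]; then
    install_ca "$@"
fi
```

Writing to cacerts usually needs root. Note that -Djavax.net.ssl.trustStore replaces the default truststore rather than adding to it, so it must either be left unset or be given that same cacerts path (not the literal `added` printed by the old script's message).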

@jamesdbloom jamesdbloom self-assigned this Jun 4, 2015
jamesdbloom added a commit that referenced this issue Jun 17, 2015
…ate to the correct location, also improved the way JAVA_HOME is set on mac machines
@jamesdbloom
Collaborator

The script is now fixed; I will also update the documentation as commented on #115.
