This repository has been archived by the owner. It is now read-only.

Invalid HTTPS certificate #5282

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 6 comments

Comments

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Reporter: don-vip
[Submitted to the original trac issue database at 7.13pm, Friday, 20th February 2015]

Something has changed today on the HTTPS certificate used by the OSM API, and it is no longer possible to access it with JOSM and the latest version of Java (8u31):

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:957)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:892)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
	at org.openstreetmap.josm.io.OsmServerReader.getInputStreamRaw(OsmServerReader.java:158)
	... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
	... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 30 more

Looking at https://api.openstreetmap.org with Chrome, I get a similar warning as well, about an untrusted certificate.

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Author: don-vip
[Added to the original trac issue at 10.44pm, Sunday, 22nd February 2015]

By the way, http://api06.dev.openstreetmap.org/api/capabilities has not responded for several days: has the test API been shut down?

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Author: TomH
[Added to the original trac issue at 10.56pm, Sunday, 22nd February 2015]

We have reverted to the old certificate for now, but JOSM really needs to find a way to trust the StartCom root certificate (it already does on Fedora, where Java uses the Mozilla cert bundle rather than the Java default one).

The dev server is down this weekend due to a scheduled power outage at one of our hosting sites.

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Author: don-vip
[Added to the original trac issue at 11.27pm, Sunday, 22nd February 2015]

Replying to [comment:2 TomH]:

> JOSM really needs to find a way to trust the StartCom root certificate

Not so easy! It requires root privileges. On Windows, installing a root CA displays a very scary popup. Besides, it would require a new version of JOSM, leaving all older clients in the wild.

We wouldn't have switched to HTTPS by default if we had expected you to switch to an unknown root CA. Why don't you stay with your current provider?

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Author: don-vip
[Added to the original trac issue at 11.53pm, Sunday, 22nd February 2015]

OK, found the original ticket: openstreetmap/operations#2. We can discuss there if you want.

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Author: TomH
[Added to the original trac issue at 12.00am, Monday, 23rd February 2015]

It needs root perms to install into the system store, but presumably JOSM could add to the local bundle that it is using?

You'd need to ask Grant why we switched but I think the main reason is that we could get certs that covered a wider range of domains and at lower cost. It's a provider that is recognised by all the main browsers - we just hadn't realised that Java didn't recognise it.

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Author: TomH
[Added to the original trac issue at 12.17am, Monday, 23rd February 2015]

So far http://nelenkov.blogspot.co.uk/2011/12/using-custom-certificate-trust-store-on.html is the best resource I have found on how to create a custom TrustManager that trusts extra certificates while mostly deferring to the system store.

It looks like there are extra complications depending on what HTTPS client(s) are being used, though, as you have to persuade them to use the custom TrustManager.
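
Added example (not part of the original thread and not JOSM's code): a sketch of the approach discussed above, a TrustManager that defers to the JRE's default trust store and consults one extra root only when that fails, so no root privileges or system-store changes are needed. The class and method names (`ExtraRootTrust`, `x509From`, `composite`) are hypothetical, and the root certificate file is supplied by the caller as `args[0]`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import javax.net.ssl.*;

public final class ExtraRootTrust {
    // First X509TrustManager backed by ks; ks == null selects the JRE default trust store.
    static X509TrustManager x509From(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // System store first; the extra root is a fallback. Both paths run full PKIX validation.
    static X509TrustManager composite(X509TrustManager system, X509TrustManager extra) {
        return new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try { system.checkServerTrusted(chain, authType); }
                catch (CertificateException e) { extra.checkServerTrusted(chain, authType); }
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                system.checkClientTrusted(chain, authType); // extra root is for servers only
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                X509Certificate[] a = system.getAcceptedIssuers(), b = extra.getAcceptedIssuers();
                X509Certificate[] all = Arrays.copyOf(a, a.length + b.length);
                System.arraycopy(b, 0, all, a.length, b.length);
                return all;
            }
        };
    }

    // args[0]: path to the extra root certificate (PEM or DER), chosen by the caller.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store, nothing written to disk
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.setCertificateEntry("extra-root", CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { composite(x509From(null), x509From(ks)) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()); // HttpsURLConnection only
    }
}
```

The last line covers only `HttpsURLConnection`, the client that appears in the stack trace above; any other HTTP client library has to be handed the `SSLContext` explicitly.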
