Payara full 5.182 SSL certificate expired #3038

Closed
vassterg opened this issue Aug 14, 2018 · 10 comments
@vassterg

Description


Payara full keystore contains expired SSL certificate
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US

Expected Outcome

No severe log for The SSL certificate has expired

Current Outcome

Severe: The SSL certificate has expired: [
[
Version: V1
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 104674226241368487598835828377585222181792546532354327780214427055917513664449991602803276678454577364904540367827644455215731003386468752240014232146814457308076052176227490263634768927290191763858631579785604655038492469791381988347440106477066514204303723029602991655085187937840556671697442212352844587673
public exponent: 65537
Validity: [From: Thu Aug 13 03:29:00 EEST 1998,
To: Tue Aug 14 02:59:00 EEST 2018]
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
SerialNumber: [ 01a5]
]
Algorithm: [MD5withRSA]
Signature:
]

Steps to reproduce (Only for bug reports)

./asadmin start-domain domain1

Samples

Context (Optional)

Environment

  • Payara Version: 5.182
  • Edition: Full
  • JDK Version: 1.8.0_181; Java HotSpot(TM) 64-Bit Server VM 25.181-b13
  • Operating System: Linux / Ubuntu 18.04
  • Database:
@trreeves

+1

This is a killer. A quick resolution would be greatly appreciated.

@smillidge
Contributor

smillidge commented Aug 14, 2018

You can just delete it from the keystore or replace it with one from the JDK.

If you need a fast maintenance release outside of the usual quarterly release cycle please go to https://www.payara.fish/choose_support

@smillidge added the "Type: Bug" label Aug 14, 2018
@edwingioflo13

edwingioflo13 commented Aug 16, 2018

I had the same problem, but I use GlassFish. The first thing I did was to see which certificates are expired with the following command, executed from: \glassfish-4.1\glassfish\domains\domain1\config

"C:\Program Files\Java\jdk1.8.0_161\bin\keytool.exe" -list -v -keystore cacerts.jks -storepass changeit > listaCertificados.txt

This command saves all the certificates in a txt file. Then you can look for those that expire in 2018 and copy their names, then run the following command to delete each one from the keystore:

"C:\Program Files\Java\jdk1.8.0_161\bin\keytool.exe" -delete -alias gtecybertrustglobalca -keystore cacerts.jks -storepass changeit

In my case the expired certificate was "gtecybertrustglobalca"; with that the problem is solved.

@smillidge
Contributor

Thanks for the detailed instructions

@smillidge
Contributor

Fixed by #3044

@smillidge added this to the Payara 5.183 milestone Aug 19, 2018
@cbbravo

cbbravo commented Aug 24, 2018

Oh hey. Just a few days ago my up-to-date setup (Eclipse + Payara Tools + Payara 5.182) ran without any problems.
Today it did not.
Console output showed Payara Server startup, up until an outdated certificate error.
Everything else kept going fine: logs, functionality, everything.
Just not the Eclipse console.
It took me hours (reinstalling Payara, Eclipse, Plugins, Projects etc) to find out what was going wrong there.

Now that I found this thread, I could fix it by removing the outdated keys.
Big big thanks to https://github.com/edwingioflo13 by the way!
Now after the fix, everything is working fine, also the Eclipse console output...

So, apart from removing the outdated keys, I think you should overthink your approach to that error handling.
Like making that "severe" certificate really severe, i.e. stop Payara from starting at all (like System.exit() severe)
OR don't mess up the console's reaction to that "severe" error.

I am sorry I cannot provide any intellectual constructive contribution to this problem, because I don't know much about that live debugging stuff and how Glassfish/Payara kills its own loggers.
But this "crashing my console output but everything else keeps running" is a severe side effect that IMO should not exist any longer, in any circumstance.

BTW, I really love the Payara server and the Payara Tools for Eclipse. Great work!

@meliora

meliora commented Aug 31, 2018

We have some servers running on the latest Payara 4 version and we encountered this issue too while trying to log in to DAS console. The login goes to an endless loop and burps out this error about this expired root CA.

Removing the certificate from the cacerts keystore does not fix the problem. The endless loop still happens but with an error from "equifaxsecureca" certificate. We also removed this certificate to no avail.

We have secure domain enabled in our DAS. If anyone has any clue what to do to get the DAS console working, it would be greatly appreciated.

@cbbravo

cbbravo commented Jul 1, 2019

Just a general question: why do you even include all those wild certificates in the release versions?

My console output to eclipse always dies with those error messages. Any chance you could fix that?
Why not just warn and resume?

Oh and those errors start popping up 3-5 times a year now, and I'm getting really tired of fixing those every time by removing those outdated certificates.

@heatherita

It's really tedious having to delete them one by one.

@grommitz

I wrote a script to automate it based on @edwingioflo13's instructions:
https://gist.github.com/grommitz/7364ac99a9d2c3f9cbf68c8c570c5acb
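
The list-then-delete procedure from @edwingioflo13's comment, and the automation asked for in the last comments, as an added example (not grommitz's gist and not Payara code): it parses `keytool -list -v` output and builds the delete commands for review instead of running them. It assumes the listing was produced with `-J-Duser.timezone=UTC` in an English locale; the sample listing, with the GTE validity dates converted to UTC, and the alias `example-current-root` are constructed.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed `keytool -list -v` excerpt (UTC, English locale); the second
# entry is a made-up root that is still valid.
SAMPLE = """\
Alias name: gtecybertrustglobalca
Entry type: trustedCertEntry
Owner: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Valid from: Thu Aug 13 00:29:00 UTC 1998 until: Mon Aug 13 23:59:00 UTC 2018

Alias name: example-current-root
Entry type: trustedCertEntry
Owner: CN=Example Root (constructed)
Valid from: Fri Jan 01 00:00:00 UTC 2010 until: Tue Jan 01 00:00:00 UTC 2030
"""

ALIAS = re.compile(r"^Alias name: (.+)$", re.M)
UNTIL = re.compile(r"until: \w{3} (\w{3} +\d+ [\d:]{8}) (\S+) (\d{4})")

def expired_aliases(listing, now=None):
    """Return (expired, unparsed) alias lists; only the first certificate
    of each entry is checked."""
    now = now or datetime.now(timezone.utc)
    expired, unparsed = [], []
    starts = [m.start() for m in ALIAS.finditer(listing)] + [len(listing)]
    for begin, end in zip(starts, starts[1:]):  # one chunk per entry
        chunk = listing[begin:end]
        alias = ALIAS.match(chunk).group(1).strip()
        m = UNTIL.search(chunk)
        if not m or m.group(2) not in ("UTC", "GMT"):
            unparsed.append(alias)  # unknown zone or format: check by hand
            continue
        not_after = datetime.strptime(
            f"{m.group(1)} {m.group(3)}", "%b %d %H:%M:%S %Y"
        ).replace(tzinfo=timezone.utc)
        if not_after < now:
            expired.append(alias)
    return expired, unparsed

def delete_commands(aliases, keystore="cacerts.jks"):
    """Build keytool commands for review; keytool prompts for the password."""
    return [f"keytool -delete -alias {shlex.quote(a)} -keystore {shlex.quote(keystore)}"
            for a in aliases]

if __name__ == "__main__":
    expired, unparsed = expired_aliases(SAMPLE)
    print("\n".join(delete_commands(expired)))
    print("check manually:", unparsed)
```

Run the generated commands against a copy of the keystore first; aliases reported as unparsed had a validity line in another time zone or format and need a manual look.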
