Wednesday, 16 January 2013

Tech: How to Fix 'SSLPeerUnverifiedException: peer not authenticated' Exception in Groovy / Java

This is the first in a series of tech posts on the NerdAbility blog. We are aiming to blog any useful tips / gotchas we come across when developing with various technologies. We will still be posting tech recruitment insights and NerdAbility news, so stay tuned!


When developing with web services in Java you may need to connect to an HTTPS URL, for example when creating a REST client. In some cases there will be an issue with the type of certificate the web server is using, resulting in an SSLPeerUnverifiedException.

To solve this you could previously export the server's SSL certificate via Firefox / Chrome and load it directly into the cacerts keystore (the JVM's default trusted keystore). In recent versions of Firefox / Chrome this feature seems to have disappeared. In this post we will show you how to grab the certificate using command-line tools and then load it into the cacerts keystore. Finally, we give an example of connecting to an HTTPS URL with Groovy using RESTClient.

Please note this guide is for Linux / Mac users. Windows users may be able to follow along using Cygwin, but we have not tested this. If you are using an alternative trusted keystore in your application, use that instead of cacerts in the examples.

Prerequisites: Before loading any certificate into your cacerts keystore, please verify that you are happy with the certificate, its authenticity and its issuer. You can do this by using a tool like this one.

Disclaimer: Follow this guide at your own risk, we can not be held liable / accountable for any damage or issues caused to you or your systems.

Step 1: Download and Store the Certificate


To download and store the certificate, run the following command, replacing $ADDRESS with the site's address. For example, https://www.facebook.com would become facebook.com:

echo -n | openssl s_client -connect $ADDRESS:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/$ADDRESS.cert

To check the certificate was grabbed, you can run:

cat /tmp/$ADDRESS.cert

This will output the certificate and you should see something like:

-----BEGIN CERTIFICATE-----
*DATA*
-----END CERTIFICATE-----
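
Step 1 trusts whatever certificate the network path returned, so before importing it is worth comparing the saved file against a SHA-256 fingerprint obtained out of band (for example from the server's administrator). The script below is an added example, not part of the original post; pem_sha256 and check_pin are hypothetical helper names, and it assumes awk, base64 and sha256sum (GNU coreutils) are available:

```shell
#!/bin/sh
# Added example: compare the certificate saved in Step 1 with a SHA-256
# fingerprint obtained out of band, before importing it into cacerts.
# pem_sha256, check_pin and the script name check_pin.sh are hypothetical.

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the first
# certificate in a PEM file. The PEM body is the base64 of the DER encoding,
# so hashing the decoded bytes gives the value that
# `openssl x509 -noout -fingerprint -sha256` reports.
pem_sha256() {
    body=$(awk '/-BEGIN CERTIFICATE-/ { on = 1; next }
                /-END CERTIFICATE-/   { exit }
                on' "$1" 2>/dev/null | tr -d ' \t\r\n')
    # An empty body means the s_client fetch failed and sed wrote nothing.
    [ -n "$body" ] || return 2
    printf '%s' "$body" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Return 0 only if the file's fingerprint equals the expected one.
# The expected value may be given with or without colons, in either case.
check_pin() {
    want=$(printf '%s' "$2" | tr -d ': \n' | tr 'A-F' 'a-f')
    got=$(pem_sha256 "$1") || { echo "no certificate found in $1" >&2; return 2; }
    if [ "$got" = "$want" ]; then
        echo "fingerprint matches: $got"
    else
        echo "MISMATCH: got $got, expected $want; do not import" >&2
        return 1
    fi
}

# Usage: sh check_pin.sh /tmp/$ADDRESS.cert <expected-fingerprint>
if [ "$#" -eq 2 ]; then
    check_pin "$1" "$2"
fi
```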


Step 2: Load the Certificate into the JVM's Default Keystore (cacerts)


First of all you need to locate the cacerts keystore for the JRE you are using. To find out the version of java run the following command:

java -version

This should give you something similar to:

java version "1.6.0_11"
Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
Java HotSpot(TM) 64-Bit Server VM (build 11.0-b16, mixed mode)

Next, take the Java version number from the previous output, in this case 1.6.0_11, and use locate to find the cacerts keystore for this Java install:

locate cacerts | grep "1.6.0_11"

The output should give you something similar to:

/usr/lib/jvm/jre1.6.0_11/lib/security/cacerts

Now you have enough information to import the certificate into the keystore. Run the following command, replacing $ADDRESS with the address you used earlier and $ALIAS with a name for the certificate, e.g. facebook. Replace $KEYSTORE with the full path to the cacerts file (the output from the locate command we just ran). We have also added the -storepass argument, passing the default password for the cacerts keystore. You will want to change this, if you have not already, and should be prompted to do so.

sudo keytool -importcert -alias "$ALIAS" -file "/tmp/$ADDRESS.cert" -keystore "$KEYSTORE" -storepass changeit

Once you run this you will be shown the certificate and prompted to confirm you want to import the certificate:

Trust this certificate? [no]:  yes
Certificate was added to keystore

Now you should have the certificate ready for use in your application, providing it is configured to use the default keystore and runs on the JVM we configured the certificate for!

Step 3: Test It!


Here is some example Groovy code using RESTClient:



64 comments:

  1. It's also possible to override the default behaviour for ssl handling by creating a custom TrustManager. This alleviates the potential nightmare that you might bump into when moving code through different environments etc. See SSLContext init for more.

    1. Hey Michael, any chance you could elaborate on this? My organization has so many servers they face the nightmare you describe. I would like to create my own TrustManager, but looking at the interface (http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/TrustManager.html) there are no methods to implement. Is it expected that creating an empty class that implements TrustManager will alleviate the need for peer authentication?

      Context:
      I'm trying to fix a few operational scripts written in groovy that use HttpBuilder and throw this error. Authentication fails because the scripts are hitting individual server nodes by IP (not by hitting apache or a load balancer). My understanding is that the SSL cert's hostname does not match the IP address and this causes the error. Creating self signed certs to fake the match is not a viable solution for this problem.

    2. Provided example : https://gist.github.com/patelm5/8820842

  2. Thanks, that was exactly what I was looking for :-)

  4. Thanks for the openssl command, I too used to use FF to do the same thing.

    If you want to avoid adding extra certificates to your JDK you could create a copy and use that instead, e.g.

    cp $JAVA_HOME/lib/security/cacerts /tmp

    then specify the copy when running your app;

    java -Djavax.net.ssl.trustStore=/tmp/cacerts com.test.Main

  5. Hi,
    Your code was exceptionally useful. My legal department is asking whether you could license this code snippet to us or put forth some expression about it being public domain. In the event that you attach an Apache 2.0 or BSD style license, that would be simplest.
    Much thanks to you!
  6. Thanks, it really helped to resolve my issue.
