Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Tomcat 9 server: javax.net.ssl.SSLHandshakeException: Empty server certificate chain

Tags:

java

tomcat

java-security

tomcat9

I am trying to establish ssl connection to tomact server which I ve installed at my local machine. The server.xml has following entries:

<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       sslImplementationName="localSSLImplementation keystoreFile="~/localhost.p12" 
       keystorePass="myPassword"
       keystoreType="PKCS12"
       
       truststoreFile="~/truststore.p12"
       truststorePass="changeit"
       truststoreType="PKCS12"
       truststoreProvider="SUN"
       clientAuth="required" sslProtocol="TLS"  sslEnabledProtocols="TLSv1.1,TLSv1.2"/>

I have a self signed certificate and private-public key pair present at localhost.p12

I exported this certificate and imported it in truststore.p12, which has entries imported from JRE's cacerts as well.

Now when clientAuth="optional" is set I can connect to tomcat server seamlessly but I can see the stackTrace for tomcat in my eclipse as follows :

javax.net.ssl|DEBUG|15|https-jsse-nio-8443-exec-6|2021-04-22 12:43:24.104 IST|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "certificate_unknown"
}
)
javax.net.ssl|DEBUG|14|https-jsse-nio-8443-exec-5|2021-04-22 12:43:24.104 IST|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "certificate_unknown"
}
)
javax.net.ssl|ERROR|15|https-jsse-nio-8443-exec-6|2021-04-22 12:43:24.106 IST|TransportContext.java:341|Fatal (CERTIFICATE_UNKNOWN): Received fatal alert: certificate_unknown (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:511)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:243)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1685)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)}

)
javax.net.ssl|ERROR|14|https-jsse-nio-8443-exec-5|2021-04-22 12:43:24.106 IST|TransportContext.java:341|Fatal (CERTIFICATE_UNKNOWN): Received fatal alert: certificate_unknown (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:511)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:243)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1685)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)}

)
javax.net.ssl|ALL|16|https-jsse-nio-8443-exec-7|2021-04-22 12:43:24.116 IST|X509Authentication.java:295|No X.509 cert selected for EC
javax.net.ssl|ALL|19|https-jsse-nio-8443-exec-10|2021-04-22 12:43:24.151 IST|X509Authentication.java:295|No X.509 cert selected for EC
javax.net.ssl|ALL|18|https-jsse-nio-8443-exec-9|2021-04-22 12:43:24.187 IST|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|WARNING|18|https-jsse-nio-8443-exec-9|2021-04-22 12:43:24.188 IST|SSLEngineOutputRecord.java:168|outbound has closed, ignore outbound application data
javax.net.ssl|ALL|10|https-jsse-nio-8443-exec-1|2021-04-22 12:43:24.406 IST|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|ALL|13|https-jsse-nio-8443-exec-4|2021-04-22 12:43:24.432 IST|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|ALL|13|https-jsse-nio-8443-exec-4|2021-04-22 12:43:24.433 IST|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|ALL|11|https-jsse-nio-8443-exec-2|2021-04-22 12:43:24.438 IST|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|ALL|11|https-jsse-nio-8443-exec-2|2021-04-22 12:43:24.441 IST|SSLEngineImpl.java:752|Closing outbound of SSLEngine

Questionon 1:- I don't if that should be happening or not as I have specified the same certificate in truststoreFile

Question 2:- if I change the clientAuth="required", which I intend to do, I observer following stack-trace along with warning in chrome.

stackTrace:-

avax.net.ssl|ALL|11|https-jsse-nio-8443-exec-2|2021-04-22 12:48:16.627 IST|X509Authentication.java:295|No X.509 cert selected for EC
javax.net.ssl|ALL|10|https-jsse-nio-8443-exec-1|2021-04-22 12:48:16.627 IST|X509Authentication.java:295|No X.509 cert selected for EC
javax.net.ssl|DEBUG|14|https-jsse-nio-8443-exec-5|2021-04-22 12:48:16.660 IST|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "certificate_unknown"
}
)
javax.net.ssl|DEBUG|15|https-jsse-nio-8443-exec-6|2021-04-22 12:48:16.660 IST|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "certificate_unknown"
}
)
javax.net.ssl|ERROR|14|https-jsse-nio-8443-exec-5|2021-04-22 12:48:16.662 IST|TransportContext.java:341|Fatal (CERTIFICATE_UNKNOWN): Received fatal alert: certificate_unknown (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:511)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:243)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1685)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)}

)
javax.net.ssl|ERROR|15|https-jsse-nio-8443-exec-6|2021-04-22 12:48:16.662 IST|TransportContext.java:341|Fatal (CERTIFICATE_UNKNOWN): Received fatal alert: certificate_unknown (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:511)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:243)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1685)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)}

)
javax.net.ssl|ALL|16|https-jsse-nio-8443-exec-7|2021-04-22 12:48:16.669 IST|X509Authentication.java:295|No X.509 cert selected for EC
javax.net.ssl|ERROR|18|https-jsse-nio-8443-exec-9|2021-04-22 12:48:16.680 IST|TransportContext.java:341|Fatal (BAD_CERTIFICATE): Empty server certificate chain (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Empty server certificate chain
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:283)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:455)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:519)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:243)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1685)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)}

)
javax.net.ssl|WARNING|18|https-jsse-nio-8443-exec-9|2021-04-22 12:48:16.682 IST|SSLEngineOutputRecord.java:168|outbound has closed, ignore outbound application data

Text Displayed in chrome:- when I try to connect to https://localhost:8443

This site can’t provide a secure connectionlocalhost didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

If I try to establish connection through ssl clientI see following error:

SSL handshake has read 16672 bytes and written 388 bytes
Verification error: self signed certificate

======================================================================== Editing this post

commented section from Dave did help me to resolve my second issue, in which case I added self-signed cert to chrome.

But for first question, I am still able to see in my tomcat server's logs stack trace exactly similar to the first stack trace that I posted. So now my query is as I have imported the same root in server's truststore which has signed my client certificate. So why do I see javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown in stack trace whenever I establish the connection from client to server?

like image 401
Jeet Avatar asked Oct 12 '25 22:10

Jeet

1 Answers

Refer comment from Dave. I just figured out that the stack trace that I see saying certificate_unknown is because client doesn't trust my server's certificate which is a self-signed certificate. So that's normal as my browser doesn't trust the local certificate. If it is signed by authorized CA then that will solve the problem.

like image 198
Jeet Avatar answered Oct 14 '25 16:10

Jeet
Sign in to Comment

Related questions

Generics: Make sure parameters are of same type
convert dataURL to file using javascript
Java FX Road Tiles
ViewModelProvider - .Incomptible type with Fragment
Spring Boot scheduler thread stops randomly
Writing Aspects For Reactive Pipelines
Flink Tumble Window Trigger time
How to define parameters in Spring RequestBody as not null?
Why synchronizing on the field variable and incrementing it inside synchronized block results in print out of order?
What version of JRE should I use to run a Java 15 compiled program?
Mockito mocking restTemplate.postForEntity
How to send body in restTemplate as application/x-www-form-urlencoded
How to switch on validation according to WSDL - spring boot and spring-ws
In Thymeleaf, how can I choose the th:selected value for an HTML selector based on the current model object?
Best architecture for a social media app
Adding "-Xshare:off" JVM arg break jacoco-maven-plugin setup
Android Kotlin (beginner) - using File() with Uri returned from ACTION_GET_CONTENT
Invoke method by reflection with dynamic parameters

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!