OFBiz / OFBIZ-1902

ofbiz.org cert is expired causes peer not authenticated

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: Release Branch 4.0, Trunk
    • Fix Version/s: Release Branch 4.0, Trunk
    • Component/s: None
    • Labels:
      None
    • Environment:

      Ofbiz ootb localhost

      Description

      the ofbiz.org cert that is in the ootb has expired on July 7th.

      2008-07-29 14:24:31,312 (http-0.0.0.0-8443-2) [ RequestHandler.java:243:INFO ] [Processing Request]: EditWebSite sessionId=15BC9675666BC788DE897F186C9BF720.jvm1
      2008-07-29 14:24:31,312 (http-0.0.0.0-8443-2) [ RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=15BC9675666BC788DE897F186C9BF720.jvm1
      2008-07-29 14:24:31,312 (http-0.0.0.0-8443-2) [ RequestHandler.java:584:INFO ] servletName=control, view=EditWebSite sessionId=15BC9675666BC788DE897F186C9BF720.jvm1
      2008-07-29 14:24:31,312 (http-0.0.0.0-8443-2) [ JSSESupport.java:89 :DEBUG] Error getting client certs

      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345)
      at org.apache.tomcat.util.net.jsse.JSSESupport.getX509Certificates(JSSESupport.java:87)
      at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:141)
      at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1011)
      at org.apache.coyote.Request.action(Request.java:352)

          Activity

          Bruno Busco added a comment -

          Changed from "Resolved" to "Closed" since we do not use the "Resolved" issue status

          Jacques Le Roux added a comment -

          Yes

          BJ Freeman added a comment -

          you mean this one http://docs.ofbiz.org/display/OFBIZ/Ant+Script+to+build+new+ofbiz+self+cert

          Jacques Le Roux added a comment -

          Thanks BJ,

          I put a link from FAQ

          Jacques

          BJ Freeman added a comment -

          for now will close since I put in a solution in the comments
          when I get the final solution will submit patch

          BJ Freeman added a comment -

          put this in the main build and use
          ant ofbizkey
          note: you may have to delete the framework/base/config/ofbizssl.jks
          I am still working on taking data from the
          framework/base/config/ofbiz-containers.xml
          and doing an auto delete in the script.

          <!-- Generates a self-signed key pair under alias "ssl" in the OFBiz keystore.
               keytool refuses to overwrite an existing alias, hence the manual delete noted above.
               No validity attribute is set, so keytool's default lifetime (90 days) applies. -->
          <target name="ofbizkey">
              <echo message="[genkey] ========== Start genkey for Ofbiz main cert Key =========="/>
              <echo message="[genkey] ========== removing Ofbiz main cert Key =========="/>
              <genkey alias="ssl" storepass="changeit" keystore="framework/base/config/ofbizssl.jks" storetype="JKS" keypass="changeit"
                      dname="CN=ofbiz.apache.org, OU=SSL Server Testing, O=Apache Open For Business, C=US, ST=Delaware, L=Dover"/>
              <echo message="[genkey] ========== genkey for Ofbiz main cert completed =========="/>
          </target>

          BJ Freeman added a comment -

          Open SSL is Apache License but they have this warning

          This software package uses strong cryptography, so even if it is created, maintained and distributed from liberal countries in Europe (where it is legal to do this), it falls under certain export/import and/or use restrictions in some other parts of the world.

          PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS OF OPENSSL ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

          BJ Freeman added a comment -

          It came to mind that maybe there was an ant script to build an ssl cert.
          I ran across this

          Local-deploy-generated-apache-certs
          Overwrites files with generated self-signed certificate and key files; target directory is the subdirectory of APACHE_HOME specified by the apache-server-ssl-cert-directory property in apache-conf.properties. Called by local-deploy-apache.

          configure-apache
          Calls targets to copy model httpd.conf and ssl.conf files using token filtering. Depended on by local-deploy-generated-apache-config.

          generate-self-signed-certificate
          Generates self-signed certificate and key files with openssl, based on properties set in apache-conf.properties. Depended on by local-deploy-generated-apache-certs.

          So maybe that is what ofbiz needs to do. Then the person downloading would be responsible to do the certs
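
The failure in this issue is a bundled certificate passing its notAfter date unnoticed. As an added example (not code from the OFBiz project or from the commenters), the script below generates a self-signed certificate with openssl using the subject from the Ant target in this thread, and classifies a PEM certificate as ok, expiring, expired or unreadable so a build or scheduled job can fail before the date is reached. The function names and file layout are assumptions, and a certificate held in a JKS keystore is assumed to have been exported to PEM first.

```shell
#!/bin/sh
# Added example: function names and file layout are hypothetical, not OFBiz's.
# Assumption: a certificate stored in a JKS keystore has been exported to PEM
# first, e.g. keytool -exportcert -rfc -alias ssl -keystore <store> -file cert.pem

# Subject fields copied from the dname in the Ant target posted in this issue.
SUBJ="/C=US/ST=Delaware/L=Dover/O=Apache Open For Business/OU=SSL Server Testing/CN=ofbiz.apache.org"

# make_selfsigned DIR DAYS
# Writes DIR/key.pem and DIR/cert.pem, a self-signed pair valid for DAYS days.
# The lifetime is always passed explicitly so it never falls back to a tool default.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -days "$2" -subj "$SUBJ" >/dev/null 2>&1
}

# cert_status CERT WARN_DAYS
# Prints one word and returns the matching exit code:
#   ok         (0)  valid for longer than WARN_DAYS
#   expiring   (1)  still valid, but notAfter falls inside WARN_DAYS
#   expired    (2)  notAfter is already in the past
#   unreadable (3)  file missing or not a parsable certificate
cert_status() {
    cert=$1
    warn_secs=$(( $2 * 86400 ))
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok; return 0
}
```

Calling `cert_status cert.pem 30` from the build and treating any non-zero exit as a failure surfaces the problem a month ahead instead of at the first failed HTTPS request.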


            People

            • Assignee: Unassigned
            • Reporter: BJ Freeman