OFBiz / OFBIZ-1902

ofbiz.org cert is expired causes peer not authenticated

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: Release Branch 4.0, Trunk
    • Fix Version/s: Release Branch 4.0, Trunk
    • Component/s: None
    • Labels:
      None
    • Environment:

      Ofbiz ootb localhost

      Description

      the ofbiz.org cert that is in the ootb has expired on July 7th.

      2008-07-29 14:24:31,312 (http-0.0.0.0-8443-2) [ RequestHandler.java:243:INFO ] [Processing Request]: EditWebSite sessionId=15BC9675666BC788DE897F186C9BF720.jvm1
      2008-07-29 14:24:31,312 (http-0.0.0.0-8443-2) [ RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=15BC9675666BC788DE897F186C9BF720.jvm1
      2008-07-29 14:24:31,312 (http-0.0.0.0-8443-2) [ RequestHandler.java:584:INFO ] servletName=control, view=EditWebSite sessionId=15BC9675666BC788DE897F186C9BF720.jvm1
      2008-07-29 14:24:31,312 (http-0.0.0.0-8443-2) [ JSSESupport.java:89 :DEBUG] Error getting client certs

      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345)
      at org.apache.tomcat.util.net.jsse.JSSESupport.getX509Certificates(JSSESupport.java:87)
      at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:141)
      at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1011)
      at org.apache.coyote.Request.action(Request.java:352)

        Activity

        Gavin made changes -
        Workflow jira [ 12436305 ] OFbiz Workflow [ 12507081 ]
        Bruno Busco made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Bruno Busco added a comment -

        Changed from "Resolved" to "Closed" since we do not use the "Resolved" issue status

        Jacques Le Roux added a comment -

        Yes

        BJ Freeman added a comment - you mean this one http://docs.ofbiz.org/display/OFBIZ/Ant+Script+to+build+new+ofbiz+self+cert
        Jacques Le Roux added a comment -

        Thanks BJ,

        I put a link from FAQ

        Jacques

        BJ Freeman made changes -
        Field Original Value New Value
        Resolution Fixed [ 1 ]
        Status Open [ 1 ] Resolved [ 5 ]
        BJ Freeman added a comment -

        for now will close since I put in a solution in the comments
        when I get the final solution will submit patch

        BJ Freeman added a comment -

        Put this in the main build and use
        ant ofbizkey
        Note: you may have to delete the framework/base/config/ofbizssl.jks
        I am still working on taking data from the
        framework/base/config/ofbiz-containers.xml
        and doing an auto delete in the script.

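        <target name="ofbizkey">
            <echo message="[genkey] ========== Start genkey for Ofbiz main cert Key =========="/>
            <!-- No delete step yet: remove the old keystore by hand first (see the note above),
                 otherwise genkey fails because the "ssl" alias already exists. -->
            <echo message="[genkey] ========== removing Ofbiz main cert Key =========="/>
            <!-- Creates a self-signed key pair under alias "ssl". No validity attribute is set,
                 so keytool's default lifetime (90 days) applies to the new certificate. -->
            <genkey alias="ssl" storepass="changeit" keystore="framework/base/config/ofbizssl.jks" storetype="JKS" keypass="changeit"
                    dname="CN=ofbiz.apache.org, OU=SSL Server Testing, O=Apache Open For Business, C=US, ST=Delaware, L=Dover"/>
            <echo message="[genkey] ========== genkey for Ofbiz main cert completed =========="/>
        </target>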
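
An added example, not part of the original comment or of the OFBiz code base: a Java check that loads the keystore the Ant target above writes and reports how long each certificate in it remains valid, so an expiring certificate is caught before it reaches users. The class name `KeystoreExpiryCheck` and the 30-day warning window are assumptions; the default path and password are the ones shown in the Ant target.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

public class KeystoreExpiryCheck {
    public static void main(String[] args) throws Exception {
        // Defaults: keystore path and password from the Ant target on this page.
        String path = args.length > 0 ? args[0] : "framework/base/config/ofbizssl.jks";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        // Warning window in days; 30 is an assumed default, not an OFBiz setting.
        long warnDays = args.length > 2 ? Long.parseLong(args[2]) : 30;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass); // throws if the password or file format is wrong
        }

        Instant now = Instant.now();
        boolean problem = false;
        for (String alias : Collections.list(ks.aliases())) {
            // For a key entry this is the first certificate of its chain.
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // entry without an X.509 certificate
            }
            X509Certificate x509 = (X509Certificate) cert;
            Instant notBefore = x509.getNotBefore().toInstant();
            Instant notAfter = x509.getNotAfter().toInstant();
            long daysLeft = Duration.between(now, notAfter).toDays();

            String state = "OK";
            if (now.isBefore(notBefore)) { state = "NOT YET VALID"; problem = true; }
            else if (now.isAfter(notAfter)) { state = "EXPIRED"; problem = true; }
            else if (daysLeft < warnDays) { state = "EXPIRING SOON"; problem = true; }

            System.out.printf("%-14s alias=%s subject=\"%s\" notAfter=%s daysLeft=%d%n",
                    state, alias, x509.getSubjectX500Principal().getName(), notAfter, daysLeft);
        }
        // Non-zero exit lets a build step or scheduled job fail on a bad certificate.
        System.exit(problem ? 1 : 0);
    }
}
```

Run it from the OFBiz root directory with no arguments to check the default keystore, or pass a path, password and warning window in days.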

        BJ Freeman added a comment -

        OpenSSL is Apache License but they have this warning

        This software package uses strong cryptography, so even if it is created, maintained and distributed from liberal countries in Europe (where it is legal to do this), it falls under certain export/import and/or use restrictions in some other parts of the world.

        PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS OF OPENSSL ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

        BJ Freeman added a comment -

        It came to mind that maybe there was an ant script to build an SSL cert.
        I ran across this

        Local-deploy-generated-apache-certs

        Overwrites files with generated self-signed certificate and key files; target directory is the subdirectory of APACHE_HOME specified by the apache-server-ssl-cert-directory property in apache-conf.properties. Called by local-deploy-apache.

        configure-apache

        Calls targets to copy model httpd.conf and ssl.conf files using token filtering. Depended on by local-deploy-generated-apache-config.

        generate-self-signed-certificate

        Generates self-signed certificate and key files with openssl, based on properties set in apache-conf.properties. Depended on by local-deploy-generated-apache-certs.

        So maybe that is what ofbiz needs to do. Then the person downloading would be responsible to do the certs

        BJ Freeman created issue -

          People

          • Assignee: Unassigned
          • Reporter: BJ Freeman
          • Votes: 0
          • Watchers: 0