This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jun 11, 2013, 9:32 PM
6 Posts

OpenSocial Widget HTTPS Certificate validation problem

  • Category: OpenSocial - Embedded Experiences
  • Platform: Linux
  • Release: 9.0
  • Role: Developer
  • Tags:
  • Replies: 13

Hi all, I'm having the following issue with developing an OpenSocial Widget for iNotes/Notes: our service that I'm developing a widget for is accessed through HTTPS, and the certificate issuer is GoDaddy, which apparently is not added as a trusted root CA somewhere in the depths of Domino Server.

The exact error is as follows: 

1. When trying to open a widget in iNotes, the request to /fiesta/rpc returns the following response: [{"id":"gadgets.metadata","result":{"https://myserver.mydomain.com/gadget-os-alt.jsp":{"error":{"message":"Unable to retrieve spec for https://myserver.mydomain.com/gadget-os-alt.jsp. HTTP error 502","code":502}}}}]

2. The error-log-0.xml file contains the following: 

<CommonBaseEvent creationTime="2013-06-12T00:54:01.240+04:00" globalInstanceId="EL7f00000100013f35044b1b00000000" msg="Certificate with subject CN=*.mydomain.com, OU=Domain Control Validated, O=*.mydomain.com, issued by SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=&quot;GoDaddy.com, Inc.&quot;, L=Scottsdale, ST=Arizona, C=US, is not trusted. Validation failed with error 3659." severity="30" version="1.0.1">
<extendedDataElements name="CommonBaseEventLogRecord:level" type="noValue">
<children name="CommonBaseEventLogRecord:name" type="string"> 
<values>WARNING</values>
</children>
</extendedDataElements>
<extendedDataElements name="CommonBaseEventLogRecord:sourceClassName" type="string">
<values>com.ibm.domino.napi.ssl.DominoX509TrustManager</values>
</extendedDataElements>
<extendedDataElements name="CommonBaseEventLogRecord:sourceMethodName" type="string">
<values>checkServerTrusted</values>
</extendedDataElements>
<sourceComponentId component="Expeditor 6.2" componentIdType="ProductName" instanceId="" location="localhost.localdomain" locationType="Hostname" subComponent="com.ibm.domino.napi.ssl" threadId="1" componentType="http://www.w3.org/2001/XMLSchema-instance"/>
<situation categoryName="ReportSituation">
<situationType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ReportSituation" reasoningScope="INTERNAL" reportCategory="LOG"/>
</situation>
</CommonBaseEvent>

 

Here is where I already tried installing the root certificate:

  1. People & Groups -> Certificates -> Internet Certifiers 
  2. The keyring file for SSL on the domino web server that i created through the 'Server Certificate Admin' application
  3. The 'cacerts' keystore in /opt/ibm/domino/notes/latest/linux/jvm/lib/security

None of this has helped me; the error stays precisely the same... The gadget works if deployed in an http environment.

Jun 12, 2013, 5:46 PM
6 Posts
similar issue

Seems to be the same issue, yes. The difference could be that in your case the widget itself loads through http and then tries to retrieve some content over https, yes?

In my case the widget itself is also behind https, so it doesn't load at all. Did you solve the issue? If yes, how exactly?

Jun 13, 2013, 1:13 AM
23 Posts
The Cert Is Not Trusted
I am surprised #3 did not work for you.  How did you import it into the JVM (what was the command you used)?  Is there anything else in the Domino logs besides the error you provided?  Usually you will see something that says "peer not verified".
Jun 13, 2013, 9:09 AM
6 Posts
cacerts store

I used the jvm/bin/ikeyman tool. Should I try using the ikeycmd tool instead? Edit: reverted the keystore to the original file, tried using ikeycmd instead - same result

This is the exact command I used after using my web browser to view the certificate chain for my domain and exporting the root and intermediate signer certificates to binary .cer files:

/opt/ibm/domino/notes/latest/linux/jvm/bin/ikeycmd -cert -add -db /opt/ibm/domino/notes/latest/linux/jvm/lib/security/cacerts -file /local/notesdata/godaddy-root.cer  -format binary -trust enable -type jks

(then the same for intermediate certificate)

 

The Domino logs contained only the entry I posted.

Jun 13, 2013, 9:30 PM
23 Posts
I use keytool
Whenever I import certs into the Domino JVM I always use keytool.  The command usually looks like this:

keytool -import -v -trustcacerts -alias <server-alias> -file <full path to pem file> -keystore <jvmhome>\jre\lib\security\cacerts -keypass changeit -storepass changeit

Can you give that a shot?
Jun 13, 2013, 5:27 PM
36 Posts
Some....

All the traffic is encrypted, but it seems I've more successfully imported the root certificate. But there are some problems nevertheless.

Jun 14, 2013, 12:40 PM
6 Posts
keytool didn't help

Still no results.

Here are my actions step by step:

1. I downloaded the certificates in .crt format from here: https://certs.godaddy.com/anonymous/repository.pki

2. Once again replaced the cacerts file in domino with a fresh original copy

3. Used keytool to import the certificates one by one: 

[nvoskresensky@localhost security]$ keytool -import -v -trustcacerts -alias gd-root -file gd/gd-class2-root.crt -keystore cacerts -storepass changeit
Certificate already exists in keystore under alias <godaddyclass2ca>
Do you still want to add it? [no]:  yes
Certificate was added to keystore
[Storing cacerts]
[nvoskresensky@localhost security]$ keytool -import -v -trustcacerts -alias gd-intermediate -file gd/gd_intermediate.crt -keystore cacerts -storepass changeit 
Certificate was added to keystore
[Storing cacerts]
[nvoskresensky@localhost security]$ keytool -import -v -trustcacerts -alias gd-cross -file gd/gd -keystore cacerts -storepass changeit 
gd-class2-root.crt         gd_intermediate.crt
gd_cross_intermediate.crt  gdroot-g2.crt
gdig2.crt                  
[nvoskresensky@localhost security]$ keytool -import -v -trustcacerts -alias gd-cross -file gd/gd_cross_intermediate.crt -keystore cacerts -storepass changeit 
Certificate was added to keystore
[Storing cacerts]
[nvoskresensky@localhost security]$ keytool -import -v -trustcacerts -alias gdrootg2 -file gd/gdroot-g2.crt -keystore cacerts -storepass changeit 
Certificate already exists in system-wide CA keystore under alias <extra-godaddyrootcag2>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore
[Storing cacerts]
[nvoskresensky@localhost security]$ keytool -import -v -trustcacerts -alias gdintermediateg2 -file gd/gdig2.crt -keystore cacerts -storepass changeit 

4. Started server, tried to open the gadget, same result, same error in log as in OP

 

I assume I do not need to import the certificate or key for my domain specifically? It is supposed to be validated based on the certificate chain, isn't it?

 

Edit: I've also bumped up the appropriate logging level to FINEST; here is the full log:

http://pastebin.com/HRufqG2w

Jun 17, 2013, 4:02 PM
6 Posts
BasicConstraints extension

Update: with more tinkering around with logging, I've narrowed it down to the following exception:

java.security.cert.CertPathValidatorException: The CA certificate did not contain BasicConstraints
at com.ibm.security.cert.BasicChecker.check(BasicChecker.java:220)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:289)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
at com.ibm.domino.napi.ssl.DominoX509TrustManager.checkServerTrusted(DominoX509TrustManager.java:53)

Looks like the root cause is that our server's certificate was signed with a legacy Valicert root certificate (https://certs.godaddy.com/anonymous/repository.pki?streamfilename=valicert_class2_root.crt&actionMethod=anonymous%2Frepository.xhtml%3Arepository.streamFile%28%27%27%29&cid=1381721 this one), and the code in ibmcertpathprovider.jar does not like the fact it does not have a 'Basic Constraints' extension.

I do not see a workaround for this right off the top of my head here; maybe you can suggest some solution?
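A standalone diagnostic, added here as an example and not code from the thread or from Domino: it loads a PEM chain (leaf first, then intermediates; the file names chain.pem and cacerts and the default JKS password changeit are assumed), prints whether each certificate carries a BasicConstraints extension, and then runs the same CertPathValidator("PKIX") call that the stack trace above shows failing. A CA certificate that prints "absent or not a CA" is the kind of legacy root the IBM checker rejects, so it can be identified before anything is imported.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Hypothetical usage: java ChainCheck chain.pem /path/to/jvm/lib/security/cacerts
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String chainFile = args.length > 0 ? args[0] : "chain.pem";   // assumed name
        String storePath = args.length > 1 ? args[1] : "cacerts";     // assumed name
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Parse every PEM certificate in the file, in the order it appears.
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(chainFile)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }

        // getBasicConstraints() returns -1 when the extension is absent or cA=false,
        // otherwise the pathLenConstraint (Integer.MAX_VALUE when unbounded).
        for (X509Certificate c : chain) {
            int bc = c.getBasicConstraints();
            System.out.printf("%s%n  BasicConstraints: %s%n", c.getSubjectX500Principal(),
                bc < 0 ? "absent or not a CA" : "CA, pathLen=" + bc);
        }

        // Trust anchors come from the JKS truststore, so the root itself need not be in the chain.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, "changeit".toCharArray());
        }
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false); // offline check; revocation is out of scope here

        CertPath path = cf.generateCertPath(chain);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("Chain validated against " + storePath);
        } catch (CertPathValidatorException e) {
            // getIndex() names the certificate in the path that failed (-1 if not cert-specific).
            System.out.println("Validation failed: " + e.getMessage() + " (index " + e.getIndex() + ")");
        }
    }
}
```

Whether a trust anchor without BasicConstraints is accepted depends on the PKIX provider in use; the extension report is provider-independent, while the validate() outcome reflects whichever provider the JVM selects.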

 
Jun 20, 2013, 12:20 AM
23 Posts
Another Thing To Try
I talked to some people on the Domino security team and they suggested trying to delete valicert certifier from pubnames and then trying again.
Jun 19, 2013, 4:29 PM
6 Posts
stackoverflow question

Nope, it's not my post, although I've seen it.

Adding the root Valicert certificate to the Internet Certifiers view and then cross-certifying all of the certificates in the chain did not work for me either, unfortunately.

Jun 19, 2013, 5:00 PM
36 Posts
Hmmm

After cross-certifying all of the certificates, I removed the CA from cacerts. All works, with a warning of course :)

