
I have the following application error when accessing https://..appRoot../TestJavaMongo/test/mongo/all by following the doc: https://medium.com/@blumareks/mongodb-for-you-a-hardcore-java-cloud-developer-f67b909834f4

I'm testing to connect the Mongo DB service from the Liberty Java CF app on IBM Cloud. How to resolve the error?

```
Error 500: com.mongodb.MongoTimeoutException: Timed out after 30000 ms while waiting for a server that matches WritableServerSelector. Client view of cluster state is {type=UNKNOWN, servers=[{address=sl-us-south-1-portal.16.dblayer.com:50233, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message},
caused by {javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=********* is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error}, ...
```

```
$ keytool -list -v -keystore mongoKeyStore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: 24/06/2017
Entry type: trustedCertEntry

Owner: [email protected]
Issuer: [email protected]
Serial number: 59491e1b
Valid from: Tue Jun 20 23:07:39 AEST 2017 until: Sat Jun 20 23:00:00 AEST 2037
Certificate fingerprints:
         MD5:    A4:54:21:6A:52:E1:8B:CB:07:CC:25:A3:3B:1A:8B:05
         SHA1:   BE:5D:AE:94:C3:A5:37:2D:43:B2:E7:FC:CF:39:19:EE:B8:10:29:9B
         SHA256: D5:6B:EB:D6:88:36:D4:77:06:9B:8D:2B:83:39:9B:95:A5:E3:22:09:99:EF:32:89:31:E2:88:C2:86:58:83:62
Signature algorithm name: SHA512withRSA
Version: 3

Extensions:

1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 65 2C 47 37 D6 4C B7 24   E9 A1 AA 14 01 4A 12 AD  e,G7.L.$.....J..
0010: 63 E0 7C 56                                        c..V
]
]

2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
]

5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 65 2C 47 37 D6 4C B7 24   E9 A1 AA 14 01 4A 12 AD  e,G7.L.$.....J..
0010: 63 E0 7C 56                                        c..V
]
]
```

- Would you please show your prior research on this? (Commented Aug 2, 2018 at 18:44)

2 Answers

I recently had this same issue with our DB provider; they sent me their .crt file and I had to create a keystore with it:

```
keytool -import -alias "name" -file "/path/to/file" -keystore "/path/to/keystore/file" -storetype pkcs12 -storepass "keystorepass"
```

Then in my main class I set the truststore and truststore password:

```java
System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore/file");
System.setProperty("javax.net.ssl.trustStorePassword", "keystorepass");
```

Hope it helps.


2 Comments

Thank you for the comment. I tested again with your suggestion. It is similar to the doc: compose.com/articles/… Unfortunately, I get the same error.

You might need to set `sslInvalidHostNameAllowed=true` if it's a self-signed certificate.

As the error says, the certificate isn't trusted. I see that tutorial has a pretty substantial section on importing the certificate from the Mongo service into a keystore and setting it as the trustStore for Liberty. Double check those steps to make sure that you:

  1. Correctly obtained and saved the certificate from the Mongo service, i.e. that it is not incomplete or corrupted or anything.

  2. Check that you created a keystore using the keytool command in the correct location, that you replaced the one from the repository if you checked that out, and that it includes the certificate you saved for the Mongo server. You can use `keytool -list -v -keystore <path_to_keystore.jks>` on your keystore to see what's inside.

  3. Check that you configured Liberty correctly to use this keystore as your trust store. I think the tutorial is a little misleading, as it says:

> A typical application will also need to set several JVM system properties to ensure that the client presents a TLS/SSL certificate to the MongoDB server: `javax.net.ssl.keyStore` The path to a key store containing the client's TLS/SSL certificates; `javax.net.ssl.keyStorePassword` The password to access this key store

However, I think you actually need to set this keystore you created as the value for the javax.net.ssl.trustStore property (and set the trustStorePassword property accordingly) because the JVM uses the trustStore to check the public keys of hosts it is connecting to for trust.

Either way, make sure those properties are set appropriately and that Liberty is not throwing up any errors in the logs related to it on server start.

Once you have verified the whole chain (that you have exported the correct certificate, that you have created a keystore that contains that certificate, and that you have set that keystore as the truststore for the server), you should have security set up to talk to the Mongo server correctly. If you have changed the existing truststore while the server is running, you have to restart the server for it to pick up those changes.

1 Comment

Thank you for the comment. 1. I believe it is the correct certificate saved from Mongo; I don't know how to verify. 2. I ran `keytool -list -v -keystore <path_to_keystore.jks>`; I will share the output later. 3. I checked the code. It looks OK.
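To check the chain the second answer describes (the trust store loads, it contains the CA, and a TLS handshake to the Mongo host succeeds using only that store), here is an added diagnostic; it is not code from the question, the answers or the linked tutorials. It assumes the hypothetical class name `MongoTlsTrustCheck`, takes host and port as arguments, and reads the store from the same `javax.net.ssl.trustStore` properties the answers mention, so a PKIX failure here is the driver's failure reproduced without the driver or Liberty in the way.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
// Hypothetical diagnostic class; not part of the question, answers or tutorial.
public class MongoTlsTrustCheck {
    // Load the store exactly as the JVM default trust manager would from the javax.net.ssl.* properties.
    static KeyStore loadTrustStore(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
    // Handshake trusting only this store: same PKIX check the driver does, isolated from driver and Liberty.
    static X509Certificate[] handshake(String host, int port, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no key store: we only verify the server side
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check, as the driver does by default
            sock.setSSLParameters(params);
            sock.startHandshake();
            Certificate[] chain = sock.getSession().getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
            return x509;
        }
    }
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore ts = loadTrustStore(path, pass, type);
        System.out.println("Trust store " + path + " (" + type + ") contains " + ts.size() + " entries:");
        for (String alias : Collections.list(ts.aliases()))
            if (ts.isCertificateEntry(alias))
                System.out.println("  " + alias + ": " + ((X509Certificate) ts.getCertificate(alias)).getSubjectX500Principal());
        try {
            for (X509Certificate c : handshake(args[0], Integer.parseInt(args[1]), ts))
                System.out.println("OK, server sent: " + c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage() + " (the server cert's issuer is not among the subjects above)");
        }
    }
}
```

Run it as `java -Djavax.net.ssl.trustStore=/path/to/keystore -Djavax.net.ssl.trustStorePassword=keystorepass -Djavax.net.ssl.trustStoreType=pkcs12 MongoTlsTrustCheck sl-us-south-1-portal.16.dblayer.com 50233` (type `jks` if you built the store as in the tutorial); `keytool -printcert -sslserver host:port` prints the chain the server actually presents, so you can see which CA has to be in the store.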
