Hi Greg,
Sorry for bothering again on the same issue.
Since I modified the self-signed certificate I can't make gsearch working anymore.
The exception throw is always:

Fedora Object xxxxxxxxxx not found at DemoAtDtu; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

 I have configured tomcat to load the keystore where the self-signed certificate is in and to load a custom truststore where I trusted that certificate. I have also ran tomcat with ssl debug options and here is the result:

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-8443-1, setSoTimeout(60000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1328210885 bytes = { 67, 138, 70, 121, 118, 92, 54, 158, 143, 142, 85, 65, 104, 198, 105, 187, 13, 101, 245, 198, 200, 96, 231, 127, 90, 242, 78, 197 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
http-8080-4, WRITE: TLSv1 Handshake, length = 75
http-8080-4, WRITE: SSLv2 client hello message, length = 101
http-8443-1, READ:  SSL v2, contentType = Handshake, translated length = 75
*** ClientHello, TLSv1
RandomCookie:  GMT: 1328210885 bytes = { 67, 138, 70, 121, 118, 92, 54, 158, 143, 142, 85, 65, 104, 198, 105, 187, 13, 101, 245, 198, 200, 96, 231, 127, 90, 242, 78, 197 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
%% Created:  [Session-16, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1328210885 bytes = { 47, 120, 37, 197, 62, 247, 95, 232, 197, 6, 103, 66, 150, 175, 138, 223, 116, 114, 9, 89, 159, 191, 149, 137, 73, 59, 122, 65 }
Session ID:  {79, 43, 228, 197, 44, 49, 31, 110, 59, 165, 112, 152, 100, 250, 225, 128, 224, 239, 110, 235, 136, 192, 171, 142, 185, 238, 215, 99, 144, 238, 33, 131}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 17661593669421858218411695598553797822920372273555124371461037567902617101375504162491484973176890789579620089972944454891564865544786573612037968012019305163894378123784419527375220478530403364569016018453996686344369362921581597920769643751454368493077782536030400938009459107928045222069203207445307480604767696747643641235711336095880000296052166470303956724650011167885232993976903037401782809172246342969503969643912804519781046798499462554025521745428121941174946483101336873991433783598519754951275915999306443219649393264403734713231147801316173857847931988613935558702770768716915959357700644451196891575503
  public exponent: 65537
  Validity: [From: Fri Jan 27 17:37:34 CET 2012,
               To: Sat Jan 26 17:37:34 CET 2013]
  Issuer: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
  SerialNumber: [    4f22d2ce]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 2D 40 00 D7 8F F5 A4 85   F2 1B 72 AF C3 BC DE 8D  -@........r.....
0010: E5 50 9E 0D 63 CC D2 D6   4B C3 D0 55 B1 A8 76 12  .P..c...K..U..v.
0020: 3C 8A BE 7D E9 D4 25 E3   3F C1 2B 23 B7 19 10 97  <.....%.?.+#....
0030: 20 53 F7 7B 01 47 15 8F   2C 87 BB B9 02 D4 A7 8D   S...G..,.......
0040: 63 30 29 17 8B CA 71 6B   2B 56 7C 7D A7 B5 C4 90  c0)...qk+V......
0050: B3 4A 30 9A 24 BE E5 01   49 6E 98 BF 2D C1 36 4E  .J0.$...In..-.6N
0060: C4 B1 EF 21 B1 4E C0 C8   44 79 ED 8B BE E0 52 46  ...!.N..Dy....RF
0070: 87 73 B0 40 7E AC AF 9E   3A 3F 1B 47 01 C8 75 8A  .s.@....:?.G..u.
0080: 9D C3 AA E1 BA 24 99 45   59 B5 D6 14 5E 1E 92 6A  .....$.EY...^..j
0090: F6 67 B0 D9 70 1D C7 45   95 DB BE D3 D8 25 0F 5B  .g..p..E.....%.[
00A0: 17 E4 2F 73 7D 99 84 14   82 E8 C7 60 84 3E 54 94  ../s.......`.>T.
00B0: 0E AF 08 C0 0D 91 00 F2   55 3F AA D3 5D 37 28 35  ........U?..]7(5
00C0: 49 52 D0 BD 69 70 74 FD   4C BF 2C 13 EA AD 65 36  IR..ipt.L.,...e6
00D0: 92 D3 A7 BD D9 4C 89 3E   34 16 75 BF 9B 45 7E 30  .....L.>4.u..E.0
00E0: 26 2D CD 62 93 F8 19 16   2F 67 B0 20 2D ED 22 35  &-.b..../g. -."5
00F0: 20 12 33 CE 45 53 D5 F2   92 85 6A E2 2E 0D 84 43   .3.ES....j....C

]
***
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 932
http-8080-4, READ: TLSv1 Handshake, length = 932
*** ServerHello, TLSv1
RandomCookie:  GMT: 1328210885 bytes = { 47, 120, 37, 197, 62, 247, 95, 232, 197, 6, 103, 66, 150, 175, 138, 223, 116, 114, 9, 89, 159, 191, 149, 137, 73, 59, 122, 65 }
Session ID:  {79, 43, 228, 197, 44, 49, 31, 110, 59, 165, 112, 152, 100, 250, 225, 128, 224, 239, 110, 235, 136, 192, 171, 142, 185, 238, 215, 99, 144, 238, 33, 131}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Created:  [Session-17, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 17661593669421858218411695598553797822920372273555124371461037567902617101375504162491484973176890789579620089972944454891564865544786573612037968012019305163894378123784419527375220478530403364569016018453996686344369362921581597920769643751454368493077782536030400938009459107928045222069203207445307480604767696747643641235711336095880000296052166470303956724650011167885232993976903037401782809172246342969503969643912804519781046798499462554025521745428121941174946483101336873991433783598519754951275915999306443219649393264403734713231147801316173857847931988613935558702770768716915959357700644451196891575503
  public exponent: 65537
  Validity: [From: Fri Jan 27 17:37:34 CET 2012,
               To: Sat Jan 26 17:37:34 CET 2013]
  Issuer: CN=esx-fao.cilea.it, OU=OEKMI, O=FAO, L=Rome, ST=Italy, C=IT
  SerialNumber: [    4f22d2ce]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 2D 40 00 D7 8F F5 A4 85   F2 1B 72 AF C3 BC DE 8D  -@........r.....
0010: E5 50 9E 0D 63 CC D2 D6   4B C3 D0 55 B1 A8 76 12  .P..c...K..U..v.
0020: 3C 8A BE 7D E9 D4 25 E3   3F C1 2B 23 B7 19 10 97  <.....%.?.+#....
0030: 20 53 F7 7B 01 47 15 8F   2C 87 BB B9 02 D4 A7 8D   S...G..,.......
0040: 63 30 29 17 8B CA 71 6B   2B 56 7C 7D A7 B5 C4 90  c0)...qk+V......
0050: B3 4A 30 9A 24 BE E5 01   49 6E 98 BF 2D C1 36 4E  .J0.$...In..-.6N
0060: C4 B1 EF 21 B1 4E C0 C8   44 79 ED 8B BE E0 52 46  ...!.N..Dy....RF
0070: 87 73 B0 40 7E AC AF 9E   3A 3F 1B 47 01 C8 75 8A  .s.@....:?.G..u.
0080: 9D C3 AA E1 BA 24 99 45   59 B5 D6 14 5E 1E 92 6A  .....$.EY...^..j
0090: F6 67 B0 D9 70 1D C7 45   95 DB BE D3 D8 25 0F 5B  .g..p..E.....%.[
00A0: 17 E4 2F 73 7D 99 84 14   82 E8 C7 60 84 3E 54 94  ../s.......`.>T.
00B0: 0E AF 08 C0 0D 91 00 F2   55 3F AA D3 5D 37 28 35  ........U?..]7(5
00C0: 49 52 D0 BD 69 70 74 FD   4C BF 2C 13 EA AD 65 36  IR..ipt.L.,...e6
00D0: 92 D3 A7 BD D9 4C 89 3E   34 16 75 BF 9B 45 7E 30  .....L.>4.u..E.0
00E0: 26 2D CD 62 93 F8 19 16   2F 67 B0 20 2D ED 22 35  &-.b..../g. -."5
00F0: 20 12 33 CE 45 53 D5 F2   92 85 6A E2 2E 0D 84 43   .3.ES....j....C

]
***
http-8080-4, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
http-8080-4, WRITE: TLSv1 Alert, length = 2
http-8080-4, called closeSocket()
http-8443-1, READ: TLSv1 Alert, length = 2
http-8443-1, RECV TLSv1 ALERT:  fatal, certificate_unknown
http-8080-4, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
http-8443-1, called close()
http-8443-1, called closeInternal(true)
dk.defxws.fedoragsearch.server.errors.FedoraObjectNotFoundException: Fedora Object eims-document:418565 not found at DemoAtDtu; nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.getFoxmlFromPid(GenericOperationsImpl.java:340)
    at dk.defxws.fgssolr.OperationsImpl.fromPid(OperationsImpl.java:389)
    at dk.defxws.fgssolr.OperationsImpl.updateIndex(OperationsImpl.java:241)
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.updateIndex(GenericOperationsImpl.java:308)
    at dk.defxws.fedoragsearch.server.RESTImpl.updateIndex(RESTImpl.java:261)
    at dk.defxws.fedoragsearch.server.RESTImpl.doGet(RESTImpl.java:114)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at fedora.server.management.FedoraAPIMBindingSOAPHTTPStub.export(FedoraAPIMBindingSOAPHTTPStub.java:639)
    at dk.defxws.fedoragsearch.server.GenericOperationsImpl.getFoxmlFromPid(GenericOperationsImpl.java:338)
    ... 20 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 31 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:184)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    ... 42 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
    ... 49 more
Caused by: java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:421)
    at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
    ... 53 more
Finalizer, called close()
Finalizer, called closeInternal(true)



I'm sorry, but I feel really stuck on this...

Enrico


On 01/27/2012 05:33 PM, Greg Jansen wrote:
Hey Enrico,
I think you have to change which certificate within the keystore is to be used, in tomcat's server.xml file. The default key for tomcat is the first one found in the keystore, so that's probably the original one. You'll need to add a "keyAlias" attribute that points to your self-signed cert.
See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support

Greg

On 01/27/2012 10:54 AM, Enrico Anello (OEKM) wrote:
Dear all,

I have a fedora installation with embedded tomcat which runs with SSL sharing the default self-signed certificate coming with the installation.
Since I need to change that certificate with another self-signed cert made by myself how can I do it?

I've been digging through and I see that tomcats loads the keystore by those parameters:
-Djavax.net.ssl.trustStore=/var/fedora/server/truststore -Djavax.net.ssl.trustStorePassword=tomcat

I have actually changed that truststore with the one generated by myself but nothing happened; if from the browser I check the certificate it keeps saying that is the default one coming from the original installation!

Any tips?

Thank you and Regards,
Enrico Anello

Food and Agriculture Organization of the United Nations
Via delle terme di Caracalla, 1 - 00100 - Rome (Italy)

------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________ Fedora-commons-users mailing list Fedora-commons-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fedora-commons-users


-- 
___
Gregory N. Jansen
Developer - Carolina Digital Repository
UNC Chapel Hill Libraries